Version: 1.0

wf setup cloudidentity

create/ensure an identity to access: gcp, aws, azure

Synopsis

Ensures a cloud identity exists in a cloud provider for Wayfinder to use for accessing one or more cloud APIs with least privilege.

You must be logged in to the relevant cloud in order for these commands to work:

You must also have created a cluster in the cloud provider in question:

  • For AWS, either:
    • You have an EKS cluster in which you plan to install, or have installed, Wayfinder.
    • You have installed Wayfinder on another cloud provider and need to provide Wayfinder access to any AWS account.
  • For Azure, either:
    • You have an AKS cluster in which you plan to install, or have installed, Wayfinder.
    • You have installed Wayfinder on another cloud provider and need to provide Wayfinder access to any Azure subscription.

wf setup cloudidentity [flags]

Examples


# Add a cloud identity and be prompted for all the values:
$ wf setup cloudidentity

# Create / update AWS role for the wayfinder management cluster where wayfinder is (or
# will be) installed, and configure an AWS KMS key for secrets encryption:
$ wf setup cloudidentity --cluster-name my-eks-cluster -c aws --wf-namespace wayfinder

# Create / update an Azure MSI identity for the wf management cluster where
# wf is (or will be) installed, and configure an Azure Vault key for secrets encryption:
$ wf setup cloudidentity --cluster-name my-aks-cluster -c azure --wf-namespace wayfinder

# When Wayfinder is NOT running in AWS, create / update an AWS user identity for Wayfinder to use and ensure the associated cloud-credential exists:
$ wf setup cloudidentity -c aws --wf-hosting-cloud other

# When Wayfinder is NOT running in AWS, REMOVE an AWS user identity and associated cloud-credential in Wayfinder:
$ wf setup cloudidentity -c aws --wf-hosting-cloud other --remove

# When Wayfinder is NOT running in Azure, create / update an Azure user identity for Wayfinder to use and ensure the associated cloud-credential exists:
$ wf setup cloudidentity -c azure --wf-hosting-cloud other --azure-subscription-id 123456678-ABCA-ABCA-ABCA-123456789101

Options

      --azure-subscription-id string   ID of Azure subscription in which to create a role to permit Wayfinder's access to your tenant
  -c, --cloud string                   cloud to create/ensure identity for: gcp, aws, azure
  -k, --cluster-name string            name of the kubernetes cluster Wayfinder is (or will be) installed on in the cloud provider
      --disable-aws-kms-setup          disables AWS KMS key setup for Wayfinder secrets encryption (by default, KMS setup is enabled when using '-c aws')
      --disable-azure-keyvault-setup   disables Azure Key Vault key setup for Wayfinder secrets encryption (by default, Key Vault setup is enabled when using '-c azure')
  -h, --help                           help for cloudidentity
      --remove                         removes all IAM resources created and removes the associated Wayfinder cloudcredential
      --wf-hosting-cloud string        create/ensure a cloud identity suitable for when wayfinder is running on: gcp (GKE), aws (EKS), azure (AKS), other
  -n, --wf-namespace string            Kubernetes namespace Wayfinder is (or will be) installed in

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
      --force              Used to force an operation to happen (default: false)
      --no-wait            Indicates we should not wait for resources to provision
  -o, --output string      Output format of the resource (json,yaml,table,template) (default "table")
      --profile string     Use a profile other than your default for this command
      --show-headers       Indicates we should display headers on table out (default true)
      --verbose            Enables verbose logging for debugging purposes (default: false)
  -w, --workspace string   The workspace you are operating within

SEE ALSO

  • wf setup - Initialises dependencies required to run wayfinder