From ebdd2ac0e5fc6b5cd058ccc77b30478478dc1e1e Mon Sep 17 00:00:00 2001 From: Betsy Gitelman <93718720+ebgitelman@users.noreply.github.com> Date: Tue, 10 Oct 2023 13:15:06 -0400 Subject: [PATCH 1/6] added info about other cloud providers and token --- .../planning/deployment_options/index.mdx | 2 +- .../01_postgres_access/index.mdx | 21 ++++++++++++------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/product_docs/docs/biganimal/release/planning/deployment_options/index.mdx b/product_docs/docs/biganimal/release/planning/deployment_options/index.mdx index b6a91bed1b3..a39b17b1c7e 100644 --- a/product_docs/docs/biganimal/release/planning/deployment_options/index.mdx +++ b/product_docs/docs/biganimal/release/planning/deployment_options/index.mdx @@ -18,7 +18,7 @@ When deploying in your cloud account, you need to set up your cloud service prov BigAnimal's cloud account offers a seamless deployment option if you don't want to set up a separate cloud account for your clusters. You can deploy a cluster in BigAnimal's cloud account instantly. !!! Note Note -Currently, when you deploy in BigAnimal's cloud account, you can use AWS or Google Cloud as your cloud provider. +Currently, when you deploy in BigAnimal's cloud account, you can use AWS or Google Cloud as your cloud provider. If you want to use your cloud account's Identity and Access Management (IAM) service for database authentication, you must deploy clusters in your own cloud account. If you deploy using BigAnimal's cloud account, the underlying cloud provider is hidden, so you can't manage IAM access. !!! diff --git a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx index bd207325b1f..0e2151fc5cc 100644 --- a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx 
@@ -98,7 +98,7 @@ If you use a single database to host multiple schemas, create a database owner a ``` ## IAM authentication for Postgres -Any AWS user with an AWS account connected to a BigAnimal subscription who has the Postgres role of iam_aws can authenticate to the database using their AWS IAM credentials. +Any user with a cloud account connected to a BigAnimal subscription who has the Postgres IAM role iam_aws, iam_azure, or iam_gcp can authenticate to the database using their IAM credentials. ### Configuring IAM for Postgres 
@@ -109,32 +109,37 @@ Provision your cluster before configuring IAM for Postgres. 1. Select **Create Cluster** or **Save**. !!!note To turn on IAM authentication using the CLI, see [Using IAM authentication on AWS](/biganimal/latest/reference/cli/using_features/#iam-authentication-cli-commands). -1. In AWS, get the ARN of each IAM user requiring database access. In the AWS account connected to BigAnimal, use AWS Identity and Access Management (IAM) to perform user management. See the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html). +1. From your cloud provider, get the user name of each IAM user requiring database access. In the cloud account connected to BigAnimal, use Identity and Access Management (IAM) to perform user management. See the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html). -1. In Postgres, if the IAM role doesn’t exist yet, run this Postgres command: +1. In Postgres, if the IAM role doesn’t exist yet, use the `CREATE ROLE` command. For example, for AWS, use: ``` CREATE ROLE "iam_aws"; ``` -1. For each IAM user, run this Postgres command: +1. For each IAM user, run the `CREATE USER` Postgres command. For example, for AWS, use: ``` CREATE USER "" IN ROLE iam_aws; ``` + Where is the Amazon resource name. (For Azure, use the user principal name. For GCP, use the email address.) + ### Logging in to Postgres using IAM credentials -If IAM integration is configured for your cluster, you can log in to Postgres using your AWS Amazon Resource Name (ARN) and access key. Using this ARN + access key combination allows you to connect to your Postgres database using your AWS IAM standard credentials. +If IAM integration is configured for your cluster, you can log in to Postgres using your cloud credentials. Alternatively, you can use your token instead of your password. 
Logging in either way allows you to connect to your Postgres database using your cloud account's IAM standard credentials. + +For either method, you must first authenticate to your cloud service provider IAM to get your password or token. !!! Note You can continue to log in using your Postgres username and password. However, doing so doesn’t provide IAM authentication even if this feature is configured. -1. Using your AWS CLI or Cloud shell, obtain your ARN and access key. For guidance on obtaining your ARN and access key, see [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html). +1. Get your credentials for your IAM-managed cloud account. + - For AWS, your password is your access key (access key id + secret access key). To get your access key, see [get-access-key-info](https://docs.aws.amazon.com/cli/latest/reference/sts/get-access-key-info.html) To get your authorization token, see [get-authorization-token](https://docs.aws.amazon.com/cli/latest/reference/ecr-public/get-authorization-token.html). + - For GCP, to get your access token, see [Create a short-lived access token](https://cloud.google.com/iam/docs/create-short-lived-credentials-direct). + - For Azure, to get your access token, see [the get-access-token command](https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token()). 1. Connect to Postgres using your IAM credentials. -1. When prompted for the password, enter your access key (``). ### Using IAM authentication CLI commands For information on integrating with IAM on AWS using the CLI, see [IAM authentication CLI commands](/biganimal/latest/reference/cli/using_features/#iam-authentication-cli-commands). - From acfb37bc67dfd86c0c051123c912d701a884478c Mon Sep 17 00:00:00 2001 
From: Betsy Gitelman <93718720+ebgitelman@users.noreply.github.com> Date: Tue, 10 Oct 2023 13:19:23 -0400 Subject: [PATCH 2/6] Update product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx --- .../release/using_cluster/01_postgres_access/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx index 0e2151fc5cc..a6732b94d2a 100644 --- a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx @@ -98,7 +98,7 @@ If you use a single database to host multiple schemas, create a database owner a ``` ## IAM authentication for Postgres -Any user with a cloud account connected to a BigAnimal subscription who has the Postgres IAM role iam_aws, iam_azure, or iam_gcp can authenticate to the database using their IAM credentials. +Any user with a supported cloud account connected to a BigAnimal subscription who has the Postgres IAM role iam_aws, iam_azure, or iam_gcp can authenticate to the database using their IAM credentials. ### Configuring IAM for Postgres From 7655ada4fb822788c767781db2a3753ef9410986 Mon Sep 17 00:00:00 2001 From: Betsy Gitelman <93718720+ebgitelman@users.noreply.github.com> Date: Tue, 10 Oct 2023 13:19:28 -0400 Subject: [PATCH 3/6] Update product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx --- .../release/using_cluster/01_postgres_access/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx index a6732b94d2a..6da4347e279 100644 --- a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx 
+++ b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx @@ -109,7 +109,7 @@ Provision your cluster before configuring IAM for Postgres. 1. Select **Create Cluster** or **Save**. !!!note To turn on IAM authentication using the CLI, see [Using IAM authentication on AWS](/biganimal/latest/reference/cli/using_features/#iam-authentication-cli-commands). -1. From your cloud provider, get the user name of each IAM user requiring database access. In the cloud account connected to BigAnimal, use Identity and Access Management (IAM) to perform user management. See the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html). +1. From your cloud provider, get the user name of each IAM user requiring database access. In the cloud account connected to BigAnimal, use Identity and Access Management (IAM) to perform user management. 1. In Postgres, if the IAM role doesn’t exist yet, use the `CREATE ROLE` command. For example, for AWS, use: From 8fd06d40bac0e0c4b3e879b51e259c177252af24 Mon Sep 17 00:00:00 2001 From: Betsy Gitelman <93718720+ebgitelman@users.noreply.github.com> Date: Thu, 12 Oct 2023 10:38:01 -0400 Subject: [PATCH 4/6] Update product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx --- .../release/using_cluster/01_postgres_access/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx index 6da4347e279..da3fa84469f 100644 --- a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx 
@@ -135,7 +135,7 @@ For either method, you must first authenticate to your cloud service provider IA You can continue to log in using your Postgres username and password. However, doing so doesn’t provide IAM authentication even if this feature is configured. 1. Get your credentials for your IAM-managed cloud account. - - For AWS, your password is your access key (access key id + secret access key). To get your access key, see [get-access-key-info](https://docs.aws.amazon.com/cli/latest/reference/sts/get-access-key-info.html) To get your authorization token, see [get-authorization-token](https://docs.aws.amazon.com/cli/latest/reference/ecr-public/get-authorization-token.html). + - For AWS, your password is your access key (in the form :). To get your access key, see [get-access-key-info](https://docs.aws.amazon.com/cli/latest/reference/sts/get-access-key-info.html) To get your authorization token, see [get-authorization-token](https://docs.aws.amazon.com/cli/latest/reference/ecr-public/get-authorization-token.html). - For GCP, to get your access token, see [Create a short-lived access token](https://cloud.google.com/iam/docs/create-short-lived-credentials-direct). - For Azure, to get your access token, see [the get-access-token command](https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token()). 1. Connect to Postgres using your IAM credentials. From 175fff048f504c54c85cf9183d5760245888e5ae Mon Sep 17 00:00:00 2001 From: Betsy Gitelman <93718720+ebgitelman@users.noreply.github.com> Date: Thu, 12 Oct 2023 11:05:37 -0400 Subject: [PATCH 5/6] Update product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx --- .../release/using_cluster/01_postgres_access/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx index da3fa84469f..403a222f0e6 100644 --- a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx @@ -135,7 +135,7 @@ For either method, you must first authenticate to your cloud service provider IA You can continue to log in using your Postgres username and password. However, doing so doesn’t provide IAM authentication even if this feature is configured. 1. Get your credentials for your IAM-managed cloud account. - - For AWS, your password is your access key (in the form :). To get your access key, see [get-access-key-info](https://docs.aws.amazon.com/cli/latest/reference/sts/get-access-key-info.html) To get your authorization token, see [get-authorization-token](https://docs.aws.amazon.com/cli/latest/reference/ecr-public/get-authorization-token.html). + - For AWS, your password is your access key (in the form <access key id>:<secret access key>). To get your access key, see [get-access-key-info](https://docs.aws.amazon.com/cli/latest/reference/sts/get-access-key-info.html) To get your authorization token, see [get-authorization-token](https://docs.aws.amazon.com/cli/latest/reference/ecr-public/get-authorization-token.html). - For GCP, to get your access token, see [Create a short-lived access token](https://cloud.google.com/iam/docs/create-short-lived-credentials-direct). - For Azure, to get your access token, see [the get-access-token command](https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token()). 1. Connect to Postgres using your IAM credentials. From 93464ef940433be8ac2eddcdca2574b5074a9266 Mon Sep 17 00:00:00 2001 
From: Betsy Gitelman <93718720+ebgitelman@users.noreply.github.com> Date: Thu, 12 Oct 2023 11:06:08 -0400 Subject: [PATCH 6/6] Update product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx --- .../release/using_cluster/01_postgres_access/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx index 403a222f0e6..51c5804f7fc 100644 --- a/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx +++ b/product_docs/docs/biganimal/release/using_cluster/01_postgres_access/index.mdx @@ -123,7 +123,7 @@ Provision your cluster before configuring IAM for Postgres. CREATE USER "" IN ROLE iam_aws; ``` - Where is the Amazon resource name. (For Azure, use the user principal name. For GCP, use the email address.) + Where <ARN> is the Amazon resource name. (For Azure, use the user principal name. For GCP, use the email address.) ### Logging in to Postgres using IAM credentials
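Review bot: In [PATCH 1/6], the login procedure at the end of the `@@ -109,32 +109,37 @@` hunk loses the only instruction on what to enter. The removed step "When prompted for the password, enter your access key" has no replacement, so "Connect to Postgres using your IAM credentials" never says which value is the Postgres user name, or that the access key or token goes in at the password prompt. Suggest keeping a final step along the lines of "When prompted for the password, enter your access key or token" and stating which identifier to log in as (the same one passed to `CREATE USER`). Because the AWS password is the long-lived access key pair, the text should also say whether the token is the preferred option.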
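Review bot: In [PATCH 2/6], the changed sentence under "IAM authentication for Postgres" adds "supported" without saying which cloud accounts qualify, and the role names iam_aws, iam_azure, and iam_gcp are still plain text. Suggest linking "supported" to the deployment options page touched in 1/6, which states that clusters in BigAnimal's own cloud account can't use IAM, and putting the three role names in backticks so they read as the literal identifiers used with `CREATE ROLE`.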
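Review bot: In [PATCH 3/6], the step "From your cloud provider, get the user name of each IAM user" asks for a user name, but the `CREATE USER` step further down expects the Amazon resource name for AWS, the user principal name for Azure, and the email address for GCP. Suggest naming those three identifiers in this step instead of "user name". With the AWS documentation link dropped, the step now points to no provider documentation at all, so consider one user-management link per provider rather than none.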
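Review bot: In [PATCH 4/6], the added AWS bullet reads "(in the form :)" with nothing on either side of the colon, so this commit on its own documents an empty format. 5/6 then supplies `<access key id>:<secret access key>`. Suggest squashing 4/6 into 5/6 so that no intermediate revision carries the broken text.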
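Review bot: In [PATCH 5/6], the two links in the AWS bullet do not lead to what the sentence promises. `sts get-access-key-info` returns the account ID that an access key ID belongs to rather than giving users their access key, and `ecr-public get-authorization-token` issues a token for Amazon ECR Public registries. Suggest restoring the "Managing access keys for IAM users" link that 1/6 removed for the access key, and pointing the token sentence at the command that produces the token BigAnimal accepts. A period is also missing between "get-access-key-info.html)" and "To get your authorization token".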
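Review bot: In [PATCH 6/6], the sentence now names `<ARN>`, but the example in the context line just above it still reads `CREATE USER "" IN ROLE iam_aws;`, an empty quoted identifier, so the placeholder being explained never appears in the command. Suggest applying the same escaping inside the code block so it shows `CREATE USER "<ARN>" IN ROLE iam_aws;`. The parenthesis mentions the Azure and GCP identifiers without showing their roles, so equivalent `iam_azure` and `iam_gcp` lines would complete the example.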