Documentation

Cloud Credentials

manager icon Manager | partner Partner

Before you can create your own project, you have to add a cloud. Now you can choose from OpenStack, AWS, Azure, or Google.
You just have to fill in the correct credentials from your account and Taikun will connect with them.

Use add cc btn button to Add Cloud Credentials. Choose which Cloud you want to add and fill in the required data. After you add new Cloud Credentials, you can use the Cloud as storage for your new projects.

OpenStack #

Requirements for Openstack

🔥
Warning

A Taikun image must already exist in the OpenStack Cloud. Requirement is an Ubuntu 20 image, we recommend using the most recent kernel (e.g. a base Ubuntu image with hwe kernel available here: https://repo.itera.io/repository/images/taikun-image.qcow2)

To use an image in Taikun you have to use the tags “taikun” and “ubuntu{number}”. By default Taikun takes an image with the latest {number}.

Command to add an image to OpenStack:

openstack image create –disk-format qcow2 –container-format bare –public –tag taikun –tag ubuntu20.04 –property hw_disk_bus=scsi –property hw_scsi_model=virtio-scsi taikun-focal-image –file taikun-image.qcow2

Adding your OpenStack Cloud credentials:

add cc openstack
  1. Switch to Cloud credentials in Taikun 

  2. Hit Add Cloud Credentials in the top-right corner

  3. Specify the following parameters in the OpenStack section:

    • Cloud Name – choose a name for your Cloud Credentials (3-30 characters, e.g. cloud-test)
    • User – your user name to OpenStack (e.g. user)
    • Password – your password to OpenStack (e.g. 123abc)
    • URL – Endpoint-Identity (e.g. https://cloud.mycloud.com:32132)
    • Domain – insert domain name (e.g. default)
    • Project – select Project if there are multiple options (e.g. my-cloud-project)
    • Region – select Region if there are multiple options (e.g. RegionOne)
    • Public Network – choose a network, if available (e.g. public2)
    • Optional:
      • Specify Availability Zone
      • Volume Types 
      • Enable Import Network

🔥
Warning

If you choose to import your network, DNS created in Access Profiles will be ignored.

Enable Import Network
🔥
Warning

If entered Credentials are invalid, you will be notified that Cloud cannot be connected.

Where to find the OpenStack credentials #

As you should know your username and password, the other data from OpenStack will be added to Taikun automatically after filling in the URL.

To find the URL:  

  1. Log into your OpenStack account 
  2. Locate the Project – API Access section in the left-hand navigation panel
  3. Find the Identity row and copy its Service Endpoint 
openstack url

Amazon Web Services (AWS) #

Adding your Amazon Web Services (AWS) Cloud credentials

add cc aws
  1. Switch to Cloud credentials in Taikun 

  2. Hit Add Cloud Credentials in the top-right corner

  3. Specify the necessary parameters in the Amazon Web Services section:

    • Cloud Name – choose a name for your Cloud Credentials (3-30 characters, e.g. cloud-test)
    • Access Key ID, Secret Access Key – input your AWS credentials
    • Region – choose a suitable region
    • Availability Zone – choose availability for a region 

Where to find the Amazon Web Services (AWS) security credentials #

  1. Log into your AWS account
  2. Click on your profile name in the top-right corner and access the Security credentials section
aws 1
  1. Here you can create a new Access key along with a Secret key in the Access key ID and secret access section
    • Alternatively, you can use your previous combination (as long as you have your Secret key)
aws 2

Additional AWS documentation

Azure #

Before adding the Azure account, you need to create an application registration with commands. (source)

ℹ️
Info

The provided instructions are specific to Linux. It might look different with another Operating System.

1) If you haven’t installed Azure CLI, you can do it with the following command:

sudo apt install azure-cli -y

2) Login

sudo apt-get install azure-cli

You will be redirected to an Azure page where you can choose your account:

Web login

CLI output will be similar to this: 

[
  {
    "cloudName": "AzureCloud",
    "id": "c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6",
    "isDefault": true,
    "name": "Bezplatná zkušební verze",
    "state": "Enabled",
    "tenantId": "32xxxxb3-xxx-46b3-xxxx-0exxxxc46d1",
    "user": {
      "name": "usermail@gmail.com",
      "type": "user"
    }
  }
]

You’ll need to fetch Azure Subscription ID (“id”) and Azure Tenant ID (“tenantID”) fields from the output. Here’s what we would use in our test instance:

"id": "c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6”

"tenantId": "32xxxxb3-xxx-46b3-xxxx-0exxxxc46d1"

3) Create a new Azure App with the following command: 

az ad app create --display-name kubernetes --identifier-uris http://kubernetes --homepage http://example.com --password CLIENT_SECRET

You’ll need to use your Client Secret in this command which can be deleted later (e.g. “Ue9)Qj^V\~UYES3(C”)

CLI output will look like this: 

{
  "acceptMappedClaims": null,
  "addIns": [],
  "allowGuestsSignIn": null,
  "allowPassthroughUsers": null,
! "appId": "7bxxxxc3-xxxx-4d74-xxxx-8c40xxxb558", !
  "appLogoUrl": null,
  "appPermissions": null,
  "appRoles": [],
  "applicationTemplateId": null,
  "availableToOtherTenants": false,
  "deletionTimestamp": null,
  "displayName": "kubernetes",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "http://example.com",
  "identifierUris": [
    "http://kubernetes"
  ],
  }
  ...
  {
    "adminConsentDescription": "Allow the application to access kubernetes on behalf of the signed-in user.",
    "adminConsentDisplayName": "Access kubernetes",
    "id": "59xxx87-xxxx-47b8-xxxx-1708xxxxefcd",
    "isEnabled": true,
    "type": "User",
    "userConsentDescription": "Allow the application to access kubernetes on your behalf.",
    "userConsentDisplayName": "Access kubernetes",
    "value": "user*impersonation"
  }
...
}

You’ll need to use the “appID” parameter from this output. In our example, it would be:


"appId": "7bxxxxc3-xxxx-4d74-xxxx-8c40xxxb558"

4) Create a service principal for the app:

az ad sp create --id appId

Use “appId” from the previous step here: 

az ad sp create -id 7bxxxxc3-xxxx-4d74-xxxx-8c40xxxb558

CLI output example:

{
  "accountEnabled": true,
  ...
}
...
"objectId": "85xxxxcb-xxxx-4761-xxxx-63fxxxx515e",
  "objectType": "ServicePrincipal",
  "odata.metadata": "https://graph.windows.net/32xxxxb3-xxxx-46b3-xxxx-0e33xxxx46d1/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
}
...

5) Create a role assignment:

az role assignment create --role "Owner" --assignee http://kubernetes --subscription SUBSCRIPTION_ID

In this case, you will use the subscription ID from step №2:

az role assignment create --role "Owner" --assignee http://kubernetes --subscription c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6

You’ll find the following CLI output:

{
  "canDelegate": null,
  "id": "/subscriptions/c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6/providers/Microsoft.Authorization/roleAssignments/4fxxxx7f-xxxx-4ccf-xxxx-7287xxxxfa14",
  "name": "4fxxxx7f-xxxx-4ccf-xxxx-7287xxxxfa14",
  "principalId": "85xxxxcb-xxxx-4761-xxxx-63ffxxxx515e",
  "principalType": "ServicePrincipal",
  "roleDefinitionId": "/subscriptions/c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6/providers/Microsoft.Authorization/roleDefinitions/8exxxx57-xxxx-443c-xxxx-2fe8xxxxb635",
  "scope": "/subscriptions/c0xxxxa5-xxx-4ecb-xxxx-f37bxxxx28d6",
  "type": "Microsoft.Authorization/roleAssignments"
}

Please be careful when inserting the credentials. If you add incorrect credentials, you will not be able to add flavor and create a cluster.

You can switch to Taikun and add your Azure credentials now:

add cc azure 1
  1. Switch to Cloud credentials in Taikun 

  2. Hit Add Cloud Credentials in the top-right corner

  3. Specify the necessary parameters in the Azure section:
  • Cloud Name – choose a name for your Cloud Credentials (3-30 characters, e.g. cloud-test)
  • Azure Client ID
  • Azure Client Secret
  • Azure Tenant ID

Where to find the Azure credentials #

If you haven’t created your application via CLI, you can find the guidelines here.

Credentials for Azure are located in different tabs. Instructions on where to find them are posted below.

Please be careful when inserting the credentials. If you add incorrect credentials, you will not be able to add flavor and create a cluster.

Azure Client and Tenant Id
  • Azure Active Directory – App registrations – All Applications – application -> Application (client) ID (=Azure Client Id) and Directory (tenant) ID (Azure Tenant Id)
azure client tenant id 1
azure client tenant id 2
  • Azure Active Directory – App registrations – All Applications – application – Certificates & secrets – Client secrets -> Value (=Azure Secret Id)
azure client secret 1
azure client secret 2
azure client secret 3
azure client secret 4
🔥
Warning

Client Secret is shown only for the first time, we recommend to save it somewhere else.

Azure Subscription Id
ℹ️
Info

Subscription is chosen from drop-down selection, but you can find below where to find your Subscription ID.

  • Subscriptions -> Subscription ID (=Azure Subscription Id)
azure subscription 1
azure subscription 2

More information is provided in the Azure guideline

Google Cloud Platform (GCP) #

Adding your Google Cloud Platform (GCP) Cloud credentials

google credentials
  1. Switch to Cloud credentials in Taikun 

  2. Hit Add Cloud Credentials in the top-right corner

  3. Specify the necessary parameters in the Google section:

    • Cloud Name – choose a name for your Cloud Credentials (3-30 characters, e.g. cloud-test)
    • Import Project – Configure your GCE account without folder ID and billing account details
    • Folder ID and Config file find credentials in your GCE account (under My Security Credentials)
    • Region choose a suitable region
    • Zone Cont – choose availability for the region
    • Billing AccountHere you will see the billings account which is configured with your project and user

Where to find the Google Cloud Platform (GCP) security credentials #

  1. Go to console.cloud.google.com
  2. Select your project from the folder
project folder
  1. From the hamburger menu select IAM & Admin
IAM

  1. From the hamburger menu select IAM & Admin
service accounts
  1. Specify the necessary parameters in the Google section:

    • As you add the service account name it will automatically generate a service account id which you can copy for further steps
    • In the Service account description, you need to describe what this service account will do (Which is optional)
    • Click on create and continue
    • Region choose a suitable region
    • Grant this service account access to the project: Grant this service account access to the project so that it has permission to complete specific actions on the resources in your project. (optional)
    • Grant users access to this service account: Grant access to users or groups that need to perform actions as this service account. (optional)
    • Add id in selected project IAM – add – principal id what we created in service account with owner or editor role.
  1. Click on KEYS and ADD KEY:
    • For a new service account, you need to create a new key which will be a .json file if you have any existing key you can add that but the principal Id should be the same in the .json file as the service id
  1. Select the project’s folder and click on IAM from the hamburger menu
hamburger menu
  1. Click on add to roles for service account: in the new principal, you have to add the id which you created in the service account
new principal
📄
Note

You can find ID in downloaded .json file

Billing Account

  1. Select your project again and select billing from the hamburger menu
billing
  1. Click on billing account manage
billing account
  1. Click on add principal
add principal
  1. Add your service account id with the billing account user role
principal role

Actions #

You can expand all tables to see the last modification made (Created ByLast ModifiedLast Modified By).

cc

make default Make default – choose credentials which will be then filled during project creation, lighter color indicates selected credentials

edit Update Cloud Credentials – change the credentials which are not locked

pie charts Navigate to OpenStack/Azure Quota Charts – Preview the quotas from your cloud

  • you can also filter Azure usage quotas by CPUstoragegallery, or general
pie

lock/unlock Lock/Unlock credentials – if you lock the credentials, you can’t use them for new Projects, edit or delete them

delete Delete – delete empty and unlocked credentials

Was this article helpful?