-
Notifications
You must be signed in to change notification settings - Fork 68
/
aws-configure-users.html.md.erb
107 lines (71 loc) · 5.35 KB
/
aws-configure-users.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
---
title: Setting Up Tanzu Kubernetes Grid Integrated Edition Admin Users on AWS
owner: TKGI
iaas: AWS
---
This topic describes how to create VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) admin users with User Account and Authentication (UAA).
## <a id='overview'></a> Overview
UAA is the identity management service for TKGI.
You must use UAA to create an admin user during your initial set up of TKGI.
TKGI includes a UAA server, hosted on the TKGI API VM.
Use the UAA Command Line Interface (UAAC) from the VMware Tanzu Operations Manager (Ops Manager) VM to interact with the TKGI UAA server.
You can also install UAAC on a workstation and run UAAC commands from there.
## <a id='prerequisites'></a> Prerequisites
Before setting up admin users for Tanzu Kubernetes Grid Integrated Edition, you must have one of the following:
* SSH access to the Ops Manager VM
* A machine that can connect to your TKGI API VM
## <a id='connect'></a>Step 1: Connect to the TKGI API VM
You can connect to the TKGI API VM from the Ops Manager VM or from a different machine such as your local workstation.
### <a name='ssh-aws'></a>Option 1: Connect through the Ops Manager VM
You can connect to the TKGI API VM by logging in to the Ops Manager VM through SSH.
To SSH into the Ops Manager VM on AWS, do the following:
1. Retrieve the key pair you used when you
created the Ops Manager VM. To see the name of the key pair:
1. In the AWS console, click the Ops Manager VM
1. Locate the `key pair name` in the properties.
1. On the AWS **EC2 instances** page, locate the Ops Manager FQDN.
1. Change the permissions on the `.pem` file to be more restrictive by running the `chmod 600` command. For example:
```console
$ chmod 600 ops_mgr.pem
```
1. SSH into the Ops Manager VM by running the following command:
```
ssh -i ops_mgr.pem ubuntu@OPS-MANAGER-FQDN
```
Where `OPS-MANAGER-FQDN` is the FQDN of Ops Manager. For example:
```console
$ ssh -i ops_mgr.pem ubuntu@my-opsmanager-fqdn.example.com
```
1. Proceed to the [Log In as a UAA Admin](#uaa-admin-login) section to manage users with UAAC.
### <a name='local-workstation'></a>Option 2: Connect through a Non-Ops Manager Machine
To connect to the TKGI API VM and run UAA commands, do the following:
1. Install UAAC on your machine. For example:
```
gem install cf-uaac
```
1. Download a copy of your Ops Manager root CA certificate to the machine. To download the certificate, do the following:
1. In a web browser, navigate to the FQDN of Ops Manager and log in.
1. In Ops Manager, navigate to **Settings** in the drop-down menu under your user name.
1. Click **Advanced Options**.
1. On the **Advanced Options** configuration page, click **Download Root CA Cert**.
1. Move the certificate to a secure location on your machine and record the path.
1. Proceed to the [Log In as a UAA Admin](#uaa-admin-login) section to create admin users with UAAC.
##<a id='uaa-admin-login'></a>Step 2: Log In as a UAA Admin
<%= partial 'uaa-admin-login' %>
##<a id='tkgi-access'></a>Step 3: Assign Tanzu Kubernetes Grid Integrated Edition Cluster Scopes
The `pks.clusters.manage` and `pks.clusters.admin` UAA scopes grant users the ability
to create and manage Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition.
For information about UAA scopes in Tanzu Kubernetes Grid Integrated Edition, see
[UAA Scopes for Tanzu Kubernetes Grid Integrated Edition Users](uaa-scopes.html).
To create Tanzu Kubernetes Grid Integrated Edition users with the `pks.clusters.manage` or `pks.clusters.admin` UAA scope,
perform one or more of the following procedures based on the needs of your deployment:
* To assign TKGI cluster scopes to an individual user, see
[Grant Tanzu Kubernetes Grid Integrated Edition Access to an Individual User](manage-users.html#uaa-user).
Follow this procedure if you selected **Internal UAA** when you configured **UAA** in the Tanzu Kubernetes Grid Integrated Edition tile. For more information, see [Installing Tanzu Kubernetes Grid Integrated Edition on AWS](installing-aws.html#uaa).
* To assign TKGI cluster scopes to an LDAP group, see [Grant Tanzu Kubernetes Grid Integrated Edition Access to an External LDAP Group](manage-users.html#external-group). Follow this procedure if you selected **LDAP Server** when you configured **UAA** in the Tanzu Kubernetes Grid Integrated Edition tile. For more information, see [Installing Tanzu Kubernetes Grid Integrated Edition TKGI on AWS](installing-aws.html#uaa).
* To assign TKGI cluster scopes to a SAML group, see [Grant Tanzu Kubernetes Grid Integrated Edition Access to an External SAML Group](manage-users.html#saml). Follow this procedure if you selected **SAML Identity Provider** when you configured **UAA** in the Tanzu Kubernetes Grid Integrated Edition tile. For more information, see [Installing Tanzu Kubernetes Grid Integrated Edition TKGI on AWS](installing-aws.html#uaa).
* To assign TKGI cluster scopes to a client, see [Grant Tanzu Kubernetes Grid Integrated Edition Access to a Client](manage-users.html#uaa-client).
##<a id="next-steps"></a> Next Step
After you create admin users in Tanzu Kubernetes Grid Integrated Edition, the admin users can create and manage
Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition.
For more information, see [Managing Kubernetes Clusters and Workloads](managing-clusters.html).