Platform access
You can find "Platform access" in the top "Security" menu when a project is selected.
This is where you store the access credentials for your cloud platforms. These secrets can then be used to create your environments. Your secrets are securely stored within LayerOps.
One of the special characteristics of LayerOps is that we use your cloud platform accounts directly. LayerOps doesn't charge for resource usage; you get the real price of your consumption directly from your cloud providers.
3DS Outscale
To generate access keys, please follow the official 3DS Outscale documentation.
Once you have the Access Key ID and Secret Key, you can create your platform access secret.
AWS
Follow this documentation to create a new user on your AWS account, then create a dedicated policy for this user.
Provide user access to the AWS Management Console
Here's the recommended policy to assign to the new user on AWS:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "iam:GetUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeAddressesAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssignPrivateNatGatewayAddress",
        "ec2:AssociateNatGatewayAddress",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CopyImage",
        "ec2:CreateInternetGateway",
        "ec2:CreateKeyPair",
        "ec2:CreateNatGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateVpc",
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteInternetGateway",
        "ec2:DeleteKeyPair",
        "ec2:DeleteNatGateway",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DeleteVpc",
        "ec2:DeregisterImage",
        "ec2:DisassociateNatGatewayAddress",
        "ec2:DisassociateRouteTable",
        "ec2:DetachInternetGateway",
        "ec2:DetachVolume",
        "ec2:ImportKeyPair",
        "ec2:ModifyVpcAttribute",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:UnassignPrivateNatGatewayAddress"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "ec2:ResourceTag/CreatedBy": "user"
        }
      }
    }
  ]
}
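The policy above allows the read-only Describe/Get actions and resource creation unconditionally, while the destructive actions (delete, terminate, stop, detach, revoke and similar) are only allowed when the resource carries the CreatedBy=user tag. The following Python script is an added example and is not part of the LayerOps documentation or product: it transcribes the recommended policy as data, classifies each allowed action, reports any destructive action that is allowed without the tag condition, and lists the condition operators of the IfExists family (an IfExists operator also matches requests on resources that carry no such tag at all, which is how AWS defines that operator family). The verb lists used for classification and the bucket names are the script's own assumptions.

```python
"""Offline checks on an IAM policy document: classify the allowed actions and
confirm that every destructive action is gated by the CreatedBy tag condition."""
import copy
import json
import sys

# The recommended LayerOps policy from this page, transcribed as Python data so the
# check runs without contacting AWS. Pass a policy JSON file as argv[1] to check another.
RECOMMENDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeAccountAttributes", "iam:GetUser"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe" + s for s in (
             "Addresses", "AddressesAttribute", "Images", "InstanceAttribute",
             "InstanceCreditSpecifications", "Instances", "InternetGateways", "KeyPairs",
             "LaunchTemplates", "NatGateways", "NetworkInterfaces", "RouteTables",
             "SecurityGroupRules", "SecurityGroups", "Subnets", "Tags", "Volumes",
             "VpcAttribute", "Vpcs")]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:" + s for s in (
             "AllocateAddress", "AssignPrivateNatGatewayAddress", "AssociateNatGatewayAddress",
             "AssociateRouteTable", "AttachInternetGateway", "AttachVolume",
             "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress", "CopyImage",
             "CreateInternetGateway", "CreateKeyPair", "CreateNatGateway", "CreateRoute",
             "CreateRouteTable", "CreateSecurityGroup", "CreateSubnet", "CreateTags",
             "CreateVolume", "CreateVpc", "RunInstances", "StartInstances")]},
        {"Effect": "Allow", "Resource": "*",
         "Condition": {"StringEqualsIfExists": {"ec2:ResourceTag/CreatedBy": "user"}},
         "Action": ["ec2:" + s for s in (
             "DeleteInternetGateway", "DeleteKeyPair", "DeleteNatGateway", "DeleteRoute",
             "DeleteRouteTable", "DeleteSecurityGroup", "DeleteSubnet", "DeleteTags",
             "DeleteVolume", "DeleteVpc", "DeregisterImage", "DisassociateNatGatewayAddress",
             "DisassociateRouteTable", "DetachInternetGateway", "DetachVolume", "ImportKeyPair",
             "ModifyVpcAttribute", "ReleaseAddress", "RevokeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "StopInstances", "TerminateInstances",
             "UnassignPrivateNatGatewayAddress")]},
    ],
}

TAG_KEY = "ec2:ResourceTag/CreatedBy"
# Assumed classification: verbs that remove, stop or detach something. The policy
# above gates these behind TAG_KEY; read verbs are always safe to grant broadly.
DESTRUCTIVE_VERBS = ("Delete", "Terminate", "Stop", "Revoke", "Detach", "Release",
                     "Disassociate", "Deregister", "Unassign")
READ_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    # IAM accepts a single string where a list is expected.
    return value if isinstance(value, list) else [value]


def has_tag_condition(statement, tag_key=TAG_KEY):
    """True if any condition operator on the statement keys on tag_key."""
    return any(tag_key in keys for keys in statement.get("Condition", {}).values())


def classify_actions(policy):
    """Bucket every Allow action as read, mutating, or destructive (tag-scoped or not)."""
    buckets = {"read": [], "mutating": [], "destructive_scoped": [], "destructive_unscoped": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        scoped = has_tag_condition(stmt)
        for action in _as_list(stmt["Action"]):
            verb = action.split(":", 1)[-1]  # "ec2:DeleteVpc" -> "DeleteVpc"; "*" stays "*"
            if verb.startswith(READ_VERBS):
                buckets["read"].append(action)
            elif verb.startswith(DESTRUCTIVE_VERBS):
                buckets["destructive_scoped" if scoped else "destructive_unscoped"].append(action)
            else:
                buckets["mutating"].append(action)
    return buckets


def unscoped_destructive(policy):
    """Destructive actions allowed without the tag condition: the finding to fix."""
    return sorted(classify_actions(policy)["destructive_unscoped"])


def if_exists_operators(policy):
    """Condition operators of the ...IfExists family; these also match requests on
    resources that have no such tag, so the tag gate only binds tagged resources."""
    ops = set()
    for stmt in policy["Statement"]:
        ops.update(op for op in stmt.get("Condition", {}) if op.endswith("IfExists"))
    return sorted(ops)


def strip_conditions(policy):
    """Copy of the policy with every Condition removed, to show what the gate buys."""
    stripped = copy.deepcopy(policy)
    for stmt in stripped["Statement"]:
        stmt.pop("Condition", None)
    return stripped


if __name__ == "__main__":
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else RECOMMENDED_POLICY
    for bucket, actions in classify_actions(policy).items():
        print(f"{bucket:21s} {len(actions):3d}")
    print("unscoped destructive:", unscoped_destructive(policy) or "none")
    print("IfExists operators:", if_exists_operators(policy) or "none")
```

Run it with no arguments to check the policy above, or pass the path of a policy JSON file to check a customised variant; an empty "unscoped destructive" list means every destructive action is behind the CreatedBy tag gate.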
To generate access keys for your new LayerOps user, please follow the official AWS documentation.
Once you have the Access Key ID and Secret Key, you can create your platform access secret.
Azure
Get your Subscription ID
Navigate to the Subscriptions page of your Azure portal.
This page lists all subscriptions activated on your account. Select the one you want to use and note its Subscription ID.
Create an application in Azure Active Directory
Navigate to the Microsoft Entra portal.
- In the menu bar, select Applications
- Select App registrations
- Click the New registration button at the top to add a new application, and specify:
- Name - a friendly identifier; it can be anything (e.g. "LayerOps-Creds")
- Supported account types - set this to "Accounts in this organizational directory only (single-tenant)"
- Redirect URI - can be left blank
To retrieve the application information, navigate to the Microsoft AAD IAM section.
- Click on the application created in the previous step
Take note of the "Application (client) ID" and the "Directory (tenant) ID"; you will use them as the values of
- Application (client) ID
- Tenant ID respectively.
Generating a Client Secret
- Select Certificates & secrets
- Generate a new client secret
- Enter a description
- Select an expiry date
- Click Add
Granting the Application access
Navigate to your Azure Subscription blade.
- Select the subscription
- Click Access control (IAM)
- Add > Add role assignment
- Specify a role that grants the permissions needed (e.g. Contributor grants read/write on all resources in the subscription)
Google Cloud Platform
Follow this documentation to create a service account and download its credentials as a JSON file.
To let LayerOps create and manage GCP resources, select the Compute Admin role.
Once you have retrieved the JSON file, you can create your platform access secret and upload this file.