Skip to main content

Run on AWS

Prerequisites

  • EKS cluster with at least 2GB/2CPU allocatable

Overview

The purpose of this doc is to provide a set of instructions to deploy Speakeasy in your own infrastructure. This doc currently assumes Speakeasy is being deployed on EKS. A Terraform module for automated deployment is coming soon !

Deploying on AWS

Create a Speakeasy IAM role

If using CloudSQL or BigQuery, the Speakeasy API Platform uses a service account to interact with these resources in your Google Cloud project. Follow the instructions to attach the appropriate roles to your Google service account if using either of these services. To manage access of this service account in GCP from your AWS account we will

  1. Create an identity pool and provider: Head to Workload Identity Federation under Google Cloud IAM. I gave it a name aws-identity-pool\

    login

Next, adding provider to the pool. Setting provider name as aws and provider id as aws-provider with the AWS account ID for the binding.

login

2. Under Google Cloud IAM, there is Service accounts section. Create a new service account with Workload Identity User role. I gave it a name gcp-aws-identity. Create a new service account and add Workload Identity User ( roles/iam.workloadIdentityUser ) to the account

login

3. Create a new AWS IAM Role with trusted entity as a EKS cluster

4. Create an EKS cluster with the newly created Role

5. Bind AWS Workload Identity with the Role ARN to the GCP service account

Run the following command from Google Cloud Shell or any authenticated environment by replacing GCP_ACCOUNT_ID, AWS_ACCOUNT_ID and GCP_PROJECT with your own.

gcloud iam service-accounts add-iam-policy-binding gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com     --role=roles/iam.workloadIdentityUser     --member="principalSet://iam.googleapis.com/projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/attribute.aws_role/arn:aws:sts::[AWS_ACCOUNT_ID]:assumed-role/AWS_GCP_Identity_ROLE" --project [GCP_PROJECT]

And create the credential config

gcloud iam workload-identity-pools create-cred-config \projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/providers/aws-provider \--service-account=gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \--output-file=configoutput.json \--aws

By using the above generated configoutput.json , we can call GCP services from our AWS EKS cluster which has the associated IAM role created above.

Create a K8s Secret from the Service Account Key

You'll need to ensure the Speakeasy API Platform can use your newly created service account via a k8s secret.

Create and download the service account key file:

gcloud iam service-accounts keys create key.json --iam-account=speakeasy-service-account@<YOUR_PROJECT_ID>.iam.gserviceaccount.com

Deploy a k8s secret containing this key file in your desired namespace:

kubectl create secret generic registry-service-account-secret --from-file=service_account.json=key.json

Deploy Speakeasy API Platform

Follow instructions on using speakeasy-k8s to configure the chart values and deploy Speakeasy.