Cloud Credentials

Objective

This guide provides instructions on how to create cloud API credentials using the guided wizards in F5® Distributed Cloud Console. For more information on Console, please refer to the concepts documentation.

Cloud credentials are used to access services provided by AWS, Azure, and GCP to create, read, update, or delete objects needed to deploy and manage your applications in public cloud environments via F5 Distributed Cloud Services automation.


Prerequisites

Note: If you do not have an account, see Create an Account.

  • Public cloud account with credentials, tenant definitions and certificates already created.

Note: Refer to the required permissions to create cloud resources in the Cloud Credentials Reference guides. These guides also provide instructions to create the roles and associated service accounts using the cloud formation templates.


Configuration

Perform the steps provided in the following chapters to create cloud credentials for various supported cloud providers.

Add Cloud Credentials

Perform the following steps to start creating a cloud credentials object:

Step 1: Navigate to the Cloud Credentials page.
  • Select the Multi-Cloud Network Connect service.
  • Navigate to Manage -> Site Management -> Cloud Credentials.
Figure: Cloud Credentials
Step 2: Start creating cloud credentials.
  • Click Add Cloud Credentials.
  • Enter a name for the credential you are creating.
  • Optionally add labels and a description to this entry.
Figure: Cloud Credentials Metadata
Step 3: Select cloud credential type.

Select a cloud credential type from the drop-down menu. The options are:

  • AWS Programmatic Access Credentials
  • Azure Credential Client Certificate
  • Azure Client Secret for Service Principal
  • GCP Credentials
Figure: Cloud Credential Types

Configure Credentials

AWS Programmable Access Credentials

Perform the following steps for AWS programmable access credentials:

Note: Temporary security credentials such as credentials generated using AWS STS are not supported.

Step 1: Obtain your access key ID and secret from AWS.

Retrieve the access key ID and secret that you intend to use for accessing AWS API services from the IAM Dashboard in your AWS Management Console (AWS IAM Reference).

Step 2: Set the access key and configure secret.
  • Select AWS Programmable Access Credentials for the Select Cloud Credential Type field.

  • Enter the AWS Access Key ID that you retrieved from your AWS account.

Figure: Secret AWS Access Key entry
  • Configure Secret Access Key by clicking on the Configure link below where you entered the Access Key ID.
Figure: Configure AWS Access Key
  • Select the secret type from the drop-down. It can be one of two types:

    • Blindfold Secret: Used for secrets managed by Distributed Cloud Secret Management Service (Recommended as this service provides a high level of security).
    • Clear Secret: Used for secrets that are not encrypted.
  • Select the policy type from the drop-down. It can be one of two types:

    • Built-in: Provides a list of generic policies supplied by Distributed Cloud Services.
    • Custom: Provides a list of user defined policies which have been defined under Manage → Secrets.
  • Enter or paste the text or blindfold value of the AWS Secret Key.

Figure: Secret Access Key entry result after entering text
  • For a text secret, click on the Blindfold button to generate the blindfold key based on the AWS Secret Key. To see the result shown in the image below, click Edit after the Blindfold process is complete.
Figure: Secret Access Key entry result after entering text and clicking on Blindfold (Click on Edit link to see this result)
  • Once the key has been generated or entered, click Apply, and then click Save and Exit to exit the wizard and save your AWS credentials for use with Distributed Cloud Services.

AWS Assume Role

Perform the following steps for configuring AWS Assume Role:

Step 1: Obtain the assume role details.

Create an AWS assume role as described in AWS Assume Role, and obtain the role_arn value.

Step 2: Configure assume role details in the Console.
  • Select AWS Assume Role for the Select Cloud Credential Type field.
  • Enter the ARN value obtained in the previous step in the IAM Role ARN field.
  • Enter a name in the Role Session Name field.
Step 3: Optionally, configure advanced settings.
  • Enable Show Advanced Fields.
  • Set a session duration value in seconds in the Role Session Duration Seconds field. This will limit the role session to the set duration of time.

Note: The session duration value should be less than or equal to the maximum session duration configured in the AWS console.

  • Click on the Role Session Tags field and add labels as needed.
Step 4: Complete creating the cloud credentials.

Click Save and Exit to complete creating the cloud credentials of type AWS Assume Role.
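
The following pre-flight check is an added example, not part of the F5 documentation or Console. It covers the two AWS credential types above: it flags temporary STS access key IDs, which the programmable access type does not support, and checks the Assume Role fields against the session duration rule in the note. The function names are hypothetical, all sample values are constructed, and the key prefixes (AKIA, ASIA), session name rule and 900-second minimum are AWS-documented conventions rather than values taken from this page.

```python
import re

# AWS-documented access key ID prefixes: AKIA is a long-term IAM user key,
# ASIA is a temporary key issued by AWS STS.
ROLE_ARN_RE = re.compile(r"arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+", re.ASCII)
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)
KEY_ID_RE = re.compile(r"\w{16,128}", re.ASCII)
MIN_SESSION_SECONDS = 900  # lowest duration the AWS AssumeRole API accepts


def check_access_key_id(key_id):
    """Return problems with an access key ID meant for the programmable access type."""
    key_id = key_id.strip()
    if key_id.startswith("ASIA"):
        return ["temporary STS key (ASIA prefix); this credential type does not support it"]
    if not key_id.startswith("AKIA"):
        return ["not an IAM user access key ID (expected AKIA prefix)"]
    if not KEY_ID_RE.fullmatch(key_id):
        return ["unexpected length or characters"]
    return []


def check_assume_role(role_arn, session_name, duration_seconds, role_max_seconds):
    """Return problems with the AWS Assume Role fields.

    role_max_seconds is the maximum session duration set on the role in AWS.
    """
    problems = []
    if not ROLE_ARN_RE.fullmatch(role_arn):
        problems.append("IAM Role ARN is not arn:aws:iam::<12-digit account>:role/<name>")
    if not SESSION_NAME_RE.fullmatch(session_name):
        problems.append("Role Session Name must be 2-64 characters from A-Z a-z 0-9 _+=,.@-")
    if duration_seconds < MIN_SESSION_SECONDS:
        problems.append("session duration is below the AWS minimum of 900 seconds")
    if duration_seconds > role_max_seconds:
        problems.append("session duration exceeds the maximum configured on the role")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials or accounts.
    print(check_access_key_id("ASIAEXAMPLEEXAMPLE00"))
    print(check_assume_role("arn:aws:iam::123456789012:role/example-role",
                            "example-session", 7200, 3600))
```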

Azure Credential Client Certificate

Perform the following steps for configuring Azure Credential Client Certificate for Service Principal:

Step 1: Obtain the authentication details from Azure.

Retrieve the Client ID, Subscription ID, Tenant ID, Certificate and Certificate Password that you intend to use for accessing Azure API services from your Azure Portal (Azure Key Vault Reference) (Azure Key Vault Quick Start).

Step 2: Enter the identities and configure secret.
  • Select Azure Credential Client Certificate for the Select Cloud Credential Type field.

  • Enter the Azure Client ID, Subscription ID and Tenant ID that you retrieved from your Azure account.

  • Enter your Client Certificate in the following format:

    string:///<base64 encoded string of the certificate>

Figure: Entries for Azure Client Secret
  • Click the Configure link and enter the Certificate Password you retrieved from the Azure Portal, in the same manner as the AWS Secret Access Key in the AWS Programmable Access Credentials chapter, using either the Clear Secret or Blindfold Secret option.

  • Click Apply and then click Save and Exit.
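
The following helper is an added example, not part of the F5 documentation or Console. It builds the Client Certificate value in the string:/// format given above and checks an existing value for the usual mistake of line-wrapped base64. The function names are hypothetical, and the container guess (PEM text versus a binary ASN.1 file) is informational only, since this page does not state which certificate file type is expected.

```python
import base64
import binascii

PREFIX = "string:///"


def encode_client_certificate(cert_bytes):
    """Build the Client Certificate field value from the raw certificate file bytes."""
    if not cert_bytes:
        raise ValueError("certificate file is empty")
    # b64encode emits one unbroken line; tools that wrap their output
    # would insert line breaks that do not belong in the field value.
    return PREFIX + base64.b64encode(cert_bytes).decode("ascii")


def inspect_client_certificate(value):
    """Validate a field value; return (decoded_bytes, container_guess)."""
    if not value.startswith(PREFIX):
        raise ValueError("value must start with string:///")
    payload = value[len(PREFIX):]
    if any(ch.isspace() for ch in payload):
        raise ValueError("base64 payload contains whitespace or line breaks")
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"payload is not valid base64: {exc}") from exc
    if not raw:
        raise ValueError("payload decodes to nothing")
    if raw.startswith(b"-----BEGIN"):
        kind = "PEM text"
    elif raw[:1] == b"\x30":
        kind = "binary ASN.1 (DER or PKCS#12)"
    else:
        kind = "unknown"
    return raw, kind


if __name__ == "__main__":
    # Constructed bytes standing in for a certificate file; not a real certificate.
    sample = b"\x30\x82\x01\x0a" + b"constructed-placeholder"
    value = encode_client_certificate(sample)
    print(value)
    print(inspect_client_certificate(value)[1])
```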

Azure Client Secret for Service Principal Credentials

Perform the following steps to configure Azure client secret for service principal credentials:

Step 1: Obtain the authentication details from Azure.
Step 2: Enter the identities and configure secret.
  • Select Azure Client Secret for Service Principal Credentials for the Select Cloud Credential Type field.

  • Enter the Azure Client ID, Subscription ID and Tenant ID that you retrieved from your Azure account.

Figure: Entries for Azure Client Secret
  • Click the Configure link and enter the Secret Key you retrieved from the Azure Portal, in the same manner as the AWS Secret Key in the AWS Programmable Access Credentials chapter, using either the Clear Secret or Blindfold Secret option.

  • Click Apply and then click Save and Exit to complete creating Azure credentials.

GCP Credentials

Perform the following steps to configure GCP credentials:

Step 1: Obtain the authentication details from GCP.
Step 2: Configure the secret with the service account key.
  • Select GCP Credentials for the Select Cloud Credential Type field. Click Configure.
Figure: GCP Credentials
  • Enter the service account key you retrieved from GCP, in the same manner as the AWS Secret Key in the AWS Programmable Access Credentials chapter, using either the Clear Secret or Blindfold Secret option.

  • Click Apply and then click Save and Exit to complete creating GCP cloud credentials.

