Managing cloud credentials using pxctl
Prerequisites
This document provides instructions for managing your cloud credentials using pxctl.
The cloud provider credentials are stored in an external secret store. Before you use the commands from below, you should configure a secret provider of your choice with Portworx. For more information, head over to the Key Management page.
Overview
You can use the pxctl credentials command to create, list, validate, or delete your cloud credentials. Portworx then uses these credentials, for example, to back up your volumes to the cloud.
Enter the pxctl credentials --help command to display the list of subcommands:
```
/opt/pwx/bin/pxctl credentials --help
Manage credentials for cloud providers

Usage:
  pxctl credentials [flags]
  pxctl credentials [command]

Aliases:
  credentials, cred

Available Commands:
  create      Create a credential for cloud providers
  delete      Delete a credential for cloud
  list        List all credentials for cloud
  validate    Validate a credential for cloud

Flags:
  -h, --help   help for credentials

Global Flags:
      --ca string        path to root certificate for ssl usage
      --cert string      path to client certificate for ssl usage
      --color            output with color coding
      --config string    config file (default is $HOME/.pxctl.yaml)
      --context string   context name that overrides the current auth context
  -j, --json             output in json
      --key string       path to client key for ssl usage
      --raw              raw CLI output for instrumentation
      --ssl              ssl enabled for portworx

Use "pxctl credentials [command] --help" for more information about a command.
```
List credentials
To list all configured credentials, use this command:

```
pxctl credentials list
S3 Credentials
UUID                                  REGION     ENDPOINT          ACCESS KEY            SSL ENABLED  ENCRYPTION
ffffffff-ffff-ffff-1111-ffffffffffff  us-east-1  s3.amazonaws.com  AAAAAAAAAAAAAAAAAAAA  false        false
Azure Credentials
UUID                                  ACCOUNT NAME  ENCRYPTION
ffffffff-ffff-ffff-ffff-ffffffffffff  portworxtest  false
```
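As an added example that is not part of the Portworx documentation, the following POSIX shell function reads pxctl credentials list output on stdin and reports every S3 credential whose SSL ENABLED or ENCRYPTION column is not true, which is the audit check worth running after the listing above; the listing it runs against is constructed here from the sample output and is not real output.

```shell
#!/bin/sh
# Reads "pxctl credentials list" output on stdin and prints one line per S3
# credential that has SSL disabled or encryption disabled. Returns 1 when at
# least one such credential was found, 0 otherwise.
audit_s3_credentials() {
  awk '
    /Credentials$/ { section = $1; next }   # "S3 Credentials" / "Azure Credentials"
    /^UUID/        { next }                  # column header row
    section == "S3" && NF == 6 {             # UUID REGION ENDPOINT ACCESS_KEY SSL ENCRYPTION
      if ($5 != "true" || $6 != "true") {
        printf "%s ssl_enabled=%s encryption=%s\n", $1, $5, $6
        flagged++
      }
    }
    END { exit flagged ? 1 : 0 }
  '
}

# Constructed sample listing modelled on the output shown above (not real output):
# one S3 credential with SSL and encryption disabled, one hardened S3 credential,
# and one Azure credential, which this check ignores.
SAMPLE_LISTING=$(cat <<'EOF'
S3 Credentials
UUID REGION ENDPOINT ACCESS KEY SSL ENABLED ENCRYPTION
ffffffff-ffff-ffff-1111-ffffffffffff us-east-1 s3.amazonaws.com AAAAAAAAAAAAAAAAAAAA false false
ffffffff-ffff-ffff-2222-ffffffffffff us-east-1 s3.amazonaws.com BBBBBBBBBBBBBBBBBBBB true true
Azure Credentials
UUID ACCOUNT NAME ENCRYPTION
ffffffff-ffff-ffff-ffff-ffffffffffff portworxtest false
EOF
)

# Run against the sample; on a node, pipe in the live listing instead:
#   pxctl credentials list | audit_s3_credentials
printf '%s\n' "$SAMPLE_LISTING" | audit_s3_credentials || echo "weak S3 credentials found" >&2
```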
Create and configure credentials
You can create and configure credentials in multiple ways depending on your cloud provider and how you want to manage them.
Create credentials on AWS by specifying your keys
Note: the --s3-storage-class flag requires version 2.5.3 or higher.
Enter the pxctl credentials create command, specifying:
- The --provider flag with the name of the cloud provider (s3)
- The --s3-access-key flag with your access key ID
- The --s3-secret-key flag with your secret access key
- The --s3-region flag with the name of the S3 region (us-east-1)
- The --s3-endpoint flag with the name of the endpoint (s3.amazonaws.com)
- The optional --s3-storage-class flag with either the STANDARD or STANDARD-IA value, depending on which storage class you prefer
- The name of your cloud credentials

```
pxctl credentials create \
  --provider s3 \
  --s3-access-key <YOUR-ACCESS-KEY-ID> \
  --s3-secret-key <YOUR-SECRET-ACCESS-KEY> \
  --s3-region us-east-1 \
  --s3-endpoint s3.amazonaws.com \
  --s3-storage-class STANDARD \
  <NAME>
Credentials created successfully
```
Create credentials on AWS by storing keys as environment variables
You can create and configure credentials for AWS by storing your secret access key and access key ID as environment variables. When you run the pxctl credentials create command, Portworx uses the environment variables to create the credential:

Create the following environment variables, adding your own access key ID and secret access key, and provide them to the Portworx container through either daemon set parameters or the runc install command:

```
AWS_SECRET_ACCESS_KEY=xxx
AWS_ACCESS_KEY_ID=yyy
```

Enter the pxctl credentials create command, specifying:
- The --provider flag with the name of the cloud provider (s3)
- The --s3-region flag with the name of the S3 region (us-east-1)
- The --s3-endpoint flag with the name of the endpoint (s3.amazonaws.com)
- The optional --s3-storage-class flag with either the STANDARD or STANDARD-IA value, depending on which storage class you prefer
- The --use-iam flag
- The name of your cloud credentials

```
./pxctl credentials create \
  --provider s3 \
  --s3-region us-east-1 \
  --s3-endpoint s3.amazonaws.com \
  --s3-storage-class STANDARD \
  --use-iam \
  <NAME>
Credentials created successfully, UUID:12345678-a901-2bc3-4d56-7890ef1d23ab
```
Create credentials on AWS using IAM
Instead of storing your secret access key and access key ID on the host, you can grant Portworx bucket permissions using IAM. You can grant permissions to the EC2 instances on which Portworx is running in general, or you can grant permissions for a specific bucket.
Grant IAM permissions for your EC2 instance in general
In AWS, grant IAM permissions for an EC2 instance with no bucket:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}
```

Enter the following pxctl credentials create command, specifying:
- The --provider flag with the name of the cloud provider (s3)
- The --s3-region flag with the S3 region associated with your account
- The optional --s3-storage-class flag with either the STANDARD or STANDARD-IA value, depending on which storage class you prefer
- The --use-iam flag
- The name of your cloud credentials

```
./pxctl credentials create \
  --provider s3 \
  --s3-region us-east-1 \
  --s3-storage-class STANDARD \
  --use-iam \
  <NAME>
Credentials created successfully, UUID:12345678-a901-2bc3-4d56-7890ef1d23ab
```
Grant IAM permissions for a specific bucket
In AWS, grant IAM permissions for a specific bucket:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket-name>",
        "arn:aws:s3:::<bucket-name>/*"
      ]
    }
  ]
}
```

Enter the following pxctl credentials create command, specifying:
- The --provider flag with the name of the cloud provider (s3)
- The --s3-region flag with your bucket's S3 region
- The optional --s3-storage-class flag with either the STANDARD or STANDARD-IA value, depending on which storage class you prefer
- The --bucket flag with your bucket's name
- The --use-iam flag
- The name of your cloud credentials

```
./pxctl credentials create \
  --provider s3 \
  --s3-region <region> \
  --s3-storage-class STANDARD \
  --bucket <bucket-name> \
  --use-iam \
  <NAME>
Credentials created successfully, UUID:12345678-a901-2bc3-4d56-7890ef1d23ab
```
Delete existing credentials
To delete a particular set of credentials, run pxctl credentials delete with the uuid or the name as the parameter, like this:

```
pxctl credentials delete <uuid or name>
Credential deleted successfully
```

Replace <uuid or name> with the actual uuid or name of the credentials you want to delete.
Validate credentials
If you want to validate a set of credentials for a particular cloud provider, run the following:

```
pxctl credentials validate <uuid or name>
Credential validated successfully
```

Replace <uuid or name> with the actual uuid or name of the credentials you want to validate.
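The create, validate and delete steps above fit together into one guarded workflow: create the credential, validate it straight away, and remove it again if validation fails so that an unusable credential is never left configured. The following POSIX shell function is an added example, not Portworx's own code; it assumes the bucket-specific IAM procedure above, that PXCTL points at the pxctl binary (default /opt/pwx/bin/pxctl), and that the success message has the "Credentials created successfully, UUID:<uuid>" form shown on this page.

```shell
#!/bin/sh
# Assumed: PXCTL holds the path to the pxctl binary (default /opt/pwx/bin/pxctl).
PXCTL="${PXCTL:-/opt/pwx/bin/pxctl}"

# create_validated_iam_credential NAME REGION BUCKET
# Creates an IAM-backed S3 credential scoped to one bucket, extracts the UUID
# from the success message, validates it, and deletes it again if validation
# fails. Prints the UUID and returns 0 on success; returns 1 if creation failed
# and 2 if validation failed (the credential is deleted in that case).
create_validated_iam_credential() {
  name=$1; region=$2; bucket=$3
  out=$("$PXCTL" credentials create \
        --provider s3 \
        --s3-region "$region" \
        --s3-storage-class STANDARD \
        --bucket "$bucket" \
        --use-iam \
        "$name" 2>&1) || { printf 'create failed: %s\n' "$out" >&2; return 1; }
  # Success message looks like: Credentials created successfully, UUID:<uuid>
  uuid=$(printf '%s\n' "$out" | sed -n 's/.*UUID:\([0-9a-fA-F-]*\).*/\1/p')
  [ -n "$uuid" ] || { printf 'no UUID in: %s\n' "$out" >&2; return 1; }
  if "$PXCTL" credentials validate "$uuid" >/dev/null 2>&1; then
    printf '%s\n' "$uuid"
    return 0
  fi
  printf 'validation failed for %s, deleting %s\n' "$name" "$uuid" >&2
  "$PXCTL" credentials delete "$uuid" >/dev/null 2>&1
  return 2
}
```

On a node it is called as create_validated_iam_credential <NAME> <region> <bucket-name>, and the printed UUID can be fed to later pxctl commands.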
Related topics
- For information about integrating Portworx with Kubernetes Secrets, refer to the Kubernetes Secrets page.