Set up a cloud provider account connection (or credential), to enable you to perform actions in your cloud provider account through VMware Tanzu Mission Control, such as data protection backups or creating Tanzu Kubernetes clusters.

To create backups or new clusters using Tanzu Mission Control, you must first connect a cloud provider account. There are two kinds of cloud provider account connections, or credentials, that enable distinct sets of functionality:
  • Lifecycle management - This type of credential enables you to provision new clusters. For more information, see Cluster Lifecycle Management in VMware Tanzu Mission Control Concepts.
  • Data protection - This type of credential enables you to back up and restore cluster data. For more information, see Data Protection in VMware Tanzu Mission Control Concepts.

Although each kind of credential enables unique functionality, the process of setting up the credentials is essentially the same.

Prerequisites

Before you can set up a connection to your cloud provider account, make sure you have access to the account and that you have prepared the account to allow Tanzu Mission Control to create clusters.
  1. Log in to the AWS console.
  2. If you are creating a credential for lifecycle management, use the EC2 service to create an SSH key pair for each region that you plan to use with Tanzu Mission Control.
Note: The SSH key pair is not required to set up the cloud provider account connection. However, Tanzu Mission Control requires an SSH key pair to create clusters. This key pair must exist for every region in which you want to create clusters. If you create a cloud provider account connection and subsequently attempt to use Tanzu Mission Control to create a cluster in a region for which you have not defined a key pair, cluster creation fails. This failure occurs later in the cluster creation process, and appears as though creation is simply stalled or stuck. Therefore, it is best to create the key pair in each region at the time you create the cloud provider account connection.
Also make sure you have the appropriate permissions to make a connection.
  • To create a cloud provider account connection, you must be associated with the organization.credential.admin role.
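The note above warns that a missing SSH key pair only surfaces later as a stalled cluster creation. The following preflight check is an added example, not part of the original VMware documentation. It assumes the AWS CLI is installed and configured for the target account; the key pair name and regions you pass in are your own values.

```shell
#!/bin/sh
# Preflight: list planned regions that lack an EC2 key pair, so the gap is
# found before a cluster creation stalls. Added example; assumes the AWS CLI
# is configured for the account you are connecting.

# Print the key pair names that exist in region $1, one per line.
# Returns non-zero if the AWS CLI call itself fails (bad region, no access).
keypairs_in_region() {
    kp_out=$(aws ec2 describe-key-pairs --region "$1" \
        --query 'KeyPairs[].KeyName' --output text) || return 1
    printf '%s\n' "$kp_out" | tr '\t' '\n'
}

# For each region given as an argument, print "<region> missing" when no
# usable key pair exists, or "<region> lookup-failed" when the query fails.
# If KEY_NAME is set, that exact name must exist; otherwise any key pair counts.
missing_keypair_regions() {
    for region in "$@"; do
        if ! names=$(keypairs_in_region "$region" 2>/dev/null); then
            echo "$region lookup-failed"
            continue
        fi
        if [ -n "${KEY_NAME:-}" ]; then
            printf '%s\n' "$names" | grep -qxF -- "$KEY_NAME" \
                || echo "$region missing"
        elif [ -z "$names" ]; then
            echo "$region missing"
        fi
    done
}

# Run the check only when regions are given on the command line.
if [ "$#" -gt 0 ]; then
    missing_keypair_regions "$@"
fi
```

Run it with the regions you plan to use as arguments, optionally setting `KEY_NAME` to the key pair you expect in each one. No output means every region is ready.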

Procedure

  1. In the Tanzu Mission Control console, click Administration in the left navigation pane.
  2. On the Administration page, click the Accounts tab, click Create Account Credential, and then select the type of credential to create.
  3. On the Create credential page, provide a name for the credential, click Generate template, and then click Next.
    The name that you enter is the name that appears in the list of connected accounts on the Administration page.
    When you click Generate template, Tanzu Mission Control generates the template and then downloads it.
    Note: Do not reuse a template from a previously created stack. Each time you create a cloud provider account connection, you must download the template and create a new stack, even if you use the same AWS account.
  4. In the AWS console, create a CloudFormation stack using the downloaded template, and when stack creation completes, retrieve the role ARN.
  5. In the Tanzu Mission Control console, still on the Create credential page, click Next and then paste the role ARN that you copied from the AWS console.
  6. Click Create Credential to create the connection to your cloud provider account.

Results

After you complete this procedure, you have a credential that you can use to perform actions through Tanzu Mission Control that require access to your cloud provider account. You can see your new credential listed on the Administration page in the Tanzu Mission Control console, and you can choose that credential when you initiate an action that depends on your cloud provider account.