Set up a cloud provider account connection (or credential), to enable you to create Tanzu Kubernetes clusters in your aws-hosted management cluster and manage their entire lifecycle through VMware Tanzu Mission Control.

Tanzu Mission Control hosts a Tanzu Kubernetes Grid management cluster on AWS that you can use to provision workload clusters into your AWS account. You do not need to register this management cluster; it is already registered with Tanzu Mission Control for your organization.

To create new clusters using Tanzu Mission Control in the aws-hosted management cluster, you must first connect an AWS account by creating a lifecycle credential in a provisioner on the cluster. This topic explains how to create a lifecycle credential. For information about creating a provisioner in your aws-hosted management cluster, see (((xref to 'create a provisioner'))). For more conceptual content, see Cluster Lifecycle Management in VMware Tanzu Mission Control Concepts.

Prerequisites

Before you can set up a connection to your AWS account, make sure you have access to the account and that you have prepared the account to allow Tanzu Mission Control to create clusters.
  1. Log in to the AWS console.
  2. Use the EC2 service to create an SSH key pair for each region that you plan to use with Tanzu Mission Control.
Note: The SSH key pair is not required to establish the cloud provider account connection. However, Tanzu Mission Control requires an SSH key pair to create clusters. This key pair must exist for every region in which you want to create clusters. If you create a cloud provider account connection and subsequently attempt to use Tanzu Mission Control to create a cluster in a region for which you have not defined a key pair, cluster creation fails. This failure occurs later in the cluster creation process, and appears as though creation is simply stalled or stuck. Therefore, it is best to create the key pair in each region at the time you create the cloud provider account connection.
Also make sure you have the appropriate permissions to make a connection.
  • To create a cloud provider account connection, you must be associated with the organization.credential.admin role.

Procedure

  1. In the Tanzu Mission Control console, click Administration in the left navigation pane.
  2. On the Administration page, click the Management clusters tab, and then click aws-hosted in the list of management clusters.
  3. On the management cluster detail page, click the Accounts tab, and then click Create Account Credential.
  4. On the Create credential page, select the provisioner to use, and provide a name for the credential.
    The name that you enter is the name that appears in the list of connected accounts on the Accounts tab of the management cluster detail page.
  5. Click Generate template, and then click Next.
    When you click Generate template, Tanzu Mission Control generates the template and then downloads it.
    Note: Do not reuse a template from a previously created stack. Each time you create a cloud provider account connection, you must download the template and create a new stack, even if you use the same AWS account.
  6. In the AWS console, create a CloudFormation stack using the downloaded template. When stack creation completes, copy the ARN of the IAM role that the stack created (the role ARN, not the ARN of the stack itself).
  7. In the Tanzu Mission Control console, still on the Create credential page, click Next and then paste the role ARN that you copied from the AWS console.
  8. Click Create Credential to create the connection to your cloud provider account.

Results

After you complete this procedure, you have a credential that you can use to create Tanzu Kubernetes clusters and manage their lifecycle with Tanzu Mission Control. You can see your new credential listed on the Accounts tab of the aws-hosted management cluster detail page in the Tanzu Mission Control console.