Using the Tanzu Service Mesh CLI, you can create an account to integrate with Amazon Route 53 in Amazon Web Services (AWS). An AWS integration account adds DNS and global server load balancing (GSLB) functionality to Tanzu Service Mesh.

To create an AWS integration account with the Tanzu CLI, you must describe the configuration of the account in a YAML file and then apply the configuration file. The account will be added to your tenant in Tanzu Service Mesh.

To create an integration account configuration file, you can get the API specification for an integration account in YAML format from Tanzu Service Mesh, create a YAML file based on the specification, and provide your configuration values in the file. You can then apply the account configuration file.

For more information about AWS integration accounts in Tanzu Service Mesh, see Create an AWS Integration Account.

Note:

Applying the integration account configuration file returns an integration account name. You must provide an integration account name when you create an external DNS account with the CLI.

Prerequisites

  • Know the access key ID and the associated secret access key of your AWS account.

  • Verify that your AWS account has the following permissions:

    • List access for hosted zones associated with the AWS account.

    • Write and list access for records within a hosted zone.

    • Read, write, and list access for health checks.

    • Tagging and list access for tags for health checks and hosted zones.

  • Verify that you are familiar with the Kubernetes YAML manifest format.

  • Install the CLI.

  • Log in to the Tanzu Service Mesh CLI.

Procedure

  1. Retrieve the API specification for an integration account:
    tanzu sm get spec externalaccount
  2. Create a YAML file for the integration account configuration and paste the API specification into the file.
  3. Provide the following values in the file.

    • name (under name and spec). Provide a name to identify this integration account. Important: make sure that you specify the same name under name and spec.

    • description. An optional description of the account. If you don't want to provide a description, remove this field.

    • auth_secret (under authentication). The secret to use for authentication. This field is not used for an AWS integration account. Remove this field.

    • auth_password (under authentication). Provide details to enable token-based authentication with AWS:

      • access_key. Your AWS access key ID.

      • secret_access_key. The secret access key associated with your access key ID.

      • session_token. The token that validates temporary security credentials used in programmatic requests for AWS resources. Set this field to an empty string ("").

    • authentication_type. The type of authentication to use with the external provider (AWS). Set this field to TOKEN.

    • certificate_id. The ID of the certificate that is used to trust a self-signed certificate. This field is used in the configuration of an Avi integration account and is not used for an AWS integration account. Set this field to an empty string ("").

    • provider. Identifies the external provider to integrate with. Set this field to AWS.

    • provider_url. The URL of the external provider's API endpoint. This field is not used for the configuration of an AWS integration account. Set this field to PROVIDERURL.

    See an example of a configuration file for an AWS integration account in the Example: A configuration YAML file for an AWS integration account section.
  4. Apply the resulting integration account configuration YAML file:
    tanzu sm apply -f {file-name.yaml}

    The output contains a message that the specified integration account was created.

Example: A configuration YAML file for an AWS integration account

apiVersion: externalaccounts.tsm.vmware.com/v1
kind: ExternalAccount
metadata:
  name: sample-aws-account
spec:
  name: sample-aws-account
  description: ""
  provider: AWS
  provider_url: "PROVIDERURL"
  authentication_type: "TOKEN"
  authentication:
    auth_token:
      access_key: "AKIAUEMMQ4CWGDKQEXAMPLE"
      secret_access_key: "wJalrXUrmFIGLY/L9ENGKS/fIxRfibpICEXAMPLEKEY"
      session_token: ""
  insecure: false
  certificate_id: ""

What to do next

The new integration account is added to the Admin area of the Tanzu Service Mesh Console. To view the details of the new account, perform these steps:
  1. Access the Tanzu Service Mesh Console.

  2. In the navigation pane on the left, click Admin > Integrations.

  3. On the System Integrations tab, on the AWS card, click View Details.

  4. On the integration account details page, find the account that you created and click Edit Configuration.