# Amazon Web Services
This guide will walk you through deploying D1 Storage or D1 Generic, using K1 for key management, to Amazon Elastic Kubernetes Service with Amazon S3, AWS Key Management Service, and Amazon Cognito.
To follow this guide, you will need to create an AWS account as well as set up the `aws` CLI tool and the `eksctl` CLI tool.
## Amazon S3
In order to provision a basic storage bucket, follow this guide or run the following `aws` command:
```bash
aws s3 mb s3://d1-bucket
```
Create an access key for the bucket as described here.
## AWS KMS
You will need to provision an encryption key. The process is described below:
- Go to Key Management Service and choose the region closest to your location.
- Create a symmetric key. The `KEY_SPEC` should be `SYMMETRIC_DEFAULT`. Save the key ID or ARN.
- Create an IAM policy. Choose the KMS service and the actions Encrypt, Decrypt, GenerateRandom from the Write access level. Add the key's details to restrict access to a single key.
- Create an IAM user. Choose "Access key - Programmatic access" as the AWS access type. Attach existing policies directly, and choose the newly created policy. Save the credentials.
## Amazon Cognito
You will need to create a Cognito user pool as well as an OIDC client. The process is described here. Alternatively, you can perform the following steps. First, create a new AWS Cognito user pool:
```bash
aws cognito-idp create-user-pool --pool-name d1-aws-sandbox
```
Next, create a client:
```bash
aws cognito-idp create-user-pool-client --client-name d1-cognito --supported-identity-providers COGNITO --allowed-o-auth-flows "code" --allowed-o-auth-scopes "email" "profile" "openid" --allowed-o-auth-flows-user-pool-client --callback-urls <list of callback URLs> --user-pool-id <user pool ID>
```
Save the client ID for later use. Finally, create a user pool domain:
```bash
aws cognito-idp create-user-pool-domain --domain "d1-cognito" --user-pool-id <user pool ID>
```
## Amazon Elastic Kubernetes Service
Provision an EKS cluster as described here or by using the following `eksctl` command:
```bash
eksctl create cluster --name d1-cluster --nodes 2 --node-type t3.large
```
## Deployment
You first need to deploy K1 using our Helm chart. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:
```yaml
# File: values.yaml
k1:
  endpoint: k1.default.svc.cluster.local
  keyprovider:
    provider: awsKMS
    awsKMS:
      region: <Region>
      keyid: <Encryption key ID>
      accessKeyId: <IAM Key ID>
      secretAccessKey: <IAM Access Key>
postgresql:
  auth:
    database: "k1"
    username: "k1"
    password: <fill in a secure password>
```
You can then deploy K1:
```bash
helm install k1 oci://ghcr.io/cybercryptio/helm-charts/k1 --version 0.2.0 --values values.yaml
```
Once the deployment is successful, create a new Key Set and get the Key Initialization Key:
```bash
export KS_ID=$(kubectl exec -it deployments/k1 -- /k1 newKeySet 2> /dev/null | tail -n 3 | jq -r ".KsID")
kubectl exec -it deployments/k1 -- /k1 newKik --ksid=$KS_ID
```
You are now ready to deploy D1 Storage or D1 Generic using our Helm charts. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:
```yaml
config:
  keys:
    provider: "k1"
    k1:
      endpoint: "k1.default.svc.cluster.local:50051"
      kik: <Key Initialization Key>
      kikId: <Key Initialization Key ID>
  io:
    provider: "s3"
    s3:
      address: "https://s3.<region>.amazonaws.com"
      id: <S3 Key ID>
      key: <S3 Key>
      bucket: "d1-bucket"
      region: <region>
  id:
    provider: "oidc"
    oidc:
      issuer: "https://cognito-idp.<region>.amazonaws.com/<user pool ID>"
      clientid: <OIDC client ID>
      signingalg: "RS256"
      claimtranslation: <Your desired claim translation>
```
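Before running `helm install`, it is worth checking the filled-in values file for the mistakes that are easiest to make here: a `<placeholder>` left in place, an S3 address whose region differs from `config.io.s3.region`, an issuer that is not the Cognito URL form above, or a signing algorithm other than RS256. The following pre-deployment check is an added example, not part of the D1 or K1 projects; it parses only the nested key/value YAML subset used by these values files and runs against a constructed sample with two deliberate errors.

```python
import re
S3_ADDRESS = re.compile(r"^https://s3\.([a-z0-9-]+)\.amazonaws\.com$")
COGNITO_ISSUER = re.compile(r"^https://cognito-idp\.([a-z0-9-]+)\.amazonaws\.com/([a-z0-9-]+)_[A-Za-z0-9]+$")
# Constructed sample values for the D1 chart with two deliberate mistakes: kik is still
# a placeholder and the S3 address names a region other than config.io.s3.region.
SAMPLE_VALUES = """\
config:
  keys:
    k1:
      kik: <Key Initialization Key>
  io:
    s3:
      address: "https://s3.eu-west-1.amazonaws.com"
      region: "eu-central-1"
  id:
    oidc:
      issuer: "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_AbCdEfGhI"
      signingalg: "RS256"
"""

def parse_values(text):
    """Parse the nested key/value YAML subset used by the values files above (no lists)."""
    root, stack = {}, []
    for raw in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # climb back to this line's parent mapping
            stack.pop()
        parent = stack[-1][1] if stack else root
        value = value.strip().strip('"')
        parent[key] = value or {}  # an empty value opens a nested mapping
        if not value:
            stack.append((indent, parent[key]))
    return root

def check_d1_values(text):
    """Return findings for a D1 values file; an empty list means every check passed."""
    findings = [f"placeholder not filled in: {l.strip()}" for l in text.splitlines() if re.search(r"<[^>]*>", l)]
    c = parse_values(text).get("config", {})
    s3 = c.get("io", {}).get("s3", {})
    m = S3_ADDRESS.match(s3.get("address", ""))
    if not m or m.group(1) != s3.get("region"):
        findings.append("config.io.s3.address: region does not match config.io.s3.region")
    oidc = c.get("id", {}).get("oidc", {})
    m = COGNITO_ISSUER.match(oidc.get("issuer", ""))
    if not m or m.group(1) != m.group(2):
        findings.append("config.id.oidc.issuer: expected https://cognito-idp.<region>.amazonaws.com/<user pool ID>")
    if oidc.get("signingalg") != "RS256":
        findings.append("config.id.oidc.signingalg: Cognito signs ID tokens with RS256")
    return findings
```

Run `check_d1_values(open("values.yaml").read())` against your own file; for the sample it reports the placeholder and the region mismatch and nothing else.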
You can then deploy D1 Storage or D1 Generic:
```bash
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-storage --version 0.3.10 --values values.yaml
# OR
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-generic --version 0.3.10 --values values.yaml
```