The "Use Connector's Pre-configured Credentials" Option
For customers running their site in Amazon Web Services (AWS) or Microsoft Azure, Flywheel offers a unique way of authenticating to cloud storage that uses pre-configured service account roles instead of Access Keys.
The technologies involved include:
Purpose
Benefits
Using pre-configured credentials improves overall security and reduces maintenance burden by eliminating the need for the person configuring a new External Storage registration within Flywheel to know, secure, or share secret credentials.
Instead, the Flywheel site itself is able to negotiate with AWS directly to obtain the access tokens required for authorizing interactions with the cloud storage bucket.
To put it another way, when using IAM Roles, the process of getting the Flywheel services the proper credentials for accessing the cloud storage bucket is handled entirely in the backend — no sensitive information needs to be provided through the frontend at all.
Limitations
You may be able to use this feature immediately if:
- Your Flywheel site is hosted in either AWS or Azure, and
- Your cloud storage bucket is located in the same cloud account/subscription as your Flywheel site.
Otherwise, if your cloud storage bucket is located in a different cloud account/subscription from your Flywheel site, you may need assistance from Flywheel Support.
AWS and Azure only
This feature is not available if your Flywheel site is hosted outside of AWS or Azure.
How to Use It
It's possible you do not need to do anything special in order to use the "pre-configured credentials" feature -- simply enable the "Use connector's pre-configured credentials" option when configuring the storage provider in Flywheel.
This is because the default access policy generated by Flywheel's Infrastructure-as-Code (IaC) grants access to all cloud storage buckets in the same account/subscription.
However, if you have a different access control model or if the cloud storage bucket is located in a different AWS account, then it may be necessary for your Cloud Administrator to perform additional configuration. If this is the case, contact Flywheel support.
How it Works
When a new Flywheel tenant is deployed, Flywheel's infrastructure-as-code (IaC) generates a few new resources.
When an External Storage registration is created in Flywheel for a cloud storage bucket with the "Use connector's pre-configured credentials" option enabled, Flywheel's services assume the pre-configured role and negotiate with the cloud provider to obtain short-lived access keys which authorize calls to the specified bucket.
If you experience issues using the pre-configured credentials feature, then it is best to contact Flywheel Support for assistance.
AWS
For AWS, a Service Account is created for the Flywheel Services and assigned an IAM Role associated with an Access Policy that grants sufficient permissions for managing data in S3.
IAM Role
In AWS, every IAM Role is identified by an "Amazon Resource Name" (ARN). The ARN for the IAM Role generated by Flywheel's IaC in this case contains the site name and the phrase export-role.
Access Policy
An Access Policy (see AWS Access Policy), is also generated by Flywheel's IaC and attached to this IAM Role. The Access Policy grants the IAM role the required permissions for managing data in S3.
Service Account
Each process that needs to interact with AWS resources needs to be represented by an AWS Service Account. Flywheel's IaC generates a Service Account and assigns this service account to the relevant Flywheel services.
Additionally, Flywheel's IaC grants this service account the ability to assume the IAM Role (described in the IAM Role section of this document).
Since an Access Policy granting the required S3 bucket permissions is attached to the IAM Role, this Service Account inherits those same permissions when it assumes the IAM Role.
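The "How it Works" and "Access Policy" sections above describe a role whose attached policy, by default, reaches every S3 bucket in the account, and a tighter policy when the site uses a different access control model. The following is an added example, not Flywheel's IaC or its actual policy document: it shows a hypothetical broad policy next to a single-bucket variant and a small offline evaluator that reports which buckets a given policy actually lets the role reach (explicit Deny wins over Allow, anything unmatched is implicitly denied). The bucket names, ARNs and policy shapes are constructed for illustration.

```python
"""Offline check of what an S3 access policy attached to an IAM role reaches.

Added example; not Flywheel's code. The policy documents below are assumed
shapes built for illustration, not the ones generated by Flywheel's IaC.
"""
import fnmatch
import json

# Constructed sample: a broad policy in the spirit of "grants access to all
# cloud storage buckets in the same account" (hypothetical shape).
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject",
                       "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::*"],
        }
    ],
}


def scoped_policy(bucket: str) -> dict:
    """Least-privilege variant limited to one bucket (assumed shape).

    Bucket-level actions need the bucket ARN; object-level actions need the
    bucket ARN followed by "/*".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def deny_bucket(policy: dict, bucket: str) -> dict:
    """Return a copy of policy with an explicit Deny for one bucket appended."""
    copy = json.loads(json.dumps(policy))  # deep copy without mutating input
    copy["Statement"].append({
        "Effect": "Deny", "Action": ["s3:*"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    })
    return copy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM "*" matches any run of characters, including "/" and ":"; fnmatch
    # behaves the same way for the ARN strings used here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def reachable_buckets(policy: dict, candidates: list) -> list:
    """Buckets (from a constructed candidate list) the role could list."""
    return [b for b in candidates
            if is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{b}")]


def overbroad_statements(policy: dict) -> list:
    """Indices of Allow statements that use wildcard actions or resources."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        wide_action = any(a in ("*", "s3:*") for a in _as_list(stmt["Action"]))
        wide_resource = any(r in ("*", "arn:aws:s3:::*")
                            for r in _as_list(stmt["Resource"]))
        if wide_action or wide_resource:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    candidates = ["fw-site-export", "unrelated-bucket"]  # constructed names
    print("default reaches:", reachable_buckets(DEFAULT_POLICY, candidates))
    print("scoped reaches:", reachable_buckets(scoped_policy("fw-site-export"), candidates))
    print("overbroad statements in default:", overbroad_statements(DEFAULT_POLICY))
```

Running the block prints that the broad policy reaches both constructed buckets while the scoped one reaches only the export bucket, and flags statement 0 of the broad policy. The evaluator is deliberately minimal (no conditions, principals or resource-based bucket policies), which is enough to reason about whether a site's role is limited to the bucket registered in Flywheel before contacting Support about a cross-account setup.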
Azure
An Azure Managed Identity is created for the Flywheel services. The managed identity is assigned the Storage Blob Data Contributor RBAC Role, which grants the required permissions for managing data in Blob Storage.