nicholas-tao left a comment
Console UI docs LGTM. Let me know when these docs go live, as we'll want to update the docs links in the Console UI. They currently point to /byoc-deployment but I think we'll want to point to CSP-specific pages
@nicholas-tao I have a redirect in place that'll point existing links to
@jhlodin Makes sense, thanks for the context!
| Cockroach Labs uses an intermediate **IAM role** to provision and manage resources in your AWS account. In this step, use your CockroachDB {{ site.data.products.cloud }} organization label to determine the **Amazon Resource Name (ARN)** of this IAM role. | ||
|
|
||
| Find your org label in the CockroachDB {{ site.data.products.cloud }} Console or by using the `/v1/organization` endpoint of the [CockroachDB {{ site.data.products.cloud }} API](https://www.cockroachlabs.com/docs/api/cloud/v1.html#get-/api/v1/organization) with a `GET` request similar to the following example: |
Find your org label
I don't think we should rely on the structure of this IAM string. The template you show below is how it will look today but I think we should encourage them to just get the entire IAM identifier string from the API response in case we change the format later.
Reworked this step to have the reader collect the ARN with the cloud API, which also means I needed to make the cloud API setup prerequisite non-optional for AWS.
If we think users will bristle at being told they need to use the API just for this step, we should surface the ARN in the Console somewhere for easy reference.
| - The project ID **must not** begin with the reserved prefix `crl-`. | ||
| - [Enable](https://docs.cloud.google.com/endpoints/docs/openapi/enable-api) the Service Usage API and the Cloud Resource Manager APIs for this project. Cockroach Labs will enable additional APIs as needed, but these two must be initialized first. | ||
|
|
||
| ## Step 2. Configure an intermediate service account for Cockroach Labs |
We're missing the lookup of the CRL-owned GCP intermediate service account, similar to the IAM user in AWS. They should look it up using the public API method just like for AWS, and grant two roles on it.
Added a step similar to what I wrote for AWS.
What's the difference from a user's perspective between the CRL-owned intermediate service account and the customer-created intermediate service account? Should be able to say, at a high level, why they're creating each one and giving them their respective roles (but not in so much depth that the customer gets the idea to exclude some roles)
kannanlakshmi left a comment
Thanks Joe -- I left somewhat minor comments. I did not carefully review the actual account roles and set up, Ryan or Bill are better suited for that. Thanks!
bsanchez-the-roach left a comment
lots of nits with some more substantive comments
ab9cde7 to d25712d
bsanchez-the-roach left a comment
a few more comments
| 1. Click **Create cluster**. | ||
| 1. Under **Select a plan**, click **{{ site.data.products.advanced }}**. | ||
| 1. Under **Cloud & Regions**, click **Bring Your Own Cloud** and select Google Cloud. | ||
| 1. Under **Cloud account**, click **Select your cloud account > Add new cloud account**. Enter the service account email associated with the intermediate service account you created, *not* the email address of the Cockroach Labs service account. |
| 1. Under **Cloud account**, click **Select your cloud account > Add new cloud account**. Enter the service account email associated with the intermediate service account you created, *not* the email address of the Cockroach Labs service account. | |
| 1. Under **Cloud account**, click **Select your cloud account > Add new cloud account**. Enter the service account email associated with the intermediate service account you created, **not** the email address of the Cockroach Labs service account. |
Bold for emphasis, italics for introducing a new phrase, I believe?
Not currently in the style guide, and because we're already using bold in this line to describe UI elements I don't want to overload bold usage.
| Cockroach Labs uses cross-account service account impersonation to provision and manage resources in your GCP project. This requires two GCP service accounts: | ||
|
|
||
| - A service account owned by Cockroach Labs which must be granted roles to view and access service accounts in your GCP project. |
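Review bot: "roles to view and access service accounts" leaves the grant unspecified in the bullet describing the Cockroach Labs-owned service account; name the exact IAM roles the reader assigns to it (the discussion below refers to the token creator and view service accounts roles) so readers can verify they are granting only what the impersonation flow needs and can audit the binding afterwards.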
Could maybe link to this, to help clarify the difference: https://www.cockroachlabs.com/docs/cockroachcloud/managing-access.html#manage-service-accounts
Both of these are GCP service accounts, neither is a CRDB service account. The "This requires two GCP service accounts" line is my attempt at clarifying that; I'm not sure what more I can do.
| Send a `POST` request to the the `/v1/clusters` endpoint to [create a CockroachDB {{ site.data.products.cloud }} {{ site.data.products.advanced }} cluster]({% link cockroachcloud/cloud-api.md %}#create-an-advanced-cluster). | ||
|
|
||
| The following example request creates a 3-node {{ site.data.products.advanced }} cluster in the `us-east1` region, specifying the `service_account_email` associated with the intermediate service account you created: |
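Review bot: typo in the first sentence of this hunk, "to the the `/v1/clusters` endpoint"; drop the duplicated "the".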
I'd repeat that same clarification here. I'd also maybe avoid using the service_account_email string in this bit of text, as I so associate it with the snippet from Step 2 that I immediately associate it with the CRL service account email address.
We do need to call out the field by name, but reworded to clarify
| { | ||
| "cockroach_cloud_service_principals": { | ||
| "gcp": { | ||
| "service_account_email": "example@email.com" |
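Review bot: the placeholder `example@email.com` on the `service_account_email` line reads like a personal mailbox; use a value shaped like a GCP service account address (`<name>@<project-id>.iam.gserviceaccount.com`) so readers do not paste a user email here, which also reduces the confusion between the two service account emails raised elsewhere in this review.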
I don't think that this email address actually gets used, does it? If it's not, I might just remove this bit entirely, as then you won't have to worry about differentiating between the two email addresses later.
As discussed offline, it does - it's the service account that you grant the token creator/view service accounts roles later in this step
| ## Step 1. Create a new AWS account | ||
|
|
||
| Provision a new AWS account with no existing infrastructure, dedicated to your CockroachDB {{ site.data.products.cloud }} deployment. The account configuration for BYOC requires you to grant Cockroach Labs permissions to access and modify resources in this account, so this step is necessary to isolate these permissions from non-CockroachDB Cloud resources. This account can be reused for multiple CockroachDB clusters. |
This account can be reused for multiple CockroachDB clusters.
Can we leave this out for now until we fully release this functionality?
Co-authored-by: bsanchez-the-roach <brandon.sanchez@cockroachlabs.com>
Thank you! LGTM!
Prepare BYOC documentation for public preview
https://cockroachlabs.atlassian.net/browse/DOC-15891
https://cockroachlabs.atlassian.net/browse/DOC-15892
https://cockroachlabs.atlassian.net/browse/DOC-15645