|
| 1 | +--- |
| 2 | +title: TiDB Cloud BYOC IAM Configuration |
| 3 | +summary: This document outlines the IAM configuration required for TiDB Cloud BYOC controller access. |
| 4 | +--- |
| 5 | + |
| 6 | +# TiDB Cloud BYOC IAM Configuration |
| 7 | + |
| 8 | +Once the AWS environment is prepared, you must authorize the TiDB Cloud Control Plane to manage resources within your account. This is achieved by executing a bootstrapping script that establishes the necessary IAM Roles based on the Principle of Least Privilege. |
| 9 | + |
| 10 | +## Preparation |
| 11 | + |
| 12 | +Before executing the script, ensure you have the following: |
| 13 | + |
| 14 | +1. **AWS CLI installed:** The CLI must be configured with an Access Key that has permissions to create IAM roles and policies. |
| 15 | +2. **TiDB Cloud account info:** Contact your TiDB Cloud support representative to obtain the **Control Plane Account ID** and **Clinic Account ID**. |
| 16 | + |
| 17 | +## Gather parameters |
| 18 | + |
| 19 | +Use the table below to map the required parameters for the script: |
| 20 | + |
| 21 | +| Parameter | Source | Description | |
| 22 | +| :---- | :---- | :---- | |
| 23 | +| `<ControlPlaneAccountId>` | **TiDB Support** | The AWS Account ID of the TiDB Control Plane. | |
| 24 | +| `<ClinicAccountId>` | **TiDB Support** | The AWS Account ID for the TiDB Clinic service. | |
| 25 | +| `<TidbHostedZoneId>` | [Required information](/tidb-cloud/byoc/byoc-prepare-environment-aws.md#summary-required-information) | The ID of the TiDB Cluster Hosted Zone you created. | |
| 26 | +| `<O11yHostedZoneId>` | [Required information](/tidb-cloud/byoc/byoc-prepare-environment-aws.md#summary-required-information) | The ID of the Observability Hosted Zone you created. | |
| 27 | +| `<TidbPCAArn>` | [Required information](/tidb-cloud/byoc/byoc-prepare-environment-aws.md#summary-required-information) | The ARN of the Private CA you created. | |
| 28 | + |
| 29 | +## Execute bootstrapping script |
| 30 | + |
| 31 | +1. Download the script from the [PingCAP GitHub repository](https://github.com/tidbcloud/byoc-account-setup/tree/main). |
| 32 | + |
| 33 | +2. In your terminal, run the following command. Note to replace the placeholders with your actual values. |
| 34 | + |
| 35 | + ```bash |
| 36 | + sh tidbcloud-byoc-setup.sh \ |
| 37 | + --control-plane-id <ControlPlaneAccountId> \ |
| 38 | + --clinic-id <ClinicAccountId> \ |
| 39 | + --tidb-hz-id <TidbHostedZoneId> \ |
| 40 | + --o11y-hz-id <O11yHostedZoneId> \ |
| 41 | + --pca-arn <TidbPCAArn> |
| 42 | + ``` |
| 43 | + |
| 44 | +3. Monitor the process. Upon execution, the script initiates AWS CloudFormation to provision and update resources. You can observe a log stream in the terminal displaying status messages such as `waiting for changeset to be created` and `successfully created/updated stack`. |
| 45 | + |
| 46 | +<!--To confirm: whether to add image--> |
| 47 | + |
| 48 | +## Verification |
| 49 | + |
| 50 | +After execution, the script will output the ARNs of the created IAM roles. |
| 51 | + |
| 52 | +* **Action required:** Share the **execution result/log** with your TiDB Cloud representative. |
| 53 | + |
| 54 | +* **Next step:** Once TiDB Cloud verifies the roles, the [automated deployment](/tidb-cloud/byoc/byoc-automated-deployment.md) will be triggered. |
0 commit comments