Provisioning a Node with AWS Integrations

AWS Prerequisites

  • Refer to the KMS blog post and the instructions here for details on creating an AWS user with access to a master encryption key. Scope that IAM user to the single key it needs, since its access key pair is what you will later paste into the KMS configuration. Refer to the Generating an Encryption Key video tutorial for an interactive walkthrough on generating the master encryption key in AWS.
  • Refer to the instructions here for details on creating a custom Cloudwatch Logs policy and a Cloudwatch Logging Group.  Refer to the Setting up Cloudwatch Logging Permissions video tutorial for an interactive walkthrough on applying a custom policy to an IAM user.
  • Refer to the instructions here for details on creating a PrivateLink endpoint for Kaleido. Note that the PrivateLink endpoint is NOT a prerequisite for enabling a private ingress on the node. The endpoint can be generated post node creation.  Refer to the Generating a PrivateLink Endpoint video tutorial for an interactive walkthrough on provisioning the Kaleido interface in your VPC.
  • Refer to the instructions here for details on provisioning an S3 Bucket and applying a custom policy to an IAM user.  Refer to the Configuring an S3 Bucket video tutorial for an interactive walkthrough on creating the bucket and applying the custom policy.
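The three IAM policies below are an added example of what the prerequisites above ask for: one dedicated IAM user per integration, each allowed to touch exactly one KMS key, one CloudWatch log group or one S3 bucket, shown beside the over-broad "Action": "*" / "Resource": "*" policy people paste in to get unblocked. This is illustrative code, not Kaleido's own instructions. The account ID, key ID, log group ARN, bucket name and the exact action lists are placeholders and assumptions; take the required actions from the linked Kaleido instructions for each integration. The checker is a quick wildcard scan, not a replacement for IAM Access Analyzer.

```python
import json

# Constructed placeholders: substitute your own account ID, key ID, log group and bucket.
ACCOUNT_ID = "123456789012"
KMS_KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/"
               "11111111-2222-3333-4444-555555555555")
LOG_GROUP_ARN = f"arn:aws:logs:us-east-2:{ACCOUNT_ID}:log-group:kaleidologs:*"
BUCKET = "my-kaleido-bucket"

# Assumed minimal action sets for each integration; the authoritative lists are in
# Kaleido's own setup instructions linked above.
KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "KaleidoUseOneKey",
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
        "Resource": KMS_KEY_ARN,
    }],
}

LOGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "KaleidoWriteOneLogGroup",
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
        "Resource": LOG_GROUP_ARN,
    }],
}

S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KaleidoBackupObjects",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Sid": "KaleidoBackupList",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
    ],
}

# The over-broad policy to avoid: it turns the pasted access key pair into an admin credential.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy):
    """Return human-readable findings for Allow statements broader than one resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
    return findings


def is_least_privilege(policy):
    """True when no Allow statement uses wildcard actions, wildcard resources or exclusions."""
    return not policy_findings(policy)


if __name__ == "__main__":
    for name, policy in [("kms", KMS_POLICY), ("logs", LOGS_POLICY),
                         ("s3", S3_POLICY), ("overbroad", OVERBROAD_POLICY)]:
        status = "OK" if is_least_privilege(policy) else "; ".join(policy_findings(policy))
        print(f"{name}: {status}")
        print(json.dumps(policy, indent=2))
```

Attach each policy to its own IAM user and create one access key pair per user; that way revoking a leaked Log Streaming credential does not disturb KMS or backups, and the blast radius of any one pasted secret is a single key, log group or bucket.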

API Mechanics

  • Refer to the Understanding the Kaleido API documentation for instructions on creating and enabling configurations via the Kaleido API. If you use the raw API, you must first create the relevant configuration object(s) and note the configuration ID(s) they return. One or more of those IDs can then be passed as parameters in the body of the node creation call. For example, to create a node with KMS and Log Streams enabled, you would issue a call similar to the one below, where kms_id and opsmetric_id are the IDs of the KMS and Log Streaming configuration objects, and $HDR_AUTH, $HDR_CT and $APIURL hold your Authorization header, the JSON Content-Type header and the API base URL:

curl -X POST -d '{"membership_id":"abcde12345", "name":"BANK A Node", "kms_id":"xyz123fghi", "opsmetric_id":"def456jklm"}' -H "$HDR_AUTH" -H "$HDR_CT" "$APIURL/consortia/{consortia_id}/environments/{environment_id}/nodes" | jq
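The following is an added example, not code from the Kaleido documentation, that scripts the same two-step flow in Python: create a configuration object, read back its ID, then pass that ID in the node creation body. It also builds the Master Key value with the alias/ prefix described under KMS below. The configurations endpoint path, the body shape {name, type, membership_id, details}, the detail field names, the _id field in the response, the Bearer token header and the backup_id / networkcontrol_id parameter names are assumptions to be checked against the Kaleido API reference; kms_id and opsmetric_id are the names used on this page.

```python
import json
import os
import urllib.request

# Constructed placeholders; real values come from your Kaleido console.
API_URL = os.environ.get("APIURL", "https://console.kaleido.io/api/v1")
API_TOKEN = os.environ.get("KALEIDO_API_TOKEN", "replace-me")

# Node parameters: kms_id and opsmetric_id appear on this page;
# backup_id and networkcontrol_id are assumed names for the other two integrations.
CONFIG_PARAMS = {"kms_id", "opsmetric_id", "backup_id", "networkcontrol_id"}


def kms_alias(name):
    """Return the Master Key value in the alias/<name> form the KMS field expects.

    A bare alias gets the alias/ prefix; an already-prefixed alias or a key ARN
    is returned unchanged.
    """
    name = name.strip()
    if name.startswith("alias/") or name.startswith("arn:aws:kms:"):
        return name
    return "alias/" + name


def config_payload(name, config_type, membership_id, details):
    """Body for creating a configuration object (field names are assumed)."""
    if config_type not in ("kms", "opsmetric", "backup", "networkcontrol"):
        raise ValueError(f"unsupported configuration type {config_type!r}")
    return {"name": name, "type": config_type,
            "membership_id": membership_id, "details": details}


def node_payload(membership_id, name, **config_ids):
    """Body for the node creation call.

    Only the integrations you pass an ID for are included, so a node can run
    with any combination of KMS, Log Streaming, Backup and VPC configurations.
    """
    unknown = set(config_ids) - CONFIG_PARAMS
    if unknown:
        raise ValueError(f"unknown configuration parameter(s): {sorted(unknown)}")
    body = {"membership_id": membership_id, "name": name}
    body.update({k: v for k, v in config_ids.items() if v})
    return body


def post(path, body):
    """POST a JSON body to the Kaleido API and return the decoded response."""
    req = urllib.request.Request(
        API_URL.rstrip("/") + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {API_TOKEN}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def provision_node(consortia_id, environment_id, membership_id, node_name,
                   region, access_key_id, secret_access_key, master_key="kaleido"):
    """Create a KMS configuration, then a node that uses it (makes network calls)."""
    base = f"/consortia/{consortia_id}/environments/{environment_id}"
    # Detail field names are assumed to mirror the UI fields described on this page.
    kms_details = {"region": region, "api_key": access_key_id,
                   "api_secret": secret_access_key, "master_key": kms_alias(master_key)}
    # Step 1: create the configuration object and capture its ID.
    kms = post(base + "/configurations",
               config_payload(f"{node_name} KMS", "kms", membership_id, kms_details))
    # Step 2: pass that ID in the node creation body.
    return post(base + "/nodes",
                node_payload(membership_id, node_name, kms_id=kms["_id"]))


if __name__ == "__main__":
    # Offline demonstration of the bodies the two calls would send.
    print(json.dumps(config_payload("BANK A KMS", "kms", "abcde12345",
                                    {"region": "us-east-1",
                                     "master_key": kms_alias("mysecretkey")})))
    print(json.dumps(node_payload("abcde12345", "BANK A Node",
                                  kms_id="xyz123fghi", opsmetric_id="def456jklm")))
```

Keep the access key ID and secret out of the script itself; read them from environment variables or a secrets manager at run time, since the configuration object stores them on your behalf and a copy in source control defeats the scoped IAM user.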

UI Mechanics (Recommended Approach)

  • Click the Add dropdown in the top right portion of the screen and select New Node
  • Click the Integrations option at the bottom of the node creation panel to open the configuration screen.
  • Select a membership to bind the node to. You can only provision nodes against memberships under your Kaleido Organization’s control.
  • Provide a name for the node and then proceed to configure some combination of KMS, Log Streaming, VPC and Backup.

KMS

  • Click the hyperlink below the Key Store Management section to create a new KMS configuration.
  • Enter a name for the KMS configuration object and input the region where the master encryption key is stored, for example us-east-1. The alias is looked up in this region, so it must be the region in which the key and its alias were created.
  • In the API Key field, enter the Access key ID for the user with access to the master encryption key.
  • In the API Secret field, enter the Secret access key for the user with access to the master encryption key.
  • In the Master Key field, enter the alias of your master key. If you gave the key the alias kaleido on AWS, you can leave the supplied default value; if you chose a different alias, enter it here. Note that the alias/ prefix must precede the name: if your master key alias was mysecretkey, enter alias/mysecretkey. Click Continue to complete the configuration.

Log Streaming

  • Click the hyperlink below the Log Streaming Connection section to create a new Log Streaming configuration.
  • Enter a name for the Ops Metrics configuration object (this is the object whose ID is passed as opsmetric_id in the API) and input the region where the Logging group is located. For example, us-east-2.
  • In the API Key field, enter the Access key ID for the user or role with the Cloudwatch Logs permissions.
  • In the API Secret field, enter the Secret access key for the user or role with the Cloudwatch Logs permissions.
  • In the Group Name field, enter the name of the Cloudwatch Logging Group. For example, kaleidologs. Click Continue to complete the configuration.

VPC

  • In the Network Control section, select the desired configuration.
  • Selecting Public Only will generate the node without a private ingress and all calls to the network will flow over the public internet.
  • Selecting Private Only will generate the node without a public ingress and all calls will be routed through your VPC PrivateLink endpoint.
  • Selecting Public & Private generates both a public and private ingress, allowing you to partition your communication streams accordingly.

    NOTE: Currently you CANNOT add a private ingress after the node has been created (the PrivateLink endpoint in your VPC can be created later, but the node's private ingress cannot). If you foresee needing a private communication layer, choose the Public & Private configuration.

Backup

  • Click the hyperlink below the Backup Store section to create a new backup configuration
  • Enter a name for your backup configuration object and input the region where the S3 bucket is located. For example, us-east-2.
  • In the API Key field, enter the Access key ID for the user or role with the S3 write permissions.
  • In the API Secret field, enter the Secret access key for the user or role with the S3 write permissions.
  • In the S3 Bucket Name field, enter the name of the S3 Bucket you want to target for backup calls. For example, my-kaleido-bucket (S3 bucket names may not contain underscores). Click Continue to complete the configuration.

Successfully generated configurations will appear in the middle portion of the environment screen. Note that you CANNOT delete configurations once they are in active use by a node. In order to remove a configuration in active use, you will first need to delete the node or nodes that it has been applied to.
