updated standard mode steps for Azure and AWS linking (#4410)

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
Victoria Bialas 2017-08-28 17:36:37 -07:00 committed by GitHub
parent 397c5eb7f3
commit 657cd941f5
5 changed files with 31 additions and 173 deletions

View File

@ -126,3 +126,7 @@ You are now ready to deploy a swarm!
**Ready to create swarms on AWS?** See [Create a new swarm on Amazon Web Services in Docker Cloud](create-cloud-swarm-aws.md).
You can get an overivew of topics on [swarms in Docker Cloud](index.md).
**Using Standard Mode to managing Docker nodes on AWS?** If you are
setting up nodes on AWS in [Standard Mode](/docker-cloud/standard/),
go back to [What's next in Standard Mode](/docker-cloud/infrastructure/link-aws.md##whats-next).
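Review bot: two fixes needed in the added "Using Standard Mode" paragraph. First, "Using Standard Mode to managing Docker nodes on AWS?" should read "to manage". Second, the link target `/docker-cloud/infrastructure/link-aws.md##whats-next` has a doubled `#`; the rendered anchor will not match the page's `## What's next?` heading, so change it to `link-aws.md#whats-next`. The unchanged context line above it also carries the typo "overivew" for "overview", which could be fixed in the same pass.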

View File

@ -113,3 +113,7 @@ process. If you haven't done so yet, check out how to [Set up SSH
keys](ssh-key-setup.md).
You can get an overivew of topics on [swarms in Docker Cloud](index.md).
**Using Standard Mode to managing Docker nodes on Azure?** If you are
setting up nodes on Azure in [Standard Mode](/docker-cloud/standard/),
go back to [What's next in Standard Mode](/docker-cloud/infrastructure/link-azure.md##whats-next).
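Review bot: the Azure paragraph has the same two problems as the new text it mirrors: "to managing Docker nodes on Azure?" should be "to manage", and `link-azure.md##whats-next` has a doubled `#` that produces an anchor which will not resolve to the `## What's next?` heading; suggest `/docker-cloud/infrastructure/link-azure.md#whats-next`. The context line "overivew" is also a typo for "overview".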

View File

@ -2,7 +2,6 @@
description: Manage network in Docker Cloud
keywords: nodes, hosts, infrastructure, Cloud
title: Docker Cloud infrastructure overview (Standard Mode)
notoc: true
---
Docker Cloud uses an agent and system containers to deploy and manage nodes (hosts) on your behalf. All nodes accessible to your account are connected by an overlay or mesh network, regardless of host or cloud service provider.

View File

@ -7,142 +7,23 @@ redirect_from:
title: Link an Amazon Web Services account
---
> **Legacy instructions**:
>
> This topic has been superseded by [the AWS instructions that enable swarm mode](/docker-cloud/cloud-swarm/link-aws-swarm.md).
You can create a role with AWS IAM (Identity and Access Management) so that
Docker Cloud can provision and manage **node clusters** and **nodes** on your
behalf.
Docker Cloud can provision and manage swarms on your behalf.
[Previously](https://docs.docker.com/v1.11/docker-cloud/infrastructure/link-aws), we
recommended that you create a service user that Docker Cloud would use to access
your AWS account. If you used this method, you can [create a new
role](https://console.aws.amazon.com/iam/home#policies){: target="_blank"
class="_" }, attach the policy you created for this purpose (see
[https://console.aws.amazon.com/iam/home#policies](https://console.aws.amazon.com/iam/home#policies){:
target="_blank" class="_" }), unlink your AWS credentials, and relink them using
the new ARN method. You can then delete the `dockercloud-user` on AWS.
## How to create the link
## Create a dockercloud-policy
For instructions on how to link your Microsoft Azure account to Docker Cloud,
see [the AWS instructions that enable swarm
mode](/docker-cloud/cloud-swarm/link-aws-swarm.md).
Create an access control policy that will grant specific privileges to Docker Cloud so it can provision EC2 resources on your behalf. 
1. Go to the AWS IAM panel at [https://console.aws.amazon.com/iam/home#policies](https://console.aws.amazon.com/iam/home#policies){: target="_blank" class="_"} .
2. Click **Create Policy**.
3. On the next screen click **Create Your Own Policy**.
4. Name the policy `dockercloud-policy` and paste the following text in the space provided for **Policy Document**.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*",
"iam:ListInstanceProfiles"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
To limit the user to a specific region, use the [policy below](link-aws.md#limit-dockercloud-policy-to-a-specific-ec2-region) instead.
`ec2:*` allows the user to perform any operation in EC2.
`iam:ListInstanceProfiles` allows the user to retrieve instance profiles to apply to your nodes.
> **Note**: You cannot use an instance profile that has more permissions than the IAM user you are using with Docker Cloud. If you do that, you will get an "unauthorized operation" error. You can fix this issue by adding the `"Action":"iam:PassRole"` permission to the policy for the service user. You can read more about this [here](http://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission){: target="_blank" class="_"}.
6. Click **Validate Policy**.
7. If the validation succeeds, click **Create Policy**.
### Limit dockercloud-policy to a specific EC2 region
You can use the following `dockercloud-policy` to limit Docker Cloud to a specific EC2 region. Replace the example region `us-west-2` US West (Oregon) with the region you want.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Region": "us-west-2"
}
}
},
{
"Action": [
"iam:ListInstanceProfiles"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
## Create a dockercloud-role role
1. Go to the AWS IAM Role creation panel at <a href="https://console.aws.amazon.com/iam/home#roles">https://console.aws.amazon.com/iam/home#roles</a> Click **Create new role**.
2. Select **Role for cross-account access**, and in the submenu that opens select **Provide access between your AWS account and a 3rd party AWS account**.
![](images/aws-iam-role-1.png)
3. In the **Account ID** field, enter the ID for the Docker Cloud service: `689684103426`.
4. In the **External ID** field, enter your Docker Cloud username.
This might be your Docker ID username, or if you are using Organizations in Docker Cloud enter the organization name.
5. Leave **Require MFA** unchecked. Click **Next Step**.
6. On the next screen, select the `dockercloud-policy` you created to attach to the role. Click **Next Step**.
7. Give the new role a name, such as `dockercloud-role`.
> **Note**: You must use one role per Docker Cloud account namespace, so if you will be using nodes from a single AWS account for multiple Docker Cloud accounts, you should add an identifying the namespace to the end of the name. For example, you might have `dockercloud-role-docker` and `dockercloud-role-teamawesome`.
8. Click **Create Role**.
AWS IAM creates the new role and returns you to the **Roles** list.
9. Click into the new role to view details, and copy the full **Role ARN** string.
The ARN string should look something like
`arn:aws:iam::123456789123:role/dockercloud-role`. You'll use the
ARN in the next step. If you forget to copy the ARN here, view the
Role in IAM to see its related information including the ARN.
![](images/aws-iam-role-2.png)
## Add AWS account credentials
Once you've created a `dockercloud-policy`, attached it to a `dockercloud-role`,
and have the role's Role ARN, go back to Docker Cloud to connect the account.
1. In Docker Cloud, click **Cloud settings** at the lower left.
2. In the Cloud Providers section, click the plug icon next to Amazon Web Services.
![](images/aws-link-account.png)
3. Enter the full `Role ARN` for the role you just created.
![](images/aws-modal.png)
4. Click **Save**.
> Note: The procedure for linking these accounts is the same, regardless
of whether you are using Docker Cloud in
[Swarm Mode](/docker-cloud/index.md) or not. If you are
using standard mode, come back to these topics after you have linked
your AWS account.
## What's next?
You're ready to start using AWS as the infrastructure provider
for Docker Cloud! If you came here from the tutorial, [continue the tutorial and deploy your first node](../getting-started/your_first_node.md).
You're ready to start using AWS as the infrastructure provider for Docker Cloud!
If you came here from the tutorial, [continue the tutorial and deploy your first
node](/docker-cloud/getting-started/your_first_node.md).
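Review bot: copy-paste error under `## How to create the link`: the replacement text says "For instructions on how to link your Microsoft Azure account to Docker Cloud, see [the AWS instructions that enable swarm mode]", but this is the AWS topic, so it should read "Amazon Web Services account" (the sentence appears to have been lifted from link-azure.md). A second point on what this hunk removes: the deleted steps were the only place this page explained the IAM trust setup, in particular setting the **External ID** to the Docker Cloud username for the cross-account role, the region-restricted `dockercloud-policy` variant, and the `iam:PassRole` note for instance profiles. Since the new "Legacy instructions" callout sends readers to `/docker-cloud/cloud-swarm/link-aws-swarm.md`, please confirm that page carries the External ID and least-privilege policy guidance, otherwise readers following the link lose the security-relevant parts of the procedure. Minor: the "What's next?" paragraph is unchanged in wording and only switches the relative link `../getting-started/your_first_node.md` to the absolute `/docker-cloud/getting-started/your_first_node.md`; that is consistent with the other absolute links added in this commit.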

View File

@ -5,13 +5,8 @@ redirect_from:
- /docker-cloud/getting-started/beginner/link-azure/
- /docker-cloud/getting-started/link-azure/
title: Link a Microsoft Azure account
notoc: true
---
> **Legacy instructions**:
>
> This topic has been superseded by [the Azure instructions that enable swarm mode](/docker-cloud/cloud-swarm/link-azure-swarm.md).
You can link your Microsoft Azure account to your Docker Cloud account to deploy
**nodes** and **node clusters** using Docker Cloud's Dashboard, API, or CLI. You
must link your Azure account so that Docker Cloud can interact with Azure on
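Review bot: the intro retained below the new "Legacy instructions" callout still tells the reader to link Azure "to deploy **nodes** and **node clusters** using Docker Cloud's Dashboard, API, or CLI", while the matching AWS hunk in this commit rewrote its intro to "Docker Cloud can provision and manage swarms on your behalf". The two superseded pages should describe the same thing; suggest aligning this paragraph with the AWS wording. Also, `notoc: true` is dropped from the front matter here (as in the infrastructure overview hunk); with the body reduced to a callout and two short sections that is harmless, but worth confirming it was intentional rather than a side effect of the edit.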
@ -19,44 +14,19 @@ your behalf to create and manage your **nodes** (virtual machines).
## How to create the link
Navigate to **Account info \> Cloud Providers**. You'll see a list of all the
providers that you can link to Docker Cloud. Click **Add credentials** next to
Microsoft Azure:
For instructions on how to link your Microsoft Azure account to Docker Cloud,
see [the Azure instructions that enable swarm
mode](/docker-cloud/cloud-swarm/link-azure-swarm.md).
![](images/azure-link-account.png)
You'll see the following screen:
![](images/azure-link-modal.png)
First, click **Download management certificate** to download the public
certificate generated for your Docker Cloud account.
Then, in another tab go to the Azure Portal at
[https://manage.windowsazure.com/](https://manage.windowsazure.com/).
> **Note**: At this time, you must use the old Azure portal to upload management certificates.
Scroll to the bottom of the left navigation bar and click **Settings**. In the
page that loads, click the **Management certificates** tab, then click
**Upload** near the bottom of the screen:
![](images/azure-portal-subscriptions.png)
Still in Azure, in the **Upload a management certificate** dialog, select the
certificate you downloaded from Docker Cloud in the **File** field, and choose
the subscription you want to use with Docker Cloud:
![](images/azure-upload-certificate.png)
Once uploaded, copy the **subscription ID** (which looks like
`aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`).
Go back to Docker Cloud and enter the subscription ID in the **Azure
credentials** dialog, and click **Save credentials**.
> Note: The procedure for linking these accounts is the same, regardless
of whether you are using Docker Cloud in
[Swarm Mode](/docker-cloud/index.md) or not. If you are
using standard mode, come back to these topics after you have linked
your Microsoft Azure account.
## What's next?
You're ready to start using Microsoft Azure as the infrastructure provider for
Docker Cloud! If you came here from the tutorial, click here to [continue the
tutorial and deploy your first node](../getting-started/your_first_node.md).
tutorial and deploy your first
node](/docker-cloud/getting-started/your_first_node.md).
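Review bot: in the "What's next?" replacement, the sentence still begins "click here to [continue the tutorial and deploy your first node]"; since only the link path changed (relative `../getting-started/your_first_node.md` to absolute `/docker-cloud/getting-started/your_first_node.md`), this is a good moment to drop "click here to" and let the link text stand on its own, matching the AWS page's "If you came here from the tutorial, [continue the tutorial and deploy your first node]". On the removed procedure: the deleted text included the note that management certificates must be uploaded through the old Azure portal at `https://manage.windowsazure.com/` and the step of copying the subscription ID; the new section is a bare pointer to `link-azure-swarm.md`, so please verify that the swarm-mode topic covers the certificate download and upload flow before this page is merged, since readers of the legacy callout will land there.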