astroctl cloud aws selfHosted connect

Store your own AWS credentials in the platform vault

Synopsis

Store your own pre-existing AWS credentials in the platform's encrypted vault.

Use this when you bring your own IAM user credentials (BYOC) instead of using 'setup', which creates everything automatically.

This command:

  1. Validates credentials (STS GetCallerIdentity)
  2. Checks S3 state store bucket accessibility
  3. Validates IAM roles (service-linked roles)
  4. Stores long-lived IAM user keys in the encrypted vault
  5. Outputs a cluster YAML snippet with credentials.type: vault

Only long-lived IAM user keys are accepted. Temporary credentials (with session tokens) are rejected — use 'setup' to create a dedicated IAM user.

Credentials must be provided explicitly:

  1. --access-key / --secret-key flags (recommended)
  2. --profile flag (reads from ~/.aws/credentials)

Environment variables are NOT used — connect stores credentials in the vault, so you must deliberately provide the IAM user keys created by setup.
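
A pre-flight check to run before `connect --profile`, as an added example that is not part of astroctl or its documentation: it reads a shared credentials file and reports whether a profile holds long-lived IAM user keys or temporary ones. How astroctl itself detects temporary credentials is not stated on this page; the check assumes the usual AWS markers (an `aws_session_token` entry or an `ASIA` key ID), and the function names and sample values are constructed for illustration.

```bash
# Added example, not astroctl code: pre-flight check for `connect --profile`.
# classify_profile FILE PROFILE -> long-lived | temporary | incomplete | missing
classify_profile() {
  awk -v want="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    /^[ \t]*\[.*\][ \t\r]*$/ {                 # section header: [profile-name]
      name = $0; sub(/^[ \t]*\[/, "", name); sub(/\][ \t\r]*$/, "", name)
      active = (trim(name) == want); if (active) found = 1
      next
    }
    active && /^[ \t]*[#;]/ { next }           # comment line
    active && (eq = index($0, "=")) {          # key = value in the wanted profile
      val[tolower(trim(substr($0, 1, eq - 1)))] = trim(substr($0, eq + 1))
    }
    END {
      # Assumption: a session token or an ASIA key ID marks temporary credentials.
      id = val["aws_access_key_id"]
      if (!found) print "missing"
      else if (id == "" || val["aws_secret_access_key"] == "") print "incomplete"
      else if (val["aws_session_token"] != "" || id ~ /^ASIA/) print "temporary"
      else print "long-lived"
    }' "$1"
}

# preflight_profile FILE PROFILE -> exit status 0 only for long-lived IAM user keys
preflight_profile() {
  kind=$(classify_profile "$1" "$2")
  if [ "$kind" = "long-lived" ]; then return 0; fi
  echo "profile '$2': $kind credentials; connect accepts long-lived IAM user keys only" >&2
  return 1
}

# Constructed sample file (placeholder values, not real keys).
write_sample_credentials() {
  cat > "$1" <<'EOF'
[my-iam-user]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder-secret
[sso-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder-secret
aws_session_token = constructed-placeholder-token
[half-filled]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
EOF
}
sample=$(mktemp); write_sample_credentials "$sample"
for p in my-iam-user sso-session half-filled absent; do printf '%-12s %s\n' "$p" "$(classify_profile "$sample" "$p")"; done
rm -f "$sample"
```

Point `preflight_profile` at `~/.aws/credentials` and the profile you intend to pass to `--profile`, and run `connect` only when it returns 0.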

astroctl cloud aws selfHosted connect [flags]

Examples

# Check vault status
astroctl cloud aws selfHosted connect --cluster-name prod

# Bring your own credentials via AWS profile
astroctl cloud aws selfHosted connect --profile my-iam-user --region us-west-2 \
--cluster-name prod

# Bring your own credentials via explicit keys
astroctl cloud aws selfHosted connect --region us-west-2 \
--access-key AKIA... --secret-key ... --cluster-name prod

# Rotate credentials
astroctl cloud aws selfHosted disconnect --cluster-name prod
astroctl cloud aws selfHosted connect --profile new-keys --region us-west-2 \
--cluster-name prod

Options

      --access-key string     AWS access key ID
      --account-id string     AWS account ID (12 digits) — optional, auto-detected from credentials
      --cluster-name string   Cluster name for this connection (required)
  -h, --help                  help for connect
      --profile string        AWS profile name from ~/.aws/credentials
      --region string         AWS region (e.g., us-west-2)
      --secret-key string     AWS secret access key

Options inherited from parent commands

-o, --output string Output format (json|yaml) (default "yaml")

SEE ALSO