My Cloud Integrations

Guide on Integrating Your Cloud Provider

GCP

To integrate your GCP account with Tune Studio, follow these steps:

Make sure compute engine API is enabled

Before proceeding, visit the Compute Engine page on the GCP Console. If prompted, enable the Compute Engine API. If you’re not prompted, the API is already enabled.

Create a Service Account

Create a service account on GCP by following the guide on creating a service account, click on “Create and Continue”. You can also assign the basic editor role to this service account during creation.

Give Basic Editor Permissions

If you’ve already assigned basic editor permissions to the service account, skip this step. Otherwise, assign the basic editor permissions to this principal. Alternatively, you can create a role with granular permissions by following the Granular Permissions with Roles guide and assign the role to the service account.

Create a Key

Create a key for the service account by going to the service account page, selecting the principal, and clicking on the “Create key” button.

Connect to GCP

Go to the Integrations Tab on Studio, connect to GCP, and paste the contents of the key JSON file.

Granular Permissions with roles

This section is recommended if you want to create a granular role for the service account but not necessary for basic integration.

Copy the contents of the yaml file below and create a yaml file you can use to create a new role.

title: "Tune studio role"
description: "Permissions to use Tune studio My cloud feature"
stage: "ALPHA"
includedPermissions:
  - compute.disks.create
  - compute.disks.get
  - compute.disks.use
  - compute.firewalls.create
  - compute.firewalls.get
  - compute.globalOperations.get
  - compute.images.useReadOnly
  - compute.instances.create
  - compute.instances.delete
  - compute.instances.get
  - compute.instances.setMetadata
  - compute.instances.setServiceAccount
  - compute.instances.setTags
  - compute.instances.start
  - compute.instances.stop
  - compute.networks.create
  - compute.networks.get
  - compute.networks.updatePolicy
  - compute.subnetworks.use
  - compute.subnetworks.useExternalIp
  - compute.zoneOperations.get
  - compute.zones.get
  - iam.serviceAccountKeys.get
  - iam.serviceAccounts.actAs
  - resourcemanager.projects.get

After creating the yaml file create a new role using the following command and assign it to the service account.

gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=YAML_FILE_PATH

Feel free to follow along the GCP guide to create a custom role if you don’t have gcloud available.

AWS

To integrate your AWS account with Tune Studio, follow these steps:

Create a Policy

Navigate to the IAM service in the AWS console, click on “Policies,” and then “Create policy.” In the policy editor, select JSON and use the policy provided below.

Click “Next” and give the policy a name (e.g., “tune-studio-policy”). Then, click “Create policy.”

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:AttachInternetGateway",
                "ec2:ReplaceRoute",
                "ec2:AssociateRouteTable",
                "ec2:DeleteRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:StartInstances",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ModifyAddressAttribute",
                "ec2:CreateTags",
                "ec2:CreateRouteTable",
                "ec2:RunInstances",
                "ec2:ModifySecurityGroupRules",
                "ssm:GetParameters",
                "ec2:DetachInternetGateway",
                "ec2:StopInstances",
                "ec2:DisassociateRouteTable",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:AssociateAddress",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:DisassociateAddress",
                "ec2:DescribeAddresses",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:DescribeAddressesAttribute",
                "ec2:DescribeVpcAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:AssociateNatGatewayAddress",
                "ec2:TerminateInstances",
                "ec2:ResetAddressAttribute",
                "ec2:DeleteRoute",
                "ec2:DescribeNatGateways",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:DisassociateNatGatewayAddress",
                "ec2:DescribeVpcs",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeTags",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstanceStatus",
                "ec2:ModifyInstanceAttribute",
                "ec2:AuthorizeSecurityGroupEgress"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

Create a User

In the same IAM dashboard, click on “Users” and then “Create user.” Give the user a name and click “Next.”

Select “Attach policies directly” and attach the policy you created earlier. Click “Next” and then “Create user.”

Create Access Key

After creating the user, click on the user in the Users section and go to the “Security credentials” tab. Click on “Create access key” by scrolling down.

Select the “Other” option and click “Next.”

Add a description (optional) and click “Create access key.” You will see the Access Key and Secret Access Key; copy them to a safe location.

Connect to AWS

Go to the Integrations Tab on Studio, connect to AWS, and paste the Access Key and Secret Access Key. You will also have the option to select a region where you want to create an instance (this step creates VPCs in those regions, so you don’t have to wait when creating a resource).

Getting Started

Concepts

Miscellaneous

Guide on Integrating Your Cloud Provider

GCP

Granular Permissions with roles

AWS

Getting Started

Concepts

Miscellaneous

​Guide on Integrating Your Cloud Provider

​GCP

​Granular Permissions with roles

​AWS

Guide on Integrating Your Cloud Provider

GCP

Granular Permissions with roles

AWS