Connecting your cloud

Before connecting to your cloud,

  • You must set permissions to allow BigAnimal to perform maintenance operations in your cloud.

    • If connecting to AWS: Create a role EDBOperations and set its policy/trust and policy/policy boundaries to * with EDB's AWS account. This allows EDB's IAM users to assume the EDBOperations role in your AWS account.

    • If connecting to Azure: Register an application with Azure AD and create a service principal to delegate Identity and Access Management functions to Azure Active Directory (AD).

      BigAnimal CLI commands used in the procedures for connecting your cloud to BigAnimal automatically sets these permissions for you. For more information, see EDB cloud utilites in GitHub for Azure and AWS.

  • If connecting to an AWS account, ensure that you are assigned the following AWS managed policies (or an equivalent custom policy granting full access to resources):

    • arn:aws:iam::aws:policy/IAMFullAccess

    • arn:aws:iam::aws:policy/ServiceQuotasFullAccess

  • If connecting to an Azure subscription, ensure that in Azure Cloud Shell or AWS Cloud Shell, your environment is running:

    • bash shell version 4.0 or above.

    • jq JSON parser.

    • BigAnimal CLI version 1.4 or later. For detailed steps, see Installing the CLI.

  • Be aware that BigAnimal requires permissions to run Kubernetes cluster services for PostgreSQL workloads and the associated storage services. It requires a set of supporting permissions:

    • Services for monitoring and logging to produce service telemetry information.

    • To set up networking so PostgreSQL workloads are reachable by customer applications and telemetry data is collected.

    • To provision vaults for safe storage of data at rest encryption keys.

    • To create workload identities and manage their permissions.

    • And, a small set of supporting permissions to ensure access to the services above and availability of cloud account information.

    The scope of these permissions are limited to the associated cloud account.

  • Ensure that the BigAnimal login user running the CLI is assigned either the owner or the contributor role.

Perform the following steps:

  1. Open the Azure Cloud Shell or the AWS Cloud Shell in your browser.

  2. Create a BigAnimal CLI credential:

    ./biganimal create-credential --name <cred> --address --port 443
  3. Run the setup-csp command to set up your cloud provider:

    ./biganimal setup-csp 

    Do not delete the ba-passport.json file created in your working directory. It contains important identity and access management information used by connect-csp while connecting to your cloud.


    Your organization might require you to review the scripts that are invoked while setting up your cloud account. To generate the scripts invoked by setup-csp, execute the command without the --run option. You can now review and manually execute ba-csp-preflight and then ba-csp-setup from your working directory.

  4. The command checks for cloud account readiness and displays the results. See Configure your Azure subscription or Configure your AWS account to manually configure your cloud, if the following readiness checks are not met for your cloud service provider:

    • If connecting to Azure:
      • Are the necessary Azure resource providers registered for your subscription?
      • Is there a restriction on SKUs for the standard Esv3 family and standard D2_v4 VM size?
      • Is the limit on the number of vCPU and public IP addresses in your region sufficient for your clusters?
    • If connecting to AWS:
      • Is the AWS CLI configured to access your AWS account?
      • Is the limit on the number of vCPUs and Network Load Balancers (NLBs) in your region sufficient for your clusters?
  5. If the cloud readiness checks pass, your cloud account is successfully set up. Connect your cloud account to BigAnimal with following command.

    ./biganimal connect-csp --provider  <cloud-service-provider>

    Once your cloud account is successfully connected to BigAnimal, you, and other users with the correct permissions, can create clusters.