Installation configurations

Cloud Console admins can review installation-level configurations from the Configurations tab of the Installations page. The Configurations tab includes the following sections:

  • Secrets: Add and manage secrets that can be referenced in user-defined functions (UDFs).

  • Managed S3 integration: Create an Amazon S3 bucket integration and generate resource policies to complete the connection.

  • Inbound network rules: Manage the IP address access control list (ACL) for incoming traffic.

  • Outbound network rules: View the Instabase-defined static outbound IP addresses for outgoing traffic.

Secrets

The Cloud Console secrets configuration feature lets you add secrets at the Cloud Console level that can then be referenced in the platform using UDFs. Secrets added in Cloud Console are encrypted and stored in AWS Secrets Manager.

Add secrets

To add a secret:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Secrets section, click + New Secret.

  3. In Name, enter the name of the secret. Secret names are case-sensitive and can’t contain spaces or forward slashes (/). You reference this name in UDFs.

  4. In Content, paste the value of the secret.

    Info

    This is the only time when the secret’s value is visible. After being added, the value is encrypted and stored in AWS Secrets Manager and remains hidden in the Cloud Console UI.

  5. In Note, add any comments about the secret. The note is visible to anyone with access to the Cloud Console Configurations tab.

  6. From Deployment, select the deployment in which the secret can be referenced.

    Note

    You can create secrets with the same name that are available to different deployments. This makes it possible to develop in one deployment and promote to the next, without needing to alter any UDFs referencing the secret’s name after promotion.

  7. Click Submit.

The secret is added to the secrets list. It can take up to 10 minutes for the secret to sync and be referenceable in the platform.

Reference a secret

After adding a secret in the Cloud Console secrets manager, you can reference that secret in your UDFs. To reference a secret, include the following in your UDF:

  • Import the get_secret util:

    from instabase.secret_utils.secrets import get_secret

  • Reference the secret by name:

    val, err = get_secret("<SECRET_NAME>")

For example, to reference a secret called uat_deployment:

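from typing import Any
from instabase.provenance.registration import register_fn
from instabase.secret_utils.secrets import get_secret

@register_fn(provenance=False)
def test_fn(*args: Any, **kwargs: Any) -> Any:
    # get_secret returns a (value, error) pair; check the error before using the value.
    val, err = get_secret("uat_deployment")
    if err:
        raise RuntimeError(f"Could not read secret: {err}")
    return val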

Edit secrets

You can edit a secret’s content or note.

Info

Editing a secret doesn’t let you see the secret’s value.

To edit a secret:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Secrets section, locate the secret to edit.

  3. Click the three-dot icon in the secret’s row of the secrets list.

  4. Click Edit.

  5. Make changes as needed.

  6. Click Submit.

Changes can take up to 10 minutes to sync to the platform.

Delete secrets

To delete a secret:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Secrets section, locate the secret to delete.

  3. Click the three-dot icon in the secret’s row of the secrets list.

  4. Click Delete.

  5. Click Confirm.

Managed S3 integration

If you connect an Amazon S3 bucket as external storage for your deployment, a cross-bucket resource policy is required to authorize Instabase to access the resource. You can create your own S3 integration and generate the required IAM resource policy from Cloud Console. If you use a KMS-encrypted bucket, you can also generate a KMS resource policy. Adding an S3 integration lets you access your AWS-managed, restricted S3 bucket from the Instabase platform, without the need for passwords.

Note

Creating an Amazon S3 integration doesn’t connect the S3 bucket as external storage to that deployment; it ensures the Instabase AWS account can access the connected storage. You must still mount the S3 bucket as external storage in the deployment.

Add S3 integrations

To add an S3 integration:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Managed S3 integration section, click + S3 Bucket Integration.

  3. In Bucket Name, enter the name of the S3 bucket to connect to.

  4. From Deployment, select the deployments to which the integration applies.

  5. In S3 Bucket ARN, enter the Amazon Resource Name (ARN) for the bucket.

  6. If using a KMS-encrypted bucket, turn on the KMS Encryption toggle.

    1. In KMS Key ARN, enter the ARN for the KMS key.

  7. (Optional) Add any notes about the integration.

  8. Click Submit. The integration is added and set as Enabled.

Info

Cloud Console doesn’t test an integration when it’s added. The Enabled status of an integration doesn’t indicate that the integration functions on your account’s end, just that it’s enabled on Instabase’s end.

After the S3 integration is created, Cloud Console generates an IAM resource policy (and KMS resource policy, if specified). You must attach the resource policies to your S3 bucket to grant the Instabase AWS account access to the resource.

To attach the IAM resource policy:

  1. Locate the integration in the integrations list.

    Tip

    Integration names are a combination of the S3 bucket name and the name of the deployments the integration applies to.

  2. Under IAM Resource Policy, click View.

  3. Click the Copy icon to copy the displayed policy.

  4. Follow the AWS adding a bucket policy documentation to edit the bucket policy.
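
Before pasting the copied policy into the bucket, it is worth checking what it grants. The following is an added example, not Instabase code or the policy Cloud Console generates: the sample policy, account ID, role name and bucket name are constructed placeholders, and `expected_account_id` is assumed to be the Instabase AWS account ID you have confirmed separately.

```python
import json

# Constructed sample policy. The real text comes from the Cloud Console View dialog;
# the account ID, role name and bucket name here are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"},
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def review_bucket_policy(policy_text, bucket_arn, expected_account_id):
    """Return findings for Allow statements; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_text).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not arns:
            findings.append(f"statement {i}: no AWS principal to verify")
        for arn in arns:
            # A principal is either "*", a bare account ID, or an IAM ARN.
            parts = arn.split(":")
            account = parts[4] if arn.startswith("arn:") and len(parts) > 4 else arn
            if account != expected_account_id:
                findings.append(f"statement {i}: unexpected principal {arn}")
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "s3:*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource outside bucket: {res}")
    return findings

if __name__ == "__main__":
    for finding in review_bucket_policy(
            SAMPLE_POLICY, "arn:aws:s3:::example-bucket", "111122223333"):
        print(finding)
```
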

To attach the KMS resource policy:

  1. Locate the integration in the integrations list.

  2. Under KMS Resource Policy, click View.

  3. Click the Copy icon to copy the displayed policy.

  4. Follow the AWS Key Management Service cross account access documentation to edit the key policy.

Disable and delete S3 integrations

When you create an integration, it’s enabled by default. You can disable an integration to rescind the Instabase AWS account’s access to a resource without deleting the integration.

To disable an integration:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Managed S3 integration section, locate the integration to disable.

  3. Click the three-dot icon in the integration’s row of the integrations list.

  4. Click Edit.

  5. Turn off the Enable toggle.

  6. Click Submit.

To delete an integration:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Managed S3 integration section, locate the integration to delete.

  3. Click the three-dot icon in the integration’s row of the integrations list.

  4. Click Delete.

  5. Click Confirm.

Inbound network rules

Inbound network rules are used to define an IP address ACL, to allow traffic from other systems to reach your Instabase deployments. All inbound network rules in your installation, whether enabled or disabled, are listed in the inbound network rules table.

If no inbound network rules are listed, all inbound traffic is allowed. Otherwise, if any inbound network rules are listed, the IP address ACL is enforced.

The inbound network rules table includes the following information:

  • Name: The name of the rule.

  • Deployment: The deployments to which the rule applies.

  • IP Address: The allowed IP address or IP address range.

  • Updated: When the rule was last updated.

  • Enabled: Indicates if the rule is enabled (green checkmark).

Tip

You can sort the inbound network rules table by column or use the search bar to search for a specific rule by name, deployment, or IP address.
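
The ACL behavior described above means that adding the first rule switches a deployment from allowing all traffic to allowing only listed ranges. The following added example (not Instabase code) checks a planned rule set against the source addresses that must keep access before the rules are submitted. It assumes the rules passed in are those applying to one deployment and, reading the page literally, that a disabled rule still counts as listed but matches no traffic; rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    ip: str              # single address or CIDR range, as in the IP Address column
    enabled: bool = True

def is_allowed(source_ip, rules):
    """Evaluate one source address against the rules listed for a deployment."""
    if not rules:        # no rules listed: all inbound traffic is allowed
        return True
    addr = ipaddress.ip_address(source_ip)
    # Assumption: only enabled rules match; an IPv4 address never matches an IPv6 range.
    return any(
        r.enabled and addr in ipaddress.ip_network(r.ip, strict=False)
        for r in rules
    )

def uncovered_sources(required_sources, planned_rules):
    """Sources that must keep access but would be blocked once planned_rules are live."""
    return [ip for ip in required_sources if not is_allowed(ip, planned_rules)]

# Constructed sample data (documentation address ranges, hypothetical rule names).
PLANNED = [
    Rule("office-egress", "203.0.113.0/24"),
    Rule("vpn-gateway", "198.51.100.7"),
    Rule("old-datacenter", "192.0.2.0/24", enabled=False),
]
REQUIRED = ["203.0.113.25", "198.51.100.7", "198.51.100.8",
            "192.0.2.40", "2001:db8::10"]

if __name__ == "__main__":
    for ip in uncovered_sources(REQUIRED, PLANNED):
        print(f"would be blocked: {ip}")
```
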

Add inbound network rules

Info

Only Cloud Console admins can add, edit, disable, or delete inbound network rules.

To add an inbound network rule:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Inbound Network Rules section, click + New Rule.

  3. In the Name field, enter a name for the rule.

  4. In the Deployments field, select the deployments to which the rule applies. You can apply a rule to one, several, or all deployments.

  5. (Optional) To add a rule but leave it inactive, turn off the Enabled toggle.

  6. From the IP Address Type field, select an IP address type.

  7. In the IP Address field, enter an IP address, following the format of the selected IP address type.

  8. (Optional) In the Notes field, add any notes about the rule.

  9. Click Submit.

Note

New network rules can take up to a few minutes to go into effect. If you encounter a longer delay, contact Instabase support.

Edit inbound network rules

Info

Only Cloud Console admins can add, edit, disable, or delete inbound network rules.

To edit an inbound network rule:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Inbound Network Rules section, locate the rule to edit in the inbound network rules table.

  3. Click the three-dot icon, then select Edit.

  4. Edit the rule’s settings or notes as needed.

  5. Click Submit.

Note

Changes to network rules can take up to a few minutes to go into effect. If you encounter a longer delay, contact Instabase support.

Disable and delete inbound network rules

Info

Only Cloud Console admins can add, edit, disable, or delete inbound network rules.

To disable an inbound network rule:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Inbound Network Rules section, locate the rule to disable in the inbound network rules table.

  3. Click the three-dot icon, then select Edit.

  4. Turn off the Enabled toggle.

  5. Click Submit. The rule’s status icon changes from green to gray.

To delete an inbound network rule:

  1. On the Cloud Console Installations page, select the Configurations tab.

  2. In the Inbound Network Rules section, locate the rule to delete in the inbound network rules table.

  3. Click the three-dot icon, then select Delete.

  4. In the confirmation dialog, click Confirm.

Note

Changes to network rules can take up to a few minutes to go into effect. If you encounter a longer delay, contact Instabase support.

Outbound network rules

The Outbound network rules section lists all Instabase-defined static outbound IP addresses. Outbound network rules can’t be modified and are provided for reference, such as when defining access control lists for resources and integrations that receive incoming traffic from Instabase.

Note

While outbound IP addresses are static, they might rotate. If rotated, you might need to update the access control list for any resource or integration that receives incoming traffic from Instabase.