AWS: Installation Requirements

What You Need

  • Access Key and Secret or alternatively a temporary Access Key, Secret, and Session Token
  • Region and Availability Zone to use
  • Tectonic License and Pull Secret
  • SSH Key pair in that region
  • KMS Key in that region or access rights for Tectonic to generate one
  • A Public Route53 Hosted Zone identifier. Public Route53 DNS resolution is a requirement for controller-worker TLS communication. Choose a domain or subdomain and configure it for name service at Route53. Tectonic will create 2 subdomains in this Hosted Zone during provisioning.
  • A current version of the Google Chrome or Mozilla Firefox web browser to run Tectonic Installer.


The AWS credentials you provide require access to the following AWS services:

  • CloudFormation
  • ELB
  • EC2
  • KMS
  • Route53
  • S3
  • Security Groups
  • VPC

An importable AWS policy containing the minimum privileges needed to run the Tectonic installer can be found here.

Temporary Credentials

The following steps demonstrate how to generate and use temporary AWS credentials in conjunction with the Tectonic Installer:

  1. Ensure the AWS CLI tool is installed by following the instructions in the AWS CLI documentation. On Fedora, this can be done with dnf install:

     $ sudo dnf install awscli
  2. Ensure the AWS CLI is configured to use your access key ID and secret access key:

     $ aws configure
  3. Create a tectonic-installer role in AWS with the trust policy detailed here. The trust relationship policy grants an entity permission to assume the role.

     $ aws iam create-role --role-name tectonic-installer --assume-role-policy-document file://Documentation/files/aws-sts-trust-policy.json
  4. Add an inline AWS policy document to the tectonic-installer role containing the minimum privileges needed to run the Tectonic installer. The policy is available here.

     $ aws iam put-role-policy --role-name tectonic-installer --policy-name TectonicInstallerPolicy --policy-document file://Documentation/files/aws-policy.json
  5. Add your user's ARN, found on the IAM user detail page, to the trusted entities for the tectonic-installer role. To do so, click on the Trust Relationships tab and then on the Edit Trust Relationship button to bring up the trusted entities JSON editor. You'll then need to add a new section for your user's ARN.

    The example Trust Relationship below has been edited to add the ARN of a user named tectonic:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "Service": "ec2.amazonaws.com",
             "AWS": "arn:aws:iam::477645798577:user/tectonic"
           },
           "Action": "sts:AssumeRole"
         }
       ]
     }
  6. Assume the tectonic-installer role with your AWS user using the AWS CLI tool as follows:

     $ aws sts assume-role --role-arn=<TECTONIC_INSTALLER_ROLE_ARN> --role-session-name=<DESIRED_USER_NAME>

    The returned response will look like:

     {
         "Credentials": {
             "SecretAccessKey": "<SECRET_ACCESS_KEY>",
             "AccessKeyId": "<ACCESS_KEY_ID>",
             "Expiration": "2016-12-14T02:21:37Z",
             "SessionToken": "<SESSION_TOKEN>"
         }
     }

    Use the SECRET_ACCESS_KEY, ACCESS_KEY_ID, and SESSION_TOKEN to authenticate in the installer.
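
Before assuming the role, it is worth confirming that the hand-edited trust relationship from step 5 trusts only the principals you intend. The following is an added example, not part of the Tectonic documentation or tooling; the function names and the `expected` mapping are hypothetical, and the policy is a constructed copy of the one shown in step 5.

```python
import json

# Constructed sample: the edited trust relationship shown in step 5.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "ec2.amazonaws.com",
      "AWS": "arn:aws:iam::477645798577:user/tectonic"
    },
    "Action": "sts:AssumeRole"
  }]
}
""")


def as_list(value):  # IAM policy fields may hold one value or a list
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected):
    """List every way the policy trusts a principal outside `expected`.
    `expected` maps a principal type ("AWS", "Service") to the set of
    identifiers the operator intends to let assume the role.
    """
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen trust
        if "NotPrincipal" in stmt:
            findings.append(f"statement {n}: Allow with NotPrincipal")
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"*": "*"}  # bare wildcard form
        for ptype, values in principal.items():
            for value in as_list(values):
                if value == "*":
                    findings.append(f"statement {n}: wildcard {ptype} principal")
                elif value not in expected.get(ptype, set()):
                    findings.append(f"statement {n}: unexpected {ptype} principal {value}")
    return findings


if __name__ == "__main__":
    intended = {"AWS": {"arn:aws:iam::477645798577:user/tectonic"}}
    print("\n".join(audit_trust_policy(TRUST_POLICY, intended)))
```

Run against the sample with only the tectonic user listed as intended, the audit reports the ec2.amazonaws.com service principal, which the example policy also trusts; add it to `expected` if that trust is deliberate.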


The final step of the Tectonic install requires an SSH key, and access to *nix utilities like ssh and scp. Setting up a new key on AWS should take less than 5 minutes.

  1. Sign in using your IAM user or temporary credentials. You can find the login URL by visiting the IAM page in the EC2 console.

  2. Once signed in, navigate to the EC2 area and select the Region you want to install Tectonic on. You can change regions using the drop-down in the top right of the nav.

  3. On the left navigation under Network & Security, select Key Pairs.

  4. Here you'll be able to create and download a key. Use the "Create Key Pair" button to do so. Be sure to pick a descriptive name, like iam-account-key-for-_region-name_.

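  5. Once downloaded, place the private SSH key in your ~/.ssh/ or equivalent directory. You'll also need to restrict the key file's permissions so that only your user can read it (e.g. chmod 400 your-key-pair.pem); ssh refuses to use a private key that other users can read.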

If you'd prefer to generate and import your own key, this GitHub doc offers good instructions for most major platforms.

For additional information about AWS and SSH keys consult the official AWS guide.


To provide access to the cluster, two ELB-backed services are exposed. Both are accessible over the standard TLS port (443).

Install Tectonic

With temporary credentials and an SSH key, you'll be ready to install Tectonic. Head over to the install doc to get started.

Using an existing VPC

During a normal Tectonic install, a new AWS Virtual Private Cloud (VPC) is created and configured. Advanced users can choose to use an existing VPC instead. This VPC must have an internet gateway. Tectonic installer will not create an internet gateway for an existing VPC.

The selected VPC must have the CIDR The installer will not create this IP block. The installer will create new network routes, subnets, and a NAT gateway in an existing VPC, after checking that their configurations don't conflict with existing ranges within