
2.1 Set Up Access

Configure the accounts, credentials, and access controls needed before provisioning infrastructure.

AWS Account Requirements

You need an AWS account with permissions to create the following resource types:

  • EC2: instances, security groups, EBS volumes, AMIs, snapshots, Elastic IPs
  • VPC: VPCs, subnets, internet gateways, NAT gateways, route tables
  • ELB: Network Load Balancers, target groups, listeners
  • IAM: roles, instance profiles, policies
  • S3: buckets (for Talos AMI pipeline)

IAM Configuration

The Formae project creates an IAM role and instance profile for the Talos EC2 nodes. This is defined in modules/iam.pkl:

  • Role name: Configurable via roleName in vars.pkl (default: talos-node-role)
  • Trust policy: Allows ec2.amazonaws.com to assume the role
  • Instance profile: <roleName>-profile, attached to all EC2 instances
  • SSM policy (optional): When enableSsm = true, the AmazonSSMManagedInstanceCore managed policy is attached

Note

Talos Linux ships no SSH server; nodes are managed with talosctl over the Talos API (port 50000). SSM is therefore generally not needed and is disabled by default.

Admin Access Control

External access to the Kubernetes API (port 6443) and Talos API (port 50000) is controlled by allowedAdminCidr in vars.pkl:

  • null (default) — only VPC-internal access is permitted
  • Specific CIDR (e.g. "196.45.28.20/32") — restricts external access to a specific IP or range

When set, additional security group ingress rules are created on the control plane security group to allow traffic from the specified CIDR to ports 6443 and 50000. Keep the range as narrow as possible (ideally a single /32); a value of "0.0.0.0/0" exposes both the Kubernetes API and the Talos API to the whole internet.

// In vars.pkl or envs/<environment>.pkl
// Replace with your public IP: curl -s ifconfig.me
allowedAdminCidr = "196.45.28.20/32"
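After provisioning, a practitioner will want to confirm that the control plane security group really exposes 6443 and 50000 only to the VPC and to the configured allowedAdminCidr. The following Python is an added example and not part of the Formae project: it validates a candidate allowedAdminCidr value and audits a security-group record in the shape returned by aws ec2 describe-security-groups. The sample group, its IDs, the VPC CIDR 10.0.0.0/16 and the /24 (IPv4) and /64 (IPv6) breadth thresholds are constructed assumptions for illustration; feeding it real output from boto3 or the CLI is left to the reader.

```python
"""Audit control-plane ingress for the Kubernetes (6443) and Talos (50000) APIs.

Added example, not the project's own code. Runs offline on a constructed
security-group record shaped like `aws ec2 describe-security-groups` output.
"""
import ipaddress

# Ports that allowedAdminCidr opens on the control plane security group.
ADMIN_PORTS = {6443: "Kubernetes API", 50000: "Talos API"}

# Hypothetical policy for this example: refuse admin ranges wider than a
# /24 (IPv4) or /64 (IPv6).
MIN_PREFIXLEN = {4: 24, 6: 64}


def validate_admin_cidr(cidr):
    """Parse allowedAdminCidr, raising ValueError when it is too broad.

    strict=True makes ipaddress reject host bits set in the network part, so a
    typo such as "196.45.28.20/24" is caught instead of silently widened.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        raise ValueError(f"{cidr} is too broad for admin access (/{net.prefixlen})")
    return net


def is_acceptable_admin_cidr(cidr):
    """Boolean wrapper around validate_admin_cidr for quick checks."""
    try:
        validate_admin_cidr(cidr)
        return True
    except ValueError:
        return False


def rule_covers_port(rule, port):
    """True when an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_admin_ingress(security_group, allowed_cidr=None, vpc_cidr="10.0.0.0/16"):
    """Return {port: [finding, ...]} for 6443/50000 sources outside the policy.

    Accepted sources are the VPC itself, other security groups (UserIdGroupPairs
    carry no CIDR and are skipped), and the exact allowedAdminCidr network when
    one is configured. An empty dict means the group matches the documented
    behaviour (null -> VPC-internal only; CIDR -> VPC plus that CIDR).
    """
    vpc_net = ipaddress.ip_network(vpc_cidr)
    expected = {validate_admin_cidr(allowed_cidr)} if allowed_cidr else set()
    findings = {}
    for port, name in ADMIN_PORTS.items():
        for rule in security_group.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in ranges:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    msg = f"{name} ({port}) open to the world via {cidr}"
                elif net in expected:
                    continue
                elif net.version == vpc_net.version and net.subnet_of(vpc_net):
                    continue
                else:
                    msg = f"{name} ({port}) reachable from unexpected CIDR {cidr}"
                findings.setdefault(port, []).append(msg)
    return findings


# Constructed sample (IDs are made up). The second 50000 rule is the kind of
# misconfiguration the audit should catch.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "196.45.28.20/32"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 50000, "ToPort": 50000,
         "IpRanges": [{"CidrIp": "196.45.28.20/32"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 50000, "ToPort": 50000,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}

if __name__ == "__main__":
    for port, msgs in audit_admin_ingress(SAMPLE_SG, "196.45.28.20/32").items():
        for msg in msgs:
            print(f"[{port}] {msg}")
```

Run with allowed_cidr=None to check a deployment that left allowedAdminCidr at its default: any non-VPC source on either port is then reported, which is exactly what the null setting promises should not exist.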

AWS CLI Profile

Configure the AWS CLI profile that Formae will use for authentication:

aws configure --profile <your-profile>

Then set it in your environment config:

// In envs/<environment>.pkl
awsProfile = "<your-profile>"

When awsProfile is null, Formae falls back to the standard AWS credential chain: environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, plus AWS_SESSION_TOKEN for temporary credentials) or the instance role when running on EC2.

Bootstrap IAM (AMI Pipeline)

The bootstrap.pkl forma creates an additional IAM role specifically for the Talos AMI build pipeline:

  • Role name: vmimport
  • Trust policy: Allows vmie.amazonaws.com (EC2 VM Import/Export service) to assume the role
  • Permissions:
    • S3: GetBucketLocation, GetObject, ListBucket on the Talos image bucket
    • EC2: ModifySnapshotAttribute, CopySnapshot, RegisterImage, Describe*

This role is required by aws ec2 import-snapshot to convert uploaded disk images into EBS snapshots.
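As a concrete reference for the role described above, the following Python renders the vmimport trust and permissions documents and lints them for least-privilege shape (service principal pinned to vmie.amazonaws.com, S3 actions scoped to the image bucket, no wildcard or identity actions). This is an added example, not the project's bootstrap.pkl; the bucket name is a placeholder. The sts:ExternalId condition on the trust policy is the one AWS's VM Import/Export documentation prescribes for the vmimport role and goes beyond what the page lists; the EC2 statement keeps Resource "*" as AWS's reference vmimport policy does.

```python
"""Render and lint the vmimport IAM role documents.

Added example, not the project's own code. Bucket name is a placeholder.
"""
import json

VMIMPORT_S3_ACTIONS = ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"]
VMIMPORT_EC2_ACTIONS = ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                        "ec2:RegisterImage", "ec2:Describe*"]


def vmimport_trust_policy():
    """Trust policy: only the VM Import/Export service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "vmie.amazonaws.com"},
            "Action": "sts:AssumeRole",
            # ExternalId pins assumption to the vmimport flow (AWS VM
            # Import/Export docs; not listed on this page).
            "Condition": {"StringEquals": {"sts:ExternalId": "vmimport"}},
        }],
    }


def vmimport_permissions_policy(bucket):
    """Permissions policy: read the image bucket, register snapshots/AMIs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": VMIMPORT_S3_ACTIONS,
             "Resource": [bucket_arn, f"{bucket_arn}/*"]},
            # Snapshot/AMI actions are not bucket-scoped; "*" matches AWS's
            # reference vmimport policy.
            {"Effect": "Allow", "Action": VMIMPORT_EC2_ACTIONS, "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_vmimport(trust, perms, bucket):
    """Return a list of findings; an empty list means the documents are tight."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
        if services != ["vmie.amazonaws.com"]:
            findings.append(f"trust policy allows unexpected principal(s): {services}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != "vmimport":
            findings.append("trust policy lacks the sts:ExternalId=vmimport condition")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for st in perms.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a in ("*", "s3:*", "ec2:*", "iam:*") for a in actions):
            findings.append(f"over-broad action(s): {actions}")
        s3_actions = [a for a in actions if a.lower().startswith("s3:")]
        if s3_actions and any(not r.startswith(bucket_arn) for r in resources):
            findings.append(f"S3 actions {s3_actions} not scoped to {bucket_arn}: {resources}")
        if any(a.lower().startswith(("iam:", "sts:")) for a in actions):
            findings.append(f"permission policy grants identity actions: {actions}")
    return findings


# Constructed misconfigurations for comparison (not from the project).
LOOSE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": VMIMPORT_S3_ACTIONS, "Resource": "*"}],
}
EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "ec2.amazonaws.com"}}],
}

if __name__ == "__main__":
    bucket = "talos-images-example"  # placeholder bucket name
    print(json.dumps(vmimport_trust_policy(), indent=2))
    print(json.dumps(vmimport_permissions_policy(bucket), indent=2))
    print(lint_vmimport(vmimport_trust_policy(), vmimport_permissions_policy(bucket), bucket))
```

The printed documents can be passed to aws iam create-role --assume-role-policy-document and aws iam put-role-policy --policy-document; re-run the linter over aws iam get-role and get-role-policy output after an apply to confirm nothing drifted.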