Organizations can integrate with cloud services as part of the ArcGIS Enterprise on Kubernetes architecture. Benefits include increased reliability and resilience, decreased operational costs and cluster resource requirements, and easier administration and management of the associated workloads compared to system managed options.
Starting at the 11.2 release, ArcGIS Enterprise on Kubernetes organizations can add cloud services when configuring a new organization and during backup store registration. The following cloud storage services can be used for the organization's object store or backup store location:
- Amazon Simple Storage Service (S3)
- Azure Blob
- Google Cloud Storage
An ArcGIS Enterprise on Kubernetes organization accesses different endpoints for various purposes. The cloud object store is used for purposes outlined in System architecture and replaces the system managed object store StatefulSet. The cloud service object is then used to connect to the external object store when required by workloads within the cluster. Similarly, the cloud backup store uses a cloud service object to create and restore backups to the organization.
The following sections explain how cloud providers and services are structured within the Admin API and how updating credentials is handled.
Cloud provider vs. cloud service
A cloud provider is the parent object that can contain several associated cloud services. The providers currently supported by ArcGIS Enterprise on Kubernetes are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). A single cloud provider can have multiple cloud services as child objects.
If you set the object store to use a cloud provider when configuring an organization, the associated credential type and keys are appended to the provider-level resource. This allows a single credential to be used for numerous cloud services.
If a cloud service does not have specific credentials, it defaults to the provider-level credentials.
Updating credentials
When updating credentials at the cloud service level, only that service will be affected. When updating credentials at a cloud provider level, all services that depend on that credential will be updated accordingly. A notification will appear in ArcGIS Enterprise Manager to indicate that the global, provider-level credential is being updated. This will cause a refresh of dependent cloud services to use the updated credentials.
The credential authentication type can also be updated from access key or storage account key to IAM role or managed identity, respectively. This allows for flexibility in the method by which the application authenticates with the configured cloud services.
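The fallback and update behavior described above can be modeled to see which services a provider-level credential change reaches and which services still rely on long-lived keys. This is an added example, not Esri code and not the Admin API schema; all class, field, and credential names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Conceptual model only: names are hypothetical, not the Admin API schema.
STATIC_KEY_TYPES = {"access-key", "storage-account-key"}  # constructed labels

@dataclass
class Credential:
    auth_type: str  # "access-key", "storage-account-key", "iam-role", "managed-identity"
    label: str      # constructed identifier, never a real secret

@dataclass
class CloudService:
    name: str
    credential: Optional[Credential] = None  # None means: inherit from the provider

@dataclass
class CloudProvider:
    name: str
    credential: Optional[Credential] = None
    services: List[CloudService] = field(default_factory=list)

    def effective_credential(self, service):
        """A service-level credential wins; otherwise the provider-level one applies."""
        return service.credential or self.credential

    def dependents(self):
        """Services that inherit, and so are refreshed by a provider-level update."""
        return [s.name for s in self.services if s.credential is None]

    def update_provider_credential(self, new):
        """Replace the provider-level credential; return the services it reaches."""
        self.credential = new
        return self.dependents()

    def services_on_static_keys(self):
        """Services whose effective credential is a key, not a role or managed identity."""
        result = []
        for s in self.services:
            cred = self.effective_credential(s)
            if cred is not None and cred.auth_type in STATIC_KEY_TYPES:
                result.append(s.name)
        return result

def build_sample():
    """Constructed sample: one provider, one inheriting service, one with its own key."""
    return CloudProvider("AWS", Credential("access-key", "provider-key-v1"), [
        CloudService("object-store"),
        CloudService("backup-store", Credential("access-key", "backup-key-v1"))])
```

In the sample, moving the provider-level credential to an IAM role refreshes only the inheriting service; the service with its own access key is untouched and still needs a separate service-level update.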