2.1 Set Up Access

Configure the accounts, credentials, and access controls needed before provisioning infrastructure. Select your deployment model below.

AWS Account Requirements

You need an AWS account with permissions to create the following resource types:

  • EC2: instances, security groups, EBS volumes, AMIs, snapshots, Elastic IPs
  • VPC: VPCs, subnets, internet gateways, NAT gateways, route tables
  • ELB: Network Load Balancers, target groups, listeners
  • IAM: roles, instance profiles, policies
  • S3: buckets (for Talos AMI pipeline)

IAM Configuration

The Terraform project creates an IAM role and instance profile for the Talos EC2 nodes. This is defined in the IAM module at terraform/modules/aws/iam/:

  • Role name: Configurable via role_name variable (default: talos-node-role)
  • Trust policy: Allows ec2.amazonaws.com to assume the role
  • Instance profile: <role_name>-profile, attached to all EC2 instances
  • SSM policy (optional): When enable_ssm = true, the AmazonSSMManagedInstanceCore managed policy is attached
  • CCM policy (optional): When enable_ccm = true, attaches the AWS Cloud Controller Manager policy
  • LB Controller policy (optional): When enable_lb_controller = true, attaches the AWS Load Balancer Controller policy

Note

Talos Linux is managed via talosctl over the Talos API (port 50000), not SSH. SSM is generally not needed and is disabled by default.

Admin Access Control

External access to the Kubernetes API (port 6443) and Talos API (port 50000) is controlled by allowed_admin_cidrs in variables.tf:

  • [] (default) — only VPC-internal access is permitted
  • Specific CIDRs (e.g. ["196.45.28.20/32"]) — restricts external access to specific IPs or ranges

When set, additional security group ingress rules are created on the control plane security group to allow traffic from the specified CIDRs to ports 6443 and 50000.

# In aws.tfvars
# Replace with your public IP: curl -s ifconfig.me
allowed_admin_cidrs = [
  "196.45.28.20/32",
]
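As an added check (not part of the project's Terraform or this page's original text), a shell function that validates allowed_admin_cidrs entries before they go into aws.tfvars: it rejects malformed IPv4 CIDRs, rejects 0.0.0.0/0 because that would open ports 6443 and 50000 to the whole internet, and rejects anything wider than /24, a bound chosen for this example rather than taken from the project.

```shell
#!/bin/sh
# validate_admin_cidr CIDR
# Exit 0 if CIDR is a well-formed IPv4 prefix narrow enough for admin access
# to ports 6443 and 50000; exit 1 with a reason on stderr otherwise.
# The /24 upper bound is this example's assumption, not a project setting.
MAX_ADMIN_PREFIX_WIDTH=24

validate_admin_cidr() {
  cidr=$1
  case "$cidr" in
    */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
    *)   echo "reject $cidr: no prefix length (use /32 for one host)" >&2; return 1 ;;
  esac
  case "$prefix" in
    ''|*[!0-9]*) echo "reject $cidr: prefix is not a number" >&2; return 1 ;;
  esac
  [ "$prefix" -le 32 ] || { echo "reject $cidr: prefix longer than 32" >&2; return 1; }
  # Split the address on dots; IFS=. keeps empty octets so "1..2.3" is caught.
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || { echo "reject $cidr: address needs four octets" >&2; return 1; }
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) echo "reject $cidr: octet '$octet' is not a number" >&2; return 1 ;;
    esac
    [ "$octet" -le 255 ] || { echo "reject $cidr: octet $octet > 255" >&2; return 1; }
  done
  if [ "$ip" = "0.0.0.0" ] && [ "$prefix" -eq 0 ]; then
    echo "reject $cidr: opens the Kubernetes and Talos APIs to the internet" >&2; return 1
  fi
  if [ "$prefix" -lt "$MAX_ADMIN_PREFIX_WIDTH" ]; then
    echo "reject $cidr: wider than /$MAX_ADMIN_PREFIX_WIDTH" >&2; return 1
  fi
  return 0
}

# validate_admin_cidrs CIDR...: check a whole list, report every bad entry,
# exit non-zero if any entry was rejected.
validate_admin_cidrs() {
  bad=0
  for c in "$@"; do validate_admin_cidr "$c" || bad=$((bad + 1)); done
  [ "$bad" -eq 0 ]
}

# Constructed sample list, as it would appear in aws.tfvars.
if validate_admin_cidrs 196.45.28.20/32 203.0.113.0/28; then
  echo "allowed_admin_cidrs OK"
fi
```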

AWS CLI Profile

Configure the AWS CLI profile that Terraform will use for authentication:

aws configure --profile <your-profile>

Then set it in your .tfvars file:

# In aws.tfvars
aws_profile = "<your-profile>"

When aws_profile is null, the AWS provider falls back to environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) or the instance role.

Bootstrap IAM (AMI Pipeline)

A separate bootstrap process creates an additional IAM role specifically for the Talos AMI build pipeline:

  • Role name: vmimport
  • Trust policy: Allows vmie.amazonaws.com (EC2 VM Import/Export service) to assume the role
  • Permissions:
    • S3: GetBucketLocation, GetObject, ListBucket on the Talos image bucket
    • EC2: ModifySnapshotAttribute, CopySnapshot, RegisterImage, Describe*

This role is required by aws ec2 import-snapshot to convert uploaded disk images into EBS snapshots.

Access Requirements

Access Type            | Purpose                                           | When Needed
-----------------------|---------------------------------------------------|---------------------------------
IPMI/BMC               | Power control, BIOS configuration, serial console | Server setup and troubleshooting
Network switch         | VLAN configuration, port settings                 | Initial network setup
Talos API (port 50000) | Node management after Talos is installed          | Ongoing operations
Physical               | Racking, cabling, USB boot media                  | Initial deployment

IPMI/BMC Credentials

Each server has an out-of-band management interface (IPMI, iDRAC, iLO, or similar) that allows remote power control, BIOS access, and serial-over-LAN console.

  1. Set BMC IP addresses — typically on a dedicated management VLAN (e.g., 192.168.10.0/24)
  2. Configure BMC credentials — change default passwords on all servers
  3. Verify access from your workstation:

# Test IPMI connectivity
ipmitool -I lanplus -H <bmc-ip> -U <username> -P <password> chassis status

# Power on a server
ipmitool -I lanplus -H <bmc-ip> -U <username> -P <password> chassis power on
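An added example, not from the original page: it walks a constructed BMC inventory, refuses any BMC address outside the management VLAN from step 1, and runs the same chassis status check with the password taken from the IPMI_PASSWORD environment variable (ipmitool -E) rather than from -P on the command line, where it would show up in the process list and shell history. The inventory, the VLAN and the user names are constructed for the example.

```shell
#!/bin/sh
# Constructed inventory (NAME BMC_IP BMC_USER); not a real site's data.
BMC_INVENTORY='node1 192.168.10.11 admin
node2 192.168.10.12 admin
node3 10.0.0.5 admin'
MGMT_VLAN=192.168.10.0/24   # dedicated BMC network from step 1

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS -> exit 0 if IP lies inside NET/BITS
in_subnet() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# bmc_check NAME IP USER: refuse BMCs outside the management VLAN, then
# query power state. ipmitool -E reads the password from $IPMI_PASSWORD,
# so it never appears in argv or shell history (unlike -P).
bmc_check() {
  if ! in_subnet "$2" "$MGMT_VLAN"; then
    echo "$1: BMC $2 is outside $MGMT_VLAN, skipping" >&2; return 1
  fi
  if ! command -v ipmitool >/dev/null 2>&1; then
    echo "$1: ipmitool not installed, connectivity not tested" >&2; return 2
  fi
  [ -n "$IPMI_PASSWORD" ] || { echo "$1: IPMI_PASSWORD is not set" >&2; return 2; }
  ipmitool -I lanplus -H "$2" -U "$3" -E chassis status
}

# Walk the inventory; keep going after failures so every BMC is reported.
check_all_bmcs() {
  printf '%s\n' "$BMC_INVENTORY" | while read -r name ip user; do
    [ -n "$name" ] || continue
    bmc_check "$name" "$ip" "$user" || echo "$name: check failed (status $?)" >&2
  done
}

check_all_bmcs
```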

SSH Keys

SSH is used for managing network switches and PXE servers before Talos is installed. After Talos is running, all node management is via talosctl — Talos does not run an SSH server.

# Generate an SSH key pair (if you don't have one)
ssh-keygen -t ed25519 -C "rciis-admin"

# Copy to your PXE server or network switches
ssh-copy-id admin@<switch-ip>

Network Switch Access

If you are managing VLANs on your switches, ensure you have console or SSH access to configure:

  • VLAN creation and port assignments
  • Trunk ports between switches
  • Access ports for server NICs

Admin Access Control

Role                 | IPMI Access | Switch Access | talosctl Access
---------------------|-------------|---------------|-------------------
Infrastructure admin | Yes         | Yes           | Yes
Kubernetes admin     | No          | No            | Yes
Application team     | No          | No            | No (kubectl only)

Note

Once Talos is installed, the only way to manage nodes is via talosctl over port 50000. There is no SSH, no shell, and no way to log into the OS directly. This is a security feature of Talos Linux.

Access Requirements

Access Type            | Purpose                           | When Needed
-----------------------|-----------------------------------|-------------------------------
Proxmox API            | Terraform provider authentication | VM provisioning
Proxmox Web UI         | Template creation, monitoring     | Setup and debugging
SSH to Proxmox node    | Disk import, template operations  | Terraform provider requirement
Talos API (port 50000) | Node management after deployment  | Ongoing operations

Proxmox API Token

The Terraform project authenticates to Proxmox using an API token in the format USER@REALM!TOKENID=SECRET.

Create a token via the Proxmox web UI or CLI:

# On the Proxmox node
pveum user token add root@pam IaC --privsep 0

The --privsep 0 flag gives the token the same permissions as the user. The output will include the token secret — save it securely.

Warning

Do not store the API token directly in .tfvars files that are committed to Git. Use an environment variable instead:

export TF_VAR_proxmox_api_token="root@pam!IaC=<your-secret>"
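Two added helper functions (not part of the project or this page) that help keep the token out of Git: proxmox_token_id checks that a token has the USER@REALM!TOKENID=SECRET shape and prints only the ID part, so logs and error messages never carry the secret; precommit_tfvars fails if any .tfvars file assigns proxmox_api_token a string literal, which makes it usable as a pre-commit hook. The demo file and token value are constructed.

```shell
# proxmox_token_id TOKEN: verify the USER@REALM!TOKENID=SECRET shape and
# print only USER@REALM!TOKENID. Exit 1 on a malformed token.
proxmox_token_id() {
  tok=$1
  case "$tok" in
    *@*!*=?*) ;;   # must contain '@', then '!', then '=' followed by a secret
    *) echo "token is not in USER@REALM!TOKENID=SECRET form" >&2; return 1 ;;
  esac
  id=${tok%%=*}        # USER@REALM!TOKENID (everything before the first '=')
  user=${id%%!*}       # USER@REALM
  tokenid=${id#*!}     # TOKENID
  if [ -z "${user%%@*}" ] || [ -z "${user#*@}" ] || [ -z "$tokenid" ]; then
    echo "token has an empty user, realm or token id" >&2; return 1
  fi
  printf '%s\n' "$id"
}

# tfvars_has_token_literal FILE: exit 0 if FILE assigns proxmox_api_token a
# string literal (the pattern that leaks the secret into Git), 1 otherwise.
# An assignment to null does not match.
tfvars_has_token_literal() {
  grep -Eq '^[[:space:]]*proxmox_api_token[[:space:]]*=[[:space:]]*"' "$1"
}

# precommit_tfvars FILE...: exit non-zero if any file carries the secret,
# pointing the committer at TF_VAR_proxmox_api_token instead.
precommit_tfvars() {
  leaked=0
  for f in "$@"; do
    if tfvars_has_token_literal "$f"; then
      echo "$f: proxmox_api_token literal found; export TF_VAR_proxmox_api_token instead" >&2
      leaked=1
    fi
  done
  return "$leaked"
}

# Constructed demo file with a fake token; the quoted value trips the check.
demo=$(mktemp)
printf 'proxmox_endpoint = "https://pve.example.test:8006"\nproxmox_api_token = "root@pam!IaC=not-a-real-secret"\n' > "$demo"
precommit_tfvars "$demo" || echo "commit would be blocked"
rm -f "$demo"
```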

SSH Access to Proxmox Node

The bpg/proxmox Terraform provider requires SSH access to the Proxmox node for disk import and template operations. The provider configuration in main.tf uses SSH agent forwarding:

provider "proxmox" {
  endpoint  = var.proxmox_endpoint
  api_token = var.proxmox_api_token
  insecure  = var.proxmox_insecure

  ssh {
    agent    = true
    username = var.proxmox_ssh_username  # default: "root"
  }
}

Ensure your SSH agent is running and has a key that can access the Proxmox node:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

# Verify access
ssh root@<proxmox-host>

Proxmox Web UI

Access the Proxmox management interface at https://<proxmox-host>:8006. This is used for:

  • Creating and managing VM templates
  • Monitoring VM status and resource usage
  • Configuring storage pools, networking, and firewall rules

Storage Pool Permissions

The Terraform project uses the local-lvm storage pool by default (configurable via storage_pool variable). Ensure the API token has permissions to:

  • Create and delete VM disks on the storage pool
  • Import disk images (for template creation)
  • Clone VMs from templates

Admin Access Control

Role                 | Proxmox API     | Proxmox SSH | talosctl Access
---------------------|-----------------|-------------|-------------------
Infrastructure admin | Yes (API token) | Yes         | Yes
Kubernetes admin     | No              | No          | Yes
Application team     | No              | No          | No (kubectl only)