Grant Privileged Access to Helios BYOC Cell
Privileged access grants SingleStore access to the Helios BYOC cell using a secure and transparent EC2 instance (privileged access instance) provisioned within the EKS cluster.
Note: "Privileged access" is sometimes referred to as "Breakglass access".
Why Provide Privileged Access
While bootstrapping the Amazon EKS VPC, access to the Kubernetes API server endpoint is configured as Private to minimize the exposure of the API and reduce the risk of unauthorized access that may compromise the cluster's state, compute resources, service availability, or sensitive data.
These restrictions also limit SingleStore's ability to interact directly with the BYOC cell.
Follow the steps in Provide Privileged Access to SingleStore and Revoke Privileged Access to ensure a secure, auditable, and efficient process for providing temporary privileged access to critical resources.
What is a Privileged Access Instance
During the Bootstrapping process, an EC2 instance ("the privileged access instance") is provisioned within the EKS cluster. SingleStore creates an IAM role named ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) to govern access to the privileged access instance and adds the required policies to enable access to this instance.
SingleStore implements the following safeguards to uphold the security standards:
- Session Logging: Enable logging for all the sessions. Once AWS Session Manager CloudWatch logging is enabled on your VPC, all the sessions have logging enabled.
- IAM Role Protection: Use a specific IAM role named ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>).
Provide Privileged Access to SingleStore
After receiving a privileged access request from SingleStore Support over Zendesk, perform the following tasks:
- Approve the privileged access request. Ensure the following:
  - The ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) IAM role is associated with the privileged access instance.
  - SingleStore Support is able to assume this IAM role. Add the following statement to the role's trust relationship policy, replacing <SingleStore_Role_ARN> with the ARN provided by SingleStore Support in the Zendesk ticket:
    {"Effect": "Allow", "Principal": {"AWS": "<SingleStore_Role_ARN>"}, "Action": "sts:AssumeRole"}
- Enable CloudWatch auditing. To enable CloudWatch logging of the SSM session:
  - On the Systems Manager Console, select Session Manager > Preferences.
  - Select the region of your BYOC cell.
  - Select Edit, and enable CloudWatch logging.
  - Select the log group named /aws/ssm/{BYOC_cell_name}/cluster.
  - Use defaults for other configuration settings.
  - Select Save.
  All the SSM session logs are now streamed to the selected log group.
- Send confirmation to SingleStore. Contact SingleStore Support, confirm that the permissions are granted, and provide the ID of the instance named Privileged access instance (or Breakglass instance).
Revoke Privileged Access
After SingleStore Support has performed the required maintenance or repair operations, a follow-up response is sent to indicate that privileged access is no longer required.
To revoke access to the privileged access instance, manually remove the SingleStore role from the trust entities of the ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) role, so that the role's trust relationship policy no longer contains an sts:AssumeRole statement for the SingleStore role ARN.
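The grant step (adding the Allow/sts:AssumeRole statement for the SingleStore role ARN), the CloudWatch logging check, and the revoke step (removing that trust again) are the parts of this procedure that are easy to get subtly wrong: a trust statement that names a wildcard principal, a grant applied twice, a revoke that leaves the ARN behind in a list-valued Principal, or session logging pointed at the wrong log group. The following Python helpers are an added example, not SingleStore's code or part of this page; they manipulate the trust policy document as a plain dict and inspect the Session Manager preferences (the inputs of the SSM-SessionManagerRunShell document) offline. The account ID, role ARN, and cell name are constructed placeholders, and applying the resulting document to IAM (for example with update-assume-role-policy) is left to your normal tooling.

```python
"""Added example: edit the trust policy of the ssm-access-from-other-accounts role
and check Session Manager logging preferences. Pure Python, no AWS calls."""
import copy
import json

# Constructed placeholder values; replace with the real ones from the Zendesk ticket.
OWN_ACCOUNT_ID = "111122223333"
SINGLESTORE_ROLE_ARN = "arn:aws:iam::444455556666:role/singlestore-support-placeholder"
EXPECTED_LOG_GROUP = "/aws/ssm/example-cell/cluster"   # /aws/ssm/{BYOC_cell_name}/cluster

# Constructed trust policy as it might look before the grant: only our own account.
BASE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT_ID}:root"},
         "Action": "sts:AssumeRole"},
    ],
}


def _aws_principals(statement):
    """AWS principals of one statement as a list (Principal.AWS may be str or list)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return [principal]                      # bare "*" principal
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def trusted_principals(policy):
    """Set of AWS principals allowed to call sts:AssumeRole under this policy."""
    result = set()
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            result.update(_aws_principals(stmt))
    return result


def grant_trust(policy, role_arn):
    """Return a copy of policy with the page's Allow statement for role_arn.
    Idempotent, and refuses anything that is not a specific IAM role ARN."""
    if not role_arn.startswith("arn:aws:iam::") or ":role/" not in role_arn:
        raise ValueError(f"trust must name a specific IAM role ARN, not {role_arn!r}")
    new_policy = copy.deepcopy(policy)
    if role_arn in trusted_principals(new_policy):
        return new_policy                       # already granted; do not duplicate
    new_policy["Statement"].append({
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "sts:AssumeRole",
    })
    return new_policy


def revoke_trust(policy, role_arn):
    """Return a copy of policy with role_arn removed from every statement.
    A statement that trusted only the revoked role is dropped entirely."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for stmt in new_policy["Statement"]:
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            remaining = [p for p in _aws_principals(stmt) if p != role_arn]
            if not remaining:
                continue
            principal["AWS"] = remaining if len(remaining) > 1 else remaining[0]
        kept.append(stmt)
    new_policy["Statement"] = kept
    return new_policy


def session_logging_findings(prefs, expected_log_group):
    """Check Session Manager preferences (SSM-SessionManagerRunShell inputs) and
    return a list of problems; an empty list means logging matches the page's setup."""
    findings = []
    actual = prefs.get("cloudWatchLogGroupName")
    if actual != expected_log_group:
        findings.append(f"log group is {actual!r}, expected {expected_log_group!r}")
    if not prefs.get("cloudWatchStreamingEnabled", False):
        findings.append("cloudWatchStreamingEnabled is false: logs are not streamed live")
    return findings


if __name__ == "__main__":
    granted = grant_trust(BASE_TRUST_POLICY, SINGLESTORE_ROLE_ARN)
    print(json.dumps(granted, indent=2))      # document to apply during the grant step
    print(sorted(trusted_principals(revoke_trust(granted, SINGLESTORE_ROLE_ARN))))
```

When revoking, compare trusted_principals() of the policy you are about to apply against the pre-grant policy rather than trusting that the console edit removed every occurrence; the same function gives you a quick audit of which external principals can still reach the privileged access instance at any later time.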
Last modified: August 6, 2025