BYOC Cell Breakglass Access

"Breakglass" access grants SingleStore access to the BYOC cell using a secure and transparent Breakglass EC2 instance provisioned within the EKS cluster.

Why Provide Breakglass Access

While Bootstrapping the Amazon EKS VPC, access to the Kubernetes API Server endpoint is configured as Private to minimize the exposure to the API and reduce the risk of unauthorized access that may compromise the cluster's state, compute resources, service availability, or sensitive data.

These restrictions also limit SingleStore's ability to interact directly with the BYOC cell. Therefore, to perform repair or maintenance tasks on the BYOC cell, SingleStore requires Breakglass access to the BYOC cell.

Follow the steps in Provide Breakglass Access to SingleStore and Revoke Breakglass Access to ensure a secure, auditable, and efficient process for providing temporary Breakglass access to critical resources.

What is a Breakglass Instance

During the Bootstrapping process, an EC2 instance (namely the Breakglass instance) is provisioned within the EKS cluster to facilitate the execution of Kubernetes commands while maintaining high security standards. Access to the Breakglass instance is strictly controlled via the AWS Session Manager, without requiring SSH keys or public endpoints.

SingleStore creates an IAM role named ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) to govern access to the Breakglass instance and adds the required policies to enable access to the instance. SingleStore assumes this role to access the Breakglass instance.

SingleStore implements the following safeguards to uphold the security standards:

  • Session Logging: Enable logging for all the sessions. Once AWS Session Manager CloudWatch logging is enabled on your VPC, all the sessions have logging enabled.

  • IAM Role Protection: Use a specific IAM role named ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>).

Provide Breakglass Access to SingleStore

After receiving a Breakglass access request from SingleStore Support over Zendesk, perform the following tasks:

  1. Approve Breakglass access request. Ensure the following:

    • The ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) IAM role is associated with the Breakglass instance.

    • SingleStore Support is able to assume this IAM role.

    • Add the following to the trust relationship policy. Update <SingleStore_Role_ARN> with the ARN provided by SingleStore Support in the Zendesk ticket.

      {
      "Effect": "Allow",
      "Principal": {
      "AWS": "<SingleStore_Role_ARN>"
       	},
      "Action": "sts:AssumeRole"
      }
  2. Enable CloudWatch auditing. To enable CloudWatch logging of the SSM session:

    1. On the Systems Manager Console, select Session Manager > Preferences.

    2. Select the region of your BYOC cell.

    3. Select Edit, and enable CloudWatch logging.

    4. Select the Log group named /aws/ssm/{BYOC_cell_name}/cluster.

    5. Use defaults for other configuration settings.

    6. Select Save. All the SSM session logs are now streamed to the selected log group.

  3. Send confirmation to SingleStore. Contact SingleStore Support, confirm that the permissions are granted, and provide the ID of the instance named Breakglass instance.

Revoke Breakglass Access

After SingleStore Support has performed the required maintenance or repair operations, a follow-up response is sent to indicate that Breakglass access is no longer required.

To revoke access to the Breakglass instance, remove the SingleStore IAM role from the trust entities - manually remove the SingleStore role from the trust entities of the ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) role.

Last modified: May 27, 2025

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK