Grant Privileged Access to Helios BYOC Cell

Privileged access grants SingleStore access to the Helios BYOC cell using a secure and transparent EC2 instance (privileged access instance) provisioned within the EKS cluster.

Note

"Privileged access" is sometimes referred to as "Breakglass access". Similarly, a "privileged access instance" may be called a "Breakglass instance".

Why Provide Privileged Access

While Bootstrapping the Amazon EKS VPC, access to the Kubernetes API Server endpoint is configured as Private to minimize the exposure to the API and reduce the risk of unauthorized access that may compromise the cluster's state, compute resources, service availability, or sensitive data.

These restrictions also limit SingleStore's ability to interact directly with the BYOC cell. Therefore, to perform repair or maintenance tasks on the BYOC cell, SingleStore requires privileged access to the BYOC cell.

Follow the steps in Provide Privileged Access to SingleStore and Revoke Privileged Access to ensure a secure, auditable, and efficient process for providing temporary privileged access to critical resources.

What is a Privileged Access Instance

During the Bootstrapping process, an EC2 instance ("the privileged access instance") is provisioned within the EKS cluster. This instance enables privileged access for SingleStore and facilitates the execution of Kubernetes commands while maintaining high security standards. Access to this EC2 instance is strictly controlled via the AWS Session Manager, without requiring SSH keys or public endpoints.

SingleStore creates an IAM role named ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) to govern access to the privileged access instance and adds the required policies to enable access to this instance. SingleStore assumes this role to access the privileged access instance.

SingleStore implements the following safeguards to uphold the security standards:

  • Session Logging: Enable logging for all the sessions. Once AWS Session Manager CloudWatch logging is enabled on your VPC, all the sessions have logging enabled.

  • IAM Role Protection: Use a specific IAM role named ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>).

Provide Privileged Access to SingleStore

After receiving a privileged access request from SingleStore Support over Zendesk, perform the following tasks:

  1. Approve privileged access request. Ensure the following:

    • The ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) IAM role is associated with the privileged access instance.

    • SingleStore Support is able to assume this IAM role.

    • Add the following to the trust relationship policy. Update <SingleStore_Role_ARN> with the ARN provided by SingleStore Support in the Zendesk ticket.

      {
      "Effect": "Allow",
      "Principal": {
      "AWS": "<SingleStore_Role_ARN>"
      },
      "Action": "sts:AssumeRole"
      }
  2. Enable CloudWatch auditing. To enable CloudWatch logging of the SSM session:

    1. On the Systems Manager Console, select Session Manager > Preferences.

    2. Select the region of your BYOC cell.

    3. Select Edit, and enable CloudWatch logging.

    4. Select the Log group named /aws/ssm/{BYOC_cell_name}/cluster.

    5. Use defaults for other configuration settings.

    6. Select Save. All the SSM session logs are now streamed to the selected log group.

  3. Send confirmation to SingleStore. Contact SingleStore Support, confirm that the permissions are granted, and provide the ID of the instance named Privileged access instance (or Breakglass instance).

Revoke Privileged Access

After SingleStore Support has performed the required maintenance or repair operations, a follow-up response is sent to indicate that privileged access is no longer required.

To revoke access to the privileged access instance, remove the SingleStore IAM role from the trust entities - manually remove the SingleStore role from the trust entities of the ssm-access-from-other-accounts (or ssm-access-from-other-accounts-<eks_cluster_name>) role.

Last modified: August 6, 2025

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK