Cloud Provider Integrations

Meshery extends Kubernetes management to cloud provider services, enabling you to design, deploy, and operate cloud infrastructure using the same workflows as your Kubernetes resources. Meshery integrates with AWS, GCP, and Azure through Kubernetes operators and Custom Resource Definitions (CRDs).

Overview

Cloud provider integrations allow you to:
  • Declarative Cloud Management: Define cloud resources as Kubernetes manifests
  • Unified Control Plane: Manage Kubernetes and cloud resources from Meshery
  • Visual Design: Drag-and-drop cloud services in Kanvas
  • GitOps-Ready: Version control cloud infrastructure alongside Kubernetes configs
  • Cross-Cloud Portability: Design patterns that work across providers

Supported Cloud Providers

Amazon Web Services

AWS EKS, RDS, S3, Lambda, and more through ACK

Google Cloud Platform

GKE, Cloud SQL, Cloud Storage, and GCP services

Microsoft Azure

AKS, Azure Storage, SQL Database through ASO

AWS Integration

Meshery integrates with AWS through the AWS Controllers for Kubernetes (ACK) project, which provides Kubernetes CRDs for AWS services.

Supported AWS Services

  • Amazon EKS: Managed Kubernetes clusters
  • AWS Lambda: Serverless functions
  • Amazon ECS: Container orchestration
  • AWS Fargate: Serverless container compute

Installation

Prerequisites

  • AWS account with appropriate permissions
  • Kubernetes cluster (EKS recommended)
  • AWS CLI configured
  • IAM roles for service accounts (IRSA) configured

Setup AWS Controllers

1. Install ACK Controller

Install the ACK controller for your desired service (e.g., RDS):

# Install RDS controller
export AWS_REGION=us-west-2
export ACK_K8S_NAMESPACE=ack-system

helm repo add ack https://aws-controllers-k8s.github.io/charts
helm install ack-rds-controller ack/rds-chart \
  --namespace $ACK_K8S_NAMESPACE \
  --create-namespace \
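  --set aws.region=$AWS_REGION

2. Configure IAM Permissions

Create an IAM policy for the ACK controller and associate it with the controller's service account. The policy document (ack-rds-policy.json) defines what the controller can do in your AWS account, so scope it to the RDS actions the controller needs:

# Create IAM policy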
aws iam create-policy \
  --policy-name ACKRDSControllerPolicy \
  --policy-document file://ack-rds-policy.json

# Associate with service account
eksctl create iamserviceaccount \
  --name ack-rds-controller \
  --namespace ack-system \
  --cluster my-cluster \
  --attach-policy-arn arn:aws:iam::ACCOUNT_ID:policy/ACKRDSControllerPolicy \
  --approve

3. Connect Meshery

Meshery automatically discovers ACK CRDs when you connect your EKS cluster. Navigate to Connections in the Meshery UI and verify that AWS components are available.

Example: Deploy RDS Database

Use Meshery to deploy an Amazon RDS PostgreSQL database:
  1. Open Kanvas designer
  2. Search for “RDS” in components
  3. Drag DBInstance onto canvas
  4. Configure properties:
    • Engine: postgres
    • Instance class: db.t3.micro
    • Allocated storage: 20GB
    • Master username: admin
  5. Add DBSubnetGroup for VPC configuration
  6. Connect to Kubernetes Secret for credentials
  7. Click Deploy to create the RDS instance

Relationships: AWS and Kubernetes

Meshery understands relationships between AWS and Kubernetes resources:
  • DBInstance → Secret: RDS credentials stored in Kubernetes Secret
  • DBInstance → DBSubnetGroup: RDS instance placement in VPC subnets
  • LoadBalancer → Service: AWS ALB/NLB created for Kubernetes Service
  • IAM Role → ServiceAccount: IRSA binding for pod-level AWS permissions

Supported ACK Controllers

Meshery supports all ACK controllers, including:
  • rds-controller: Amazon RDS
  • s3-controller: Amazon S3
  • eks-controller: Amazon EKS
  • dynamodb-controller: Amazon DynamoDB
  • elasticache-controller: Amazon ElastiCache
  • lambda-controller: AWS Lambda
  • sns-controller: Amazon SNS
  • sqs-controller: Amazon SQS

GCP Integration

Meshery integrates with Google Cloud Platform through Config Connector, which allows you to manage GCP resources as Kubernetes objects.

Supported GCP Services

  • Google Kubernetes Engine (GKE): Managed Kubernetes
  • Compute Engine: Virtual machines
  • Cloud Functions: Serverless functions
  • Cloud Run: Serverless containers

Installation

Prerequisites

  • GCP project with billing enabled
  • GKE cluster
  • gcloud CLI configured
  • Service account with appropriate permissions

Setup Config Connector

1. Enable Config Connector on GKE

gcloud container clusters update CLUSTER_NAME \
  --update-addons ConfigConnector=ENABLED \
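  --region REGION

2. Create Service Account

The binding below grants roles/owner, which gives the Config Connector service account full control of the project. Where your resources allow it, bind narrower roles that cover only the GCP services you plan to manage.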

gcloud iam service-accounts create config-connector \
  --display-name="Config Connector Service Account"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:config-connector@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/owner"

3. Configure Workload Identity

gcloud iam service-accounts add-iam-policy-binding \
  config-connector@PROJECT_ID.iam.gserviceaccount.com \
  --member="serviceAccount:PROJECT_ID.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
  --role="roles/iam.workloadIdentityUser"

4. Connect Meshery

Connect your GKE cluster to Meshery. Config Connector CRDs will be automatically discovered.

Example: Deploy Cloud SQL Instance

apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLInstance
metadata:
  name: my-cloudsql-instance
  namespace: default
spec:
  databaseVersion: POSTGRES_14
  region: us-central1
  settings:
    tier: db-f1-micro
    ipConfiguration:
      ipv4Enabled: true
      authorizedNetworks:
        - name: allow-all
          value: 0.0.0.0/0
---
apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLDatabase
metadata:
  name: my-database
spec:
  instanceRef:
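    name: my-cloudsql-instance

Apply this configuration in Meshery to create a Cloud SQL instance and database. As written, ipv4Enabled: true together with the allow-all authorized network (0.0.0.0/0) lets any address reach the instance's public IP; replace that entry with the specific CIDR ranges that need access.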

GCP Components in Kanvas

Search for GCP components in Kanvas:
  • SQLInstance, SQLDatabase, SQLUser
  • StorageBucket
  • ComputeInstance, ComputeDisk
  • PubSubTopic, PubSubSubscription
  • IAMServiceAccount, IAMPolicy

Azure Integration

Meshery integrates with Microsoft Azure through Azure Service Operator (ASO), which provides Kubernetes CRDs for Azure services.

Supported Azure Services

  • Azure Kubernetes Service (AKS): Managed Kubernetes
  • Azure Container Instances: Serverless containers
  • Azure Functions: Serverless functions
  • Virtual Machines: Compute instances

Installation

Prerequisites

  • Azure subscription
  • AKS cluster or Kubernetes cluster with Azure access
  • Azure CLI installed
  • Service Principal or Managed Identity

Setup Azure Service Operator

1. Install ASO

# Install cert-manager (required by ASO)
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

# Install Azure Service Operator
kubectl apply -f https://github.com/Azure/azure-service-operator/releases/download/v2.13.0/azureserviceoperator_v2.13.0.yaml

2. Create Service Principal

az ad sp create-for-rbac --name meshery-aso \
  --role Contributor \
  --scopes /subscriptions/SUBSCRIPTION_ID

Save the output (appId, password, tenant). These values are the CLIENT_ID, CLIENT_SECRET and TENANT_ID used in the next step.

3. Create Kubernetes Secret

kubectl create namespace azureserviceoperator-system

kubectl create secret generic azureoperator-secret \
  --namespace azureserviceoperator-system \
  --from-literal=AZURE_SUBSCRIPTION_ID=SUBSCRIPTION_ID \
  --from-literal=AZURE_TENANT_ID=TENANT_ID \
  --from-literal=AZURE_CLIENT_ID=CLIENT_ID \
  --from-literal=AZURE_CLIENT_SECRET=CLIENT_SECRET

4. Connect Meshery

Connect your AKS cluster to Meshery. ASO CRDs will be discovered automatically.

Example: Deploy Azure Storage Account

See the complete tutorial: Deploy Azure Storage Account with Meshery.

Quick Example:

apiVersion: resources.azure.com/v1api20200601
kind: ResourceGroup
metadata:
  name: my-resource-group
  namespace: default
spec:
  location: eastus
---
apiVersion: storage.azure.com/v1api20210401
kind: StorageAccount
metadata:
  name: mystorageaccount123
  namespace: default
spec:
  location: eastus
  kind: StorageV2
  sku:
    name: Standard_LRS
  owner:
    name: my-resource-group

Deploy via Meshery Kanvas or apply the YAML directly.

Azure Components in Kanvas

Available Azure components:
  • ResourceGroup
  • StorageAccount, BlobService, FileShare
  • SQLServer, SQLDatabase
  • PostgreSQLServer, PostgreSQLDatabase
  • VirtualNetwork, Subnet, NetworkInterface
  • ManagedCluster (AKS)

Multi-Cloud Patterns

Meshery enables multi-cloud designs:

Example: Multi-Cloud Database Deployment

Create a pattern that deploys databases on all three providers:
  1. AWS RDS: Primary database in us-east-1
  2. GCP Cloud SQL: Read replica in us-central1
  3. Azure SQL Database: Read replica in eastus
  4. Application: Kubernetes Deployment that connects to nearest database
Design this entire architecture in Kanvas and deploy with one click.

Cross-Cloud Relationships

Meshery can model relationships across clouds:
  • Kubernetes Pod → AWS RDS (via Secret)
  • Kubernetes Pod → GCP Cloud Storage (via Service Account)
  • Kubernetes Service → Azure Front Door (via Ingress)

Configuration Examples

AWS Lambda Function Triggered by S3

apiVersion: s3.services.k8s.aws/v1alpha1
kind: Bucket
metadata:
  name: my-uploads-bucket
spec:
  name: my-uploads-bucket-12345
---
apiVersion: lambda.services.k8s.aws/v1alpha1
kind: Function
metadata:
  name: process-upload
spec:
  name: process-upload
  runtime: python3.9
  handler: index.handler
  code:
    zipFile: |
      def handler(event, context):
          print(f"Processing file: {event['Records'][0]['s3']['object']['key']}")
          return {'statusCode': 200}
  role:
    arn: arn:aws:iam::ACCOUNT_ID:role/lambda-execution-role
---
apiVersion: s3.services.k8s.aws/v1alpha1
kind: BucketNotification
metadata:
  name: upload-notification
spec:
  bucket: my-uploads-bucket-12345
  lambdaFunctionConfigurations:
    - events:
        - s3:ObjectCreated:*
      lambdaFunctionARN: arn:aws:lambda:REGION:ACCOUNT_ID:function:process-upload

GCP Pub/Sub with Cloud Function

apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: events-topic
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubSubscription
metadata:
  name: events-subscription
spec:
  topicRef:
    name: events-topic
  ackDeadlineSeconds: 20

Best Practices

Never hardcode cloud credentials in YAML. Store them in Kubernetes Secrets and reference them:

spec:
  masterUserPassword:
    name: db-credentials
    key: password

For production databases and storage, enable deletion protection:

spec:
  deletionProtection: true

Store cloud resource definitions in Git alongside Kubernetes manifests. Use CI/CD pipelines to apply changes.

Add tags/labels to cloud resources for cost allocation and management:

spec:
  tags:
    - key: Environment
      value: Production
    - key: ManagedBy
      value: Meshery

Use Kubernetes namespaces to separate environments:
  • production: Production cloud resources
  • staging: Staging resources
  • development: Dev resources
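
The following is an added example, not Meshery's own code: a check that could run in the CI/CD pipeline mentioned above to flag resources that break these practices, including the open authorizedNetworks entry from the Cloud SQL example. It assumes input in the shape of `kubectl get <kinds> -A -o json`; the function names, resource names and sample JSON are constructed, and the credential check is generalized to any field whose name contains "password".

```python
import json

# Constructed sample in the shape of `kubectl get <kinds> -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"kind": "DBInstance", "metadata": {"name": "orders-db", "namespace": "production"},
     "spec": {"engine": "postgres", "masterUsername": "admin",
              "masterUserPassword": "example-literal-password"}},
    {"kind": "DBInstance", "metadata": {"name": "billing-db", "namespace": "production"},
     "spec": {"engine": "postgres", "deletionProtection": True,
              "masterUserPassword": {"name": "db-credentials", "key": "password"}}},
    {"kind": "SQLInstance", "metadata": {"name": "my-cloudsql-instance", "namespace": "default"},
     "spec": {"settings": {"ipConfiguration": {"ipv4Enabled": True,
              "authorizedNetworks": [{"name": "allow-all", "value": "0.0.0.0/0"}]}}}},
]})

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def inline_passwords(node, path="spec"):
    """Yield paths of *password* fields set inline instead of via a Secret reference."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # Inline means a plain string, or a mapping that carries a literal "value".
            inline = isinstance(value, str) or (
                isinstance(value, dict) and isinstance(value.get("value"), str))
            if "password" in key.lower() and inline:
                yield child
            else:
                yield from inline_passwords(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from inline_passwords(value, f"{path}[{i}]")

def audit(resource_list_json):
    """Return sorted (namespace/name, finding) pairs for the checks above."""
    findings = []
    for item in json.loads(resource_list_json).get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        findings += [(ref, f"inline credential at {p}") for p in inline_passwords(spec)]
        # Assumption: only the ACK DBInstance kind is checked for deletionProtection.
        if item.get("kind") == "DBInstance" and spec.get("deletionProtection") is not True:
            findings.append((ref, "deletionProtection not enabled"))
        ip_cfg = spec.get("settings", {}).get("ipConfiguration", {})
        for net in ip_cfg.get("authorizedNetworks", []):
            if net.get("value") in OPEN_CIDRS:
                findings.append((ref, f"authorizedNetworks '{net.get('name')}' allows {net['value']}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A non-empty result from `audit` can be used to fail the pipeline before the manifests are applied.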

Troubleshooting

Problem: AWS resources not being created
Solutions:
  • Check IAM permissions for the controller service account
  • Review controller logs: kubectl logs -n ack-system deployment/ack-<service>-controller
  • Verify AWS region is correct
  • Check for API rate limiting

Problem: GCP resources failing to create
Solutions:
  • Verify Workload Identity is configured correctly
  • Check service account permissions in GCP
  • Review Config Connector logs: kubectl logs -n cnrm-system deployment/cnrm-controller-manager
  • Ensure GCP APIs are enabled for your project

Problem: Azure resources stuck in provisioning state
Solutions:
  • Verify Azure credentials in the secret
  • Check ASO controller logs: kubectl logs -n azureserviceoperator-system deployment/azureserviceoperator-controller-manager
  • Ensure subscription has quota for requested resources
  • Review Azure Activity Log for detailed errors
