Cloud Keys¶
Managed cloud credentials for launching instances and accessing resources across the Supercloud.
Overview¶
RosettaHub Cloud Keys (also called RosettaHub Keys) are MetaCloud artifacts that map to cloud provider credentials across AWS, Azure, GCP, Alibaba Cloud, OVH, and OpenStack:
| Provider | Credential Type |
|---|---|
| AWS | IAM Roles (STS federation) |
| Azure | Service Principal |
| GCP | Service Account |
| Alibaba Cloud | RAM Roles (STS federation) |
| OVH | OpenStack Application Credentials |
| OpenStack | Application Credentials |
For AWS and Alibaba Cloud, RosettaHub provisions keys based on IAM Roles with STS federation -- not IAM users. Users assume roles into their sandboxed sub-accounts, and RosettaHub manages the temporary credentials automatically. Users can also create keys from existing IAM user access keys if needed; note that such keys are long-lived static credentials rather than STS-issued temporary ones, so the rotation guidance under Best Practices applies to them in particular.
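To make the STS-versus-IAM-user distinction concrete, here is an added example (not RosettaHub code) that classifies the AWS access key behind a Cloud Key as STS-temporary or static IAM-user, using the documented AWS key ID prefixes (ASIA for temporary credentials issued by STS, AKIA for long-lived IAM user keys), checks temporary credentials for a session token and a future expiry, and flags static imports that have outlived a rotation window. The key records, their field names and the 90-day window are constructed assumptions.

```python
"""Classify the AWS credentials behind Cloud Keys as temporary (STS) or
long-lived (IAM user) and report the ones that need attention.

Added example, not RosettaHub code. The key records below are constructed
sample data; the field names and the rotation window are assumptions."""
from datetime import datetime, timedelta, timezone

# Documented AWS access key ID prefixes: AKIA = long-lived IAM user key,
# ASIA = temporary credential issued by STS (AssumeRole / federation).
STATIC_PREFIX = "AKIA"
TEMPORARY_PREFIX = "ASIA"


def classify_access_key(access_key_id: str) -> str:
    """Map an access key ID to the credential type it was issued as."""
    if access_key_id.startswith(TEMPORARY_PREFIX):
        return "sts-temporary"
    if access_key_id.startswith(STATIC_PREFIX):
        return "iam-user-static"
    return "unknown"


def audit_keys(keys, now, max_static_age_days=90):
    """Return (key_label, kind, finding) tuples for keys that need attention."""
    findings = []
    for key in keys:
        kind = classify_access_key(key["access_key_id"])
        if kind == "sts-temporary":
            # Temporary credentials must carry a session token and a future
            # expiry; a stale record means the automatic refresh did not happen.
            if not key.get("session_token"):
                findings.append((key["label"], kind, "missing session token"))
            elif key["expires"] <= now:
                findings.append((key["label"], kind, "expired, needs refresh"))
        elif kind == "iam-user-static":
            # Static keys never expire on their own: age them against a policy.
            age = now - key["created"]
            if age > timedelta(days=max_static_age_days):
                findings.append((key["label"], kind, f"static key is {age.days} days old, rotate"))
        else:
            findings.append((key["label"], kind, "unrecognised access key id format"))
    return findings


# Constructed sample data: two role-backed keys and two imported IAM user keys.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"label": "aws/eu-west-1 (role)", "access_key_id": "ASIAEXAMPLE000000001",
     "session_token": "FwoGZXIvYXdzEXAMPLE", "created": NOW - timedelta(hours=1),
     "expires": NOW + timedelta(minutes=45)},
    {"label": "aws/us-east-1 (role)", "access_key_id": "ASIAEXAMPLE000000002",
     "session_token": "FwoGZXIvYXdzEXAMPLE", "created": NOW - timedelta(hours=3),
     "expires": NOW - timedelta(minutes=5)},
    {"label": "aws/us-east-1 (iam user import)", "access_key_id": "AKIAEXAMPLE000000003",
     "session_token": None, "created": NOW - timedelta(days=200), "expires": None},
    {"label": "aws/ap-southeast-1 (iam user import)", "access_key_id": "AKIAEXAMPLE000000004",
     "session_token": None, "created": NOW - timedelta(days=10), "expires": None},
]

if __name__ == "__main__":
    for label, kind, finding in audit_keys(SAMPLE_KEYS, NOW):
        print(f"{label:40} {kind:16} {finding}")
```

Run against real key metadata exported from the console, the report separates the keys RosettaHub keeps fresh for you from the imported static ones you must rotate yourself.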
Each Cloud Key is scoped to a specific cloud region. When a Cloud Key is provisioned, RosettaHub automatically creates a dedicated VPC in that region, so all instances launched with the key run inside an isolated, platform-managed network. RosettaHub automatically creates a Cloud Key for each cloud region that a user is allowed to access, subject to the cloud operations governance policies set by your organization.
Cloud Keys are the root of artifact dependencies
Cloud Keys are the foundation of the MetaCloud. Formations, images, storages, and other artifacts are linked to the Cloud Key that created or retrieved them. If a Cloud Key is deleted, all MetaCloud artifacts associated with that key are removed from RosettaHub -- including formations, images, storages, and snapshots -- along with all their sharing relationships on the platform. The underlying cloud resources (S3 buckets, EC2 instances, EBS volumes, etc.) are not deleted from the cloud provider. However, the RosettaHub representations and any sharing/collaboration built around those artifacts are lost.
Multiple MetaCloud artifacts can map to the same cloud resource
The MetaCloud does not enforce a one-to-one mapping. Multiple Cloud Keys can reference the same underlying cloud account, and multiple storage artifacts can point to different folders within the same bucket. This lets teams create focused, scoped views of shared cloud infrastructure.
Key Features¶
Automatic Provisioning¶
When your account is created, RosettaHub automatically provisions Cloud Keys for each region you're authorized to use. No manual credential management required.
Built-in Restrictions¶
Cloud Keys come with security restrictions aligned to your permissions:
| Restriction | Description |
|---|---|
| On-Demand Instance Types | Limited to types assigned to your user permissions |
| Spot Instance Types | Most instance types are allowed |
| Dedicated VPC | RosettaHub automatically creates a VPC per key -- all instances run in this isolated, platform-managed network |
| Region Lock | Instances run only in the key's associated region |
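The restrictions in the table are easiest to reason about as a per-key rule set that every launch request is checked against. The block below is an added example, not RosettaHub code: it models a key's region lock, dedicated VPC and on-demand/spot instance-type lists as a launch check, and then renders the same rules as an AWS IAM policy statement using the real EC2 condition keys `aws:RequestedRegion`, `ec2:InstanceType`, `ec2:InstanceMarketType` and `ec2:Vpc`. This page does not say how RosettaHub enforces the restrictions; the IAM rendering is one standard way to express them on AWS, and the key data, VPC id and account id are constructed.

```python
"""Model a Cloud Key's built-in restrictions (region lock, dedicated VPC,
allowed on-demand and spot instance types) as a launch-request check and as an
equivalent AWS IAM policy.

Added example, not RosettaHub code. How RosettaHub enforces these rules is not
described on the page; the IAM conditions are one standard way to express them.
All ids below are constructed sample data."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudKeyRestrictions:
    region: str                 # the key's associated region (region lock)
    vpc_id: str                 # the dedicated VPC created for this key
    on_demand_types: frozenset  # instance types assigned to the user
    spot_types: frozenset       # wider list allowed for spot (assumed content)


def check_launch(key, region, vpc_id, instance_type, spot):
    """Return the list of violations; an empty list means the launch is allowed."""
    violations = []
    if region != key.region:
        violations.append(f"region {region} is outside the key's region {key.region}")
    if vpc_id != key.vpc_id:
        violations.append(f"VPC {vpc_id} is not the key's dedicated VPC {key.vpc_id}")
    allowed = key.spot_types if spot else key.on_demand_types
    if instance_type not in allowed:
        market = "spot" if spot else "on-demand"
        violations.append(f"instance type {instance_type} is not allowed for {market} launches")
    return violations


def iam_policy_for(key, account_id):
    """Express the same restrictions as IAM condition keys on ec2:RunInstances.

    Only the statements that carry the restrictions are shown; a working
    RunInstances policy also needs allows on image, security-group,
    network-interface and volume resources."""
    instance_arn = f"arn:aws:ec2:{key.region}:{account_id}:instance/*"
    subnet_arn = f"arn:aws:ec2:{key.region}:{account_id}:subnet/*"
    vpc_arn = f"arn:aws:ec2:{key.region}:{account_id}:vpc/{key.vpc_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # on-demand: only the assigned types, only in the key's region;
                # ec2:InstanceMarketType is absent (Null) for on-demand requests
                "Sid": "OnDemandInKeyRegion",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": instance_arn,
                "Condition": {
                    "StringEquals": {"aws:RequestedRegion": key.region,
                                     "ec2:InstanceType": sorted(key.on_demand_types)},
                    "Null": {"ec2:InstanceMarketType": "true"},
                },
            },
            {   # spot: the wider type list, still region-locked
                "Sid": "SpotInKeyRegion",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": instance_arn,
                "Condition": {
                    "StringEquals": {"aws:RequestedRegion": key.region,
                                     "ec2:InstanceType": sorted(key.spot_types),
                                     "ec2:InstanceMarketType": "spot"},
                },
            },
            {   # network placement: the subnet must belong to the dedicated VPC
                "Sid": "OnlyDedicatedVpc",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": subnet_arn,
                "Condition": {"ArnEquals": {"ec2:Vpc": vpc_arn}},
            },
        ],
    }


# Constructed sample key: eu-west-1, two on-demand types, a wider spot list.
SAMPLE_KEY = CloudKeyRestrictions(
    region="eu-west-1",
    vpc_id="vpc-0123456789abcdef0",
    on_demand_types=frozenset({"t3.medium", "m5.large"}),
    spot_types=frozenset({"t3.medium", "m5.large", "c5.4xlarge", "p3.2xlarge"}),
)

if __name__ == "__main__":
    print(check_launch(SAMPLE_KEY, "us-east-1", SAMPLE_KEY.vpc_id, "c5.4xlarge", spot=False))
    print(json.dumps(iam_policy_for(SAMPLE_KEY, "111122223333"), indent=2))
```

The point of rendering the policy is review: if the platform's restriction table and an IAM simulation of the role disagree on a request, one of them is wrong, and the launch check above is the smallest oracle to compare them against.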
Secure Storage¶
- Private keys are generated and stored securely by RosettaHub
- Retrieve credentials anytime from the console
- Access is managed through RosettaHub's permission system
Deletion: Platform vs Cloud¶
RosettaHub distinguishes between two types of deletion across all MetaCloud artifacts:
| Type | What Happens |
|---|---|
| Delete (platform) | Removes the RosettaHub artifact and its sharing relationships. The underlying cloud resource (bucket, volume, instance, etc.) is not deleted from the cloud provider. |
| Delete (cloud) | Removes both the RosettaHub artifact and the underlying cloud resource. This is irreversible. |
A single cloud resource can have multiple MetaCloud artifacts pointing to it (e.g., multiple storage artifacts referencing different folders in the same S3 bucket). Deleting one MetaCloud artifact does not affect others that reference the same cloud resource.
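Because a key delete cascades to every artifact created or retrieved through that key, and because several artifacts can point at one cloud resource, it is worth previewing the blast radius before pressing either delete button. The block below is an added example, not RosettaHub code, covering both the dependency rule stated in the Overview and the platform-versus-cloud deletion table: it keeps a small artifact graph, previews what a key delete removes (artifacts and their sharing relationships, never cloud resources), and shows how a cloud delete through one artifact leaves other artifacts on the same resource dangling. The object model and all ids are constructed assumptions chosen to reflect the rules on this page.

```python
"""Model MetaCloud artifact dependencies to preview the blast radius of a key
delete, a platform delete and a cloud delete.

Added example, not RosettaHub code; the object model and ids are constructed
assumptions that follow the rules stated on this page."""


class MetaCloud:
    def __init__(self):
        self.keys = {}        # key_id -> {"provider", "region"}
        self.artifacts = {}   # artifact_id -> {"kind", "key", "resource", "path"}
        self.shares = {}      # artifact_id -> set of principals it is shared with
        self.cloud = {}       # resource id -> True while it exists at the provider

    def add_key(self, key_id, provider, region):
        self.keys[key_id] = {"provider": provider, "region": region}

    def add_resource(self, resource_id):
        self.cloud[resource_id] = True

    def add_artifact(self, artifact_id, kind, key_id, resource_id, path="/"):
        # Every artifact hangs off the key that created or retrieved it, and
        # several artifacts may point at the same cloud resource (e.g. folders).
        assert key_id in self.keys and resource_id in self.cloud
        self.artifacts[artifact_id] = {"kind": kind, "key": key_id,
                                       "resource": resource_id, "path": path}
        self.shares[artifact_id] = set()

    def share(self, artifact_id, principal):
        self.shares[artifact_id].add(principal)

    def delete_platform(self, artifact_id):
        """Delete (platform): the artifact and its sharing go; the resource stays."""
        self.artifacts.pop(artifact_id)
        self.shares.pop(artifact_id)

    def delete_cloud(self, artifact_id):
        """Delete (cloud): artifact, sharing AND the underlying resource go.
        Other artifacts that point at the same resource are left dangling."""
        resource = self.artifacts[artifact_id]["resource"]
        self.delete_platform(artifact_id)
        self.cloud[resource] = False

    def preview_key_delete(self, key_id):
        """What a key delete removes from RosettaHub; cloud resources are untouched."""
        doomed = [a for a, meta in self.artifacts.items() if meta["key"] == key_id]
        lost_shares = {a: set(self.shares[a]) for a in doomed if self.shares[a]}
        return {"artifacts": sorted(doomed), "shares": lost_shares}

    def delete_key(self, key_id):
        for artifact_id in self.preview_key_delete(key_id)["artifacts"]:
            self.delete_platform(artifact_id)
        self.keys.pop(key_id)

    def dangling(self):
        """Artifacts whose cloud resource no longer exists at the provider."""
        return sorted(a for a, m in self.artifacts.items() if not self.cloud[m["resource"]])


def build_sample():
    """Constructed sample: two keys, one bucket seen through two scoped views."""
    mc = MetaCloud()
    mc.add_key("key-eu", "aws", "eu-west-1")
    mc.add_key("key-us", "aws", "us-east-1")
    mc.add_resource("s3://team-data")
    mc.add_resource("ebs:vol-0a1b2c3d")
    mc.add_resource("ec2:i-0f00ba4e")
    mc.add_artifact("stor-raw", "object-storage", "key-eu", "s3://team-data", "/raw")
    mc.add_artifact("stor-clean", "object-storage", "key-us", "s3://team-data", "/clean")
    mc.add_artifact("vol-scratch", "block-storage", "key-eu", "ebs:vol-0a1b2c3d")
    mc.add_artifact("form-train", "formation", "key-eu", "ec2:i-0f00ba4e")
    mc.share("stor-raw", "group:analysts")
    mc.share("form-train", "user:bob")
    return mc


if __name__ == "__main__":
    mc = build_sample()
    print("key-eu delete would remove:", mc.preview_key_delete("key-eu"))
    mc.delete_key("key-eu")
    print("still in RosettaHub:", sorted(mc.artifacts), "bucket exists:", mc.cloud["s3://team-data"])
```

The preview is the check to run before deleting a key: the sharing relationships it lists are exactly what cannot be recovered from the cloud provider afterwards, while the resources themselves can always be retrieved again through another key.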
Cloud Key Actions¶
Core Actions¶
| Action | Description |
|---|---|
| Create | Create keys from IAM user access keys, Azure service principal, or GCP service account |
| Launch | One-click launch of machine instances or clusters using your keys |
| Delete | Remove the key and all associated MetaCloud artifacts from RosettaHub (cloud resources are preserved) |
Storage Retrieval¶
Map your cloud storage resources to RosettaHub:
| Action | Description |
|---|---|
| Retrieve Object Storages | Map S3 buckets, Azure Blob containers, GCS buckets |
| Retrieve File Storages | Map EFS, Azure Files, Cloud Filestore |
| Retrieve Block Storages | Map EBS volumes, Azure Disks, Persistent Disks |
| Retrieve Snapshots | Map block storage snapshots |
Sharing Actions¶
| Action | Description |
|---|---|
| Share | Grant access to users, groups, or organizations |
| Publish | List on the RosettaHub Marketplace (must share with "hub" first) |
Working with Cloud Keys¶
Viewing Your Keys¶
- Open the Keys panel from the sidebar
- View all available Cloud Keys organized by provider and region
- Click a key to see details including:
    - Associated cloud account
    - Region and auto-created VPC
    - Allowed instance types
    - Creation date
Launching with Keys¶
- Select a Cloud Key
- Click Launch or right-click for the context menu
- Configure your instance:
    - Instance type (from the allowed list)
    - Machine image
    - Additional options
- Deploy with one click
Creating Custom Keys¶
To create keys from existing cloud credentials:
- Select your cloud account or use Create action
- Choose Create Keys from IAM User (AWS) or equivalent
- Provide the required credentials
- RosettaHub provisions the key with appropriate restrictions
Retrieving Storage¶
Sync your cloud storage resources:
- Select a Cloud Key
- Choose the appropriate retrieve action:
    - Retrieve Object Storages for bucket storage
    - Retrieve File Storages for network file systems
    - Retrieve Block Storages for disk volumes
- RosettaHub maps the storage to your account
Best Practices¶
Key Management
- Use separate keys for different projects or environments
- Review and clean up unused keys periodically
- Don't share keys more broadly than necessary
Security
- Store private keys securely (e.g., encrypted storage)
- Set appropriate file permissions (`chmod 600` on Linux/Mac)
- Rotate keys periodically for sensitive workloads
Organization
- Use descriptive labels that indicate purpose and region
- Document which formations use which keys
- Coordinate key sharing within your team
Related Topics¶
- MetaCloud Overview - The compute layer of the Supercloud
- Formations - Deploy resources using Cloud Keys
- Cloud Accounts - Manage cloud provider connections
- Images - Machine images for launching instances