Skip to content

AWS Enterprise Installation

Sextant is Kubernetes-native. In other words, one installs Sextant into a Kubernetes cluster.

AWS Subscription

These instructions assume that you have successfully subscribed to the Sextant Enterprise Edition on the AWS Marketplace.


You will need the up-to-date versions of the following tools installed:

Create EKS Cluster

First create an Amazon EKS cluster by using the following command substituting <CLUSTER_NAME> and <REGION_NAME> with a cluster name and region name of your choice:

eksctl create cluster \
  --name <CLUSTER_NAME> \
  --region <REGION_NAME> \
  --node-type m5.large \
  --nodes 4 \
  --with-oidc \


By specifying 4 nodes this cluster can also be added to Sextant as a target cluster for Sawtooth or Besu deployments. However you are also free to use an existing EKS cluster.

Create a Service Account

Sextant requires a service account with an IAM role to enable access to the appropriate Amazon Marketplace metering API. In this instance the policy required is AWSMarketplaceMeteringRegisterUsage.

Step 1 (Optional)

If your Amazon EKS cluster has not been created with IAM OIDC provider by, for example, using the --with-oidc option with eksctl, enable it with:

eksctl utils associate-iam-oidc-provider \
  --name <CLUSTER_NAME> \
  --region <REGION_NAME> \

Step 2: Create Namespace

Create namespace sextant for Sextant and switch to this -

kubectl create namespace sextant
kubectl config set-context --current --namespace=sextant

Step 3: Create Service Account

Next we create a service account sextant-aws-enterprise using eksctl and attach the policy using its Amazon Resource Name (ARN):

eksctl create iamserviceaccount \
--cluster=<CLUSTER_NAME> \
--region=<REGION_NAME> \
--namespace=sextant \
--name=sextant-aws-enterprise \
--attach-policy-arn="arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage" \
--override-existing-serviceaccounts \


If you encounter an error creating (or updating) this service account then you need to delete it using eksctl delete iamserviceaccount ...:

Install Sextant

Step 1: Create values.yaml

Create a values.yaml file that tells helm to specify the service account sextant-aws-enterprise that we have just created when deploying Sextant:

edition: aws-enterprise
  create: false
  name: sextant-aws-enterprise
    enabled: true


By enabling persistence in the example above you will ensure that state is preserved even if you restart or delete/reinstall Sextant with the same name in the same namespace.

Step 2: Add or Update BTP Helm Charts Repo

Add the BTP helm charts repo:

helm repo add btp-stable

Note that if you have done this previously you should make sure you have the most up-to-date BTP helm charts repo using this command:

helm repo update

Step 3: Deploy Sextant

Then run this helm command to install Sextant:

helm install -f values.yaml sextant btp-stable/sextant

The output should look something like this:

NAME: sextant
LAST DEPLOYED: Mon Jan  3 14:32:33 2022
NAMESPACE: sextant
STATUS: deployed
1. Get the initial Sextant application username and password by running this command
  kubectl describe pod/sextant-0 --namespace sextant-aws | grep INITIAL_

2. Get the application URL by running these commands:
  export POD_NAME=$(kubectl get pods -l "" -o jsonpath="{.items[0]}")
  echo "Visit to use your application"
  kubectl port-forward $POD_NAME 8080:80

Save Admin Credentials

Obtain the initial Sextant application username and password by running this command:

kubectl describe pod/sextant-0 | grep INITIAL_

Make a note of the username and password for admin access to Sextant. You will need these to log in to Sextant.


These details will persist even if you restart or delete/reinstall Sextant with the same name in the same namespace since we enabled postgres persistence.

Set up Access to Sextant

Follow these instructions to set up access to Sextant either via portforward or a more permanent solution such as a load balancer or an ingress controller.

Log in to Sextant

Once you have set up access to Sextant then you can log in using your saved username and password and start using it yourself or set up user access for members of your team.

Instructions on how to do this can be found here.