
Multi-Region and Multi-Account Setup

Onehouse projects are scoped to a single cloud region and account, but many platform features extend across regions and accounts. This page summarizes what is self-serve, what requires a support ticket, and which networking and IAM pieces you need to have in place.

Adding a new region to an existing account

Adding a new cloud region requires support intervention today. Onehouse provisions per-region VPC endpoints in its control plane and whitelists the region for your account.

To request a new region:

  1. Open a support ticket with the desired region, your AWS account or GCP project ID, and any networking constraints (custom CIDR ranges, required VPC endpoints).
  2. Onehouse provisions the region. Control-plane updates may take up to 24 hours to propagate.
  3. Once provisioning completes, create projects in the new region from the Onehouse console as you would in any existing region.

Region availability is checked at catalog and lake creation

If a region appears in your account but is missing from the dropdowns when creating a catalog or lake, contact support — region enablement is per-resource-type and can occasionally regress after platform updates.

Cross-account AWS Secrets Manager access

Onehouse jobs and Flows running in your data-plane account can read secrets stored in a different AWS account if all four of the following are configured:

  1. The secret is encrypted with a customer-managed KMS key, not the AWS-managed aws/secretsmanager key. The AWS-managed key's policy cannot be edited, so cross-account decryption is impossible with it; a secret created under the AWS-managed key has to be re-encrypted under (or recreated with) a customer-managed key.
  2. A resource policy on the secret grants secretsmanager:GetSecretValue to the Onehouse node role (the role ARN as the principal).
  3. The key policy on the customer-managed key grants kms:Decrypt and kms:DescribeKey to the Onehouse node role. Keep the statement that gives the key-owning account administrative access when you edit the policy, or the key becomes unmanageable; a kms:ViaService condition restricted to Secrets Manager in the secret's region limits what the grant can be used for.
  4. An IAM policy on the Onehouse node role allows secretsmanager:GetSecretValue on the cross-account secret ARN and kms:Decrypt on the KMS key ARN. For cross-account KMS use, both the key policy (3) and the identity policy (4) must allow the call; neither alone is sufficient.

If any of these are missing, secret reads fail at runtime, typically surfacing as a Flow that references the secret staying stuck in Provisioning. Contact Onehouse support for the current Onehouse node role ARN to use as the principal in the resource and key policies.
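The following script is an added example, not Onehouse's own code or tooling. It builds the three policy documents the four conditions call for and runs a preflight over them plus the secret's KmsKeyId, reporting which condition is unmet. The account IDs, secret and key ARNs are constructed placeholders and the node role ARN is hypothetical (the real one comes from Onehouse support). The grants() check is deliberately simplified: it matches Allow statements with IAM wildcards but does not evaluate Deny statements or Conditions, so it catches missing grants, not every way a read can still be refused.

```python
"""Preflight for the four cross-account Secrets Manager conditions above.

Added example, not Onehouse's own code. ARNs are constructed placeholders:
111122223333 owns the secret and key, 444455556666 is the data-plane account,
and the node role ARN is hypothetical (get the real one from Onehouse support).
"""
import fnmatch
import json
from typing import Optional

SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-password-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_OWNER_ROOT = "arn:aws:iam::111122223333:root"
NODE_ROLE_ARN = "arn:aws:iam::444455556666:role/onehouse-node-role"  # hypothetical


def is_customer_managed(kms_key_id: Optional[str]) -> bool:
    """Condition 1. DescribeSecret omits KmsKeyId for secrets under the AWS-managed
    aws/secretsmanager key; the alias of that name is the same case. A key ARN is
    taken as customer managed (confirm with DescribeKey's KeyManager if in doubt)."""
    return bool(kms_key_id) and not kms_key_id.endswith("alias/aws/secretsmanager")


def secret_resource_policy(secret_arn: str, node_role_arn: str) -> dict:
    """Condition 2: resource policy attached to the secret in the owning account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OnehouseNodeRoleRead", "Effect": "Allow",
        "Principal": {"AWS": node_role_arn},
        "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn}]}


def kms_key_policy(key_owner_root: str, node_role_arn: str, region: str) -> dict:
    """Condition 3: key policy on the customer-managed key. The first statement keeps
    the owning account able to administer the key (dropping it locks the key);
    kms:ViaService limits the node role to decrypting through Secrets Manager."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyOwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": key_owner_root}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "OnehouseNodeRoleDecrypt", "Effect": "Allow",
         "Principal": {"AWS": node_role_arn},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringEquals": {
             "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}]}


def node_role_policy(secret_arn: str, key_arn: str) -> dict:
    """Condition 4: identity policy on the node role in the data-plane account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": key_arn}]}


def _as_list(value) -> list:
    return [] if value is None else (value if isinstance(value, list) else [value])


def grants(policy: dict, action: str, resource: str, principal: Optional[str] = None) -> bool:
    """True if an Allow statement covers action and resource (IAM * and ? wildcards)
    and, when principal is given, names it or "*" under Principal.AWS.
    Deny statements and Conditions are not evaluated: this is a preflight, not IAM."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if principal is not None:
            p = stmt.get("Principal")
            allowed = ["*"] if p == "*" else _as_list((p or {}).get("AWS"))
            if "*" not in allowed and principal not in allowed:
                continue
        return True
    return False


def preflight(kms_key_id, resource_policy, key_policy, role_policy,
              secret_arn=SECRET_ARN, key_arn=KEY_ARN, node_role_arn=NODE_ROLE_ARN) -> list:
    """Return the unmet conditions (an empty list means all four are satisfied)."""
    missing = []
    if not is_customer_managed(kms_key_id):
        missing.append("1: secret is under the AWS-managed key; re-encrypt it with a customer-managed key")
    if not grants(resource_policy, "secretsmanager:GetSecretValue", secret_arn, node_role_arn):
        missing.append("2: secret resource policy does not allow GetSecretValue for the node role")
    for act in ("kms:Decrypt", "kms:DescribeKey"):
        if not grants(key_policy, act, key_arn, node_role_arn):
            missing.append(f"3: key policy does not allow {act} for the node role")
    if not grants(role_policy, "secretsmanager:GetSecretValue", secret_arn):
        missing.append("4: node role policy does not allow GetSecretValue on the secret ARN")
    if not grants(role_policy, "kms:Decrypt", key_arn):
        missing.append("4: node role policy does not allow kms:Decrypt on the key ARN")
    return missing


if __name__ == "__main__":
    policies = (secret_resource_policy(SECRET_ARN, NODE_ROLE_ARN),
                kms_key_policy(KEY_OWNER_ROOT, NODE_ROLE_ARN, "us-east-1"),
                node_role_policy(SECRET_ARN, KEY_ARN))
    for doc in policies:
        print(json.dumps(doc, indent=2))
    print("unmet:", preflight(KEY_ARN, *policies) or "none")
    print("unmet:", preflight(None, *policies))  # the AWS-managed key case
```

To use it against a real setup, feed preflight() the KmsKeyId from describe-secret, the document from get-resource-policy, the key policy from get-key-policy and the node role's attached policy document; the three builder functions give you documents to apply where something is missing.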

Cross-project GCP data access

Data location is configured at the Flow level (via the destination lake and database), not at the cluster level. To write to a GCS bucket in a different GCP project than your data plane:

  1. Grant the Onehouse service account (onehouse-gke-node-sa-...) the Storage Object Creator role in the target project. Where possible, bind the role on the destination bucket rather than project-wide. Storage Object Creator only permits creating objects; if the Flow also has to list, overwrite, or delete objects in the bucket, a broader role such as Storage Object Admin is required.
  2. Create the destination lake in the target project from the Onehouse console.
  3. Reference the new lake when creating the Flow. No cluster changes are required: any cluster in your data-plane account can write to any project where the service account has access.

Monitoring across regions

Most observability integrations require per-region setup today. The list below summarizes, per integration, whether setup in a new region is self-serve or support-assisted:

  • Datadog metrics: not self-serve. Open a support ticket with your API key per region. The API key secret must use AWS default encryption (not a custom KMS key) so the Datadog agent can decrypt it.
  • AWS CloudWatch: self-serve (automatic). Onehouse emits cluster metrics to the OneHouseClusterInsightsV2 and OneHouseClusterInsightsV3 namespaces in every region without additional configuration.
  • Grafana / Prometheus: not self-serve. If the Prometheus datasource is missing in a new region's Grafana, contact support with your project ID and region.
  • Honeycomb: not self-serve. Contact support to enable it per region; metrics are emitted with region labels. Self-serve via Terraform is planned.

AWS resource tagging for compliance

Onehouse applies a default tag set to the AWS resources it provisions: Name, Owner, Service, ManagedBy, OrganizationId. If your organization requires additional tags for service control policies (SCPs) or FinOps tracking (Application, Environment, ProductCategory, etc.):

  • Provide the required tag set during onboarding, or open a support ticket to update an existing data-plane.
  • Tags propagate to EC2 instances, EKS clusters, load balancers, and storage automatically.
  • Karpenter-provisioned nodes do not inherit custom tags automatically. If you need tags on Karpenter nodes, request the change through support.

Private Link endpoint services

Private Link setup is region-specific. If a Terraform apply fails with "VpcEndpointService does not exist" for a region you just enabled:

  • Verify the VPC endpoint service name matches the region — names differ across AWS regions.
  • Confirm the region is enabled for your account (see Adding a new region above).
  • Open a support ticket if the endpoint service is missing entirely — some regions require explicit whitelisting in the Onehouse control plane.
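The checker below is an added example, not Onehouse tooling, for the first two bullets: it parses the region out of a VPC endpoint service name, compares it with the region the Terraform provider targets, and, if given a boto3 EC2 client for that region, confirms the service is visible there. It assumes the standard AWS naming format com.amazonaws.vpce.<region>.vpce-svc-<id> for the commercial and GovCloud partitions; the service names used in the usage and tests are constructed. A service that exists but has not been allowlisted for your account is equally invisible to describe_vpc_endpoint_services, which is the third bullet's support case.

```python
"""Check that a Private Link endpoint service name matches the target region.

Added example, not Onehouse tooling. Assumes the standard AWS service-name
format com.amazonaws.vpce.<region>.vpce-svc-<id>; concrete names are constructed.
"""
import re
from typing import Tuple

SERVICE_NAME_RE = re.compile(
    r"^com\.amazonaws\.vpce\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.(?P<id>vpce-svc-[0-9a-f]+)$")


def parse_endpoint_service(name: str) -> Tuple[str, str]:
    """Split a service name into (region, service id); raise on a malformed name."""
    m = SERVICE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not a vpce service name "
                         "(expected com.amazonaws.vpce.<region>.vpce-svc-<id>)")
    return m.group("region"), m.group("id")


def check_endpoint_service(name: str, target_region: str, ec2=None) -> Tuple[bool, str]:
    """Return (ok, reason). The region embedded in the name must equal the region
    the Terraform provider is configured for. If a boto3 EC2 client for that region
    is passed, also confirm the service is visible there: an other-region, stale or
    not-yet-allowlisted name makes describe_vpc_endpoint_services fail with
    InvalidServiceName, the API-side form of "VpcEndpointService does not exist"."""
    try:
        region, svc_id = parse_endpoint_service(name)
    except ValueError as exc:
        return False, str(exc)
    if region != target_region:
        return False, (f"{svc_id} belongs to {region}, not {target_region}; "
                       f"use the service name Onehouse provided for {target_region}")
    if ec2 is not None:
        try:
            ec2.describe_vpc_endpoint_services(ServiceNames=[name])
        except Exception as exc:  # botocore ClientError with code InvalidServiceName
            return False, f"{name} is not visible in {target_region}: {exc}"
    return True, f"{svc_id} is a {target_region} service"


if __name__ == "__main__":
    import sys
    # Usage: python check_vpce.py <service-name> <region>; exit status 1 on mismatch.
    ok, reason = check_endpoint_service(sys.argv[1], sys.argv[2])
    print(reason)
    sys.exit(0 if ok else 1)
```

Pass a boto3 client (boto3.client("ec2", region_name=target_region)) as ec2 to turn the offline name check into a live one against the account the apply runs in.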