Create a Deployment Credential
The deployment credential gives VeloDB access to launch compute resources in your AWS account. This step requires you to create a cross-account IAM role with an access policy.
Prerequisites
You have created a Data Credential and obtained the bucket name and the ARN of the service IAM role in the Data Credential section.
Step 1: Create an IAM Policy
To finely control cross-account access permissions, you need to prepare an IAM policy first for a cross-account IAM role. Below are the detailed steps.
- Log into the AWS IAM Console as a user with administrator privileges.
- Click the Policies tab in the sidebar.
- Click the Create policy button.
- In the policy editor, click the JSON tab.
- Copy and paste the following access policy into the editor. Then replace the placeholders in the policy with their actual values:
  - <YOUR-AWS-ACCOUNT-ID>: your AWS account ID.
  - <YOUR-BUCKET-NAME>: the S3 bucket name prepared in the Data Credential section.
  - <YOUR-ROLE-NAME>: the service IAM role name created in the Data Credential section.
NOTE: During the VeloDB warehouse creation wizard, after you complete the Data Credential section and proceed to set up the Deployment Credential, the console automatically generates a ready-to-use access policy with the placeholders already filled in. You can copy and paste that policy into the IAM policy editor without any modifications or manual placeholder replacements.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:RebootInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/resource-created-by": "velodb"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeNatGateways",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceTypes",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeVolumes",
        "ec2:DescribeImages",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribePrefixLists",
        "ec2:DescribeRouteTables",
        "ec2:DescribeTags",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTargetGroups",
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/resource-created-by": "velodb"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:image/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/resource-created-by": "velodb"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateTargetGroup"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:*:*:targetgroup/*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/*",
        "arn:aws:elasticloadbalancing:*:*:listener/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/resource-created-by": "velodb"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:DeleteListener"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:*:*:targetgroup/*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/*",
        "arn:aws:elasticloadbalancing:*:*:listener/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticloadbalancing:ResourceTag/resource-created-by": "velodb"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:*:*:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticloadbalancing:ResourceTag/resource-created-by": "velodb"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<YOUR-BUCKET-NAME>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:instance-profile/<YOUR-ROLE-NAME>",
        "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/<YOUR-ROLE-NAME>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/<YOUR-ROLE-NAME>"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
      ],
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
        }
      }
    }
  ]
}
```
- Click the Next button.
- In the Name field, enter a policy name (e.g. AllowVeloDBCrossAccountAccess).
- Click Create policy.
Step 2: Create a Cross-Account IAM Role
- Return to the AWS IAM console.
- Click the Roles tab in the sidebar.
- Click Create role.
- Trusted Entity Type: select AWS account.
- Select Another AWS account.
- In the Account ID field, enter the VeloDB account ID: 757278738533.
- In the External ID field, enter your VeloDB External ID, which you copied from the VeloDB console.
- In the Add permissions step, select the policy you created in Step 1.
- Click the Next button.
- Enter a role name (e.g. AllowVeloDBCrossAccountAccess).
- Click Create role.
- In the role summary, copy the Role ARN; you will paste it into the VeloDB console.
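As an added example (not code from the VeloDB docs or console), the following Python builds the trust relationship that the Step 2 wizard creates for the role, using the VeloDB account ID from this page and your External ID as the sts:ExternalId condition, and lints a permissions policy before it is pasted in Step 1: it reports <YOUR-...> placeholders that were never replaced and any non-read-only action granted on Resource "*" with no Condition. The sample policy embedded below is constructed to mirror the shape of the first two statements of the policy above, and the External ID value is a placeholder.

```python
import json
import re

VELODB_ACCOUNT_ID = "757278738533"  # VeloDB account ID given in Step 2 of the page
PLACEHOLDER = re.compile(r"<YOUR-[A-Z0-9-]+>")  # the page's placeholder tokens
READ_ONLY = ("Describe", "Get", "List")  # action prefixes that cannot change state

def trust_policy(external_id: str) -> dict:
    """Trust relationship for the Step 2 role: only the VeloDB account may assume
    it, and only when it presents your External ID (confused-deputy protection)."""
    if not external_id:
        raise ValueError("External ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{VELODB_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def unreplaced_placeholders(policy_text: str) -> list:
    """<YOUR-...> tokens still present in the text about to be pasted in Step 1."""
    return sorted(set(PLACEHOLDER.findall(policy_text)))

def unscoped_mutations(policy_text: str) -> list:
    """Non-read-only actions granted on Resource "*" with no Condition at all."""
    found = set()
    for stmt in json.loads(policy_text)["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" in resources and "Condition" not in stmt:
            found.update(a for a in actions if not a.split(":")[-1].startswith(READ_ONLY))
    return sorted(found)

# Constructed sample that mirrors the shape of the page's first two statements.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:ModifyInstanceAttribute"],
     "Resource": ["arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringEquals": {"aws:ResourceTag/resource-created-by": "velodb"}}},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:ModifyInstanceAttribute"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::<YOUR-BUCKET-NAME>"]}
  ]
}"""
```

Run over the full policy above, the second check reports ec2:ModifyInstanceAttribute, which the second statement grants on "*" without the resource-created-by tag condition that the first statement applies to the same action; if the tag-scoped grant is the intended one, the duplicate can be dropped from the Describe statement.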