AWS Preparation
This article mainly introduces the AWS operations involved in creating a BYOC type warehouse, including creating an IAM user and authorizing it, creating a VPC and subnet, and understanding resource orchestration and resource stacks.
Prepare an IAM user and authorize it
Before creating a BYOC warehouse, you need to prepare an AWS IAM user with relevant permissions.
During the BYOC deployment, the page will redirect to AWS. You need to use this user to log in to the AWS management console and create a resource stack in CloudFormation.
If you already have an AWS user with the Administrator role, you can skip creating a policy and an IAM user.
Otherwise, please send this document to your AWS administrator and ask the administrator to create an IAM user for you and authorize it according to this document.
The administrator accesses the AWS Identity and Access Management(IAM) (opens in a new tab) console and performs the following operations:
Create a policy
When creating a VeloDB Cloud BYOC type warehouse, you need to execute the resource stack template through the resource orchestration service (CloudFormation), which will create cloud resources such as EC2, VPC, S3, or perform related operations, so a series of IAM permissions are required.
Click Access Management > Policies on the left to enter the permission policy management page and click Create Policy
Switch to JSON mode, clear the original text box, copy the following script, and enter the text box. For detailed permission descriptions, see the Permission Description of Resource Stack Template Dependencies section below.
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/resource-created-by": [
"selectdb"
]
}
},
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSecurityGroupRules",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetEbsDefaultKmsKeyId"
],
"Resource": [
"arn:aws:ec2:*:*:*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInternetGateways",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceTypes",
"ec2:DescribeVolumes",
"ec2:ModifyVolume",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:CreateSecurityGroup",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:*VpcEndpoint*",
"compute-optimizer:GetEnrollmentStatus",
"elasticloadbalancing:*",
"s3:CreateBucket"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:Delete*"
],
"Resource": [
"arn:aws:s3:::velodb-bucket-*"
],
"Effect": "Allow"
},
{
"Action": [
"sts:GetCallerIdentity",
"sts:AssumeRole",
"iam:GetUser",
"iam:TagUser",
"iam:CreateUser",
"iam:DeleteUser",
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetRole",
"iam:TagRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreatePolicy",
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteUserPolicy",
"iam:DeleteRolePolicy",
"iam:GetInstanceProfile",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com",
"lambda.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/velodb-*",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:TagResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
},
"Effect": "Allow"
}
]
}
Click Next, enter a name, and click OK to complete the creation of the permission policy.
Create an IAM user and authorize it
Notice: If you already have an IAM user, you can skip the creation step and authorize it directly.
Click Access Management > User on the left, enter the User Management page, click Create User, enter relevant information, and click Next.
Select the policy created in the above steps, click Next, click Create User, and complete the creation.
Create an IAM user group and authorize (optional)
If there are multiple people in the enterprise using VeloDB Cloud, you can create an IAM user group, add relevant people to the user group, and authorize them uniformly.
Click Access Management > User Groups on the left to enter the User Group Management page, click Create group, enter User group name, select the User name and Policy name to be added, and click Create user group to complete the creation.
Prepare a VPC and subnet
Before creating a BYOC type warehouse, you need to use the above IAM user to create a VPC and subnet in advance. The following are the specific operations.
Notice: If you already have a VPC and subnet, you can skip the creation step
Open the Amazon Web Services VPC (opens in a new tab) console and switch to the region where you want to deploy the BYOC warehouse.
Create VPC
Click Create VPC to enter the VPC creation page.
Select VPC only, enter the name tag, input IPv4 CDR, click Create VPC to complete the creation.
Create subnet
Click Subnets > Create subnet on the left to enter the subnet creation page.
Select the VPC created in the above steps, enter the subnet name, IPv4 subnet CIDR block, click Create Subnet, and complete the creation.
Note: The regions and availability zones currently supported are:
| Cloud Platform | Region Name | Region ID | Availability Zone ID |
|---|---|---|---|
| AWS | US East (N. Virginia) | us-east-1 | use1-az2 |
| AWS | US West (Oregon) | us-west-2 | usw2-az1 |
| AWS | Europe (Ireland) | eu-west-1 | euw1-az1 |
| AWS | Asia Pacific (Singapore) | ap-southeast-1 | apse1-az1 |
Learn about Resource Orchestration and Resource Stack
Note: You don't need to do anything in this chapter. If you want to learn more about how it works, you can continue reading.
When a user creates a BYOC type warehouse, the Agent will be automatically deployed with the help of the cloud vendor's resource orchestration service to complete the private connection between the Agent and the VeloDB Cloud platform, and then the Agent will be responsible for the deployment and management of the BYOC warehouse.
Resource Orchestration Template Description
The resource orchestration template provided by VeloDB runs under your cloud account, and the template code is visible and auditable, and will not operate on your data and other environments in the VPC. You can get the resource orchestration template provided by VeloDB through the following link:
https://selectdb-cloud-online.s3.us-west-1.amazonaws.com/public/aws-byoc.yamlWhen you execute the above resource template through AWS CloudFormation, it will automatically create and deploy the Agent. Then the Agent will establish a private connection with VeloDB Cloud and complete the warehouse initialization process.
After the resource orchestration script is executed, you can enter the corresponding warehouse from the VeloDB Cloud platform and start creating a computing cluster for data analysis just like using a normal warehouse.
How to view resource stack information
You can view all resources created through the CloudFormation interface's Resources tab, and view specific resources by resource name:
- EC2
- Name: VeloDBAgent (EC2)
- Purpose: Used to deploy Agent, Prometheus, FluentBit and other programs
- VPC Endpoint
- VeloDBEndpoint: Establishes private network connection with VeloDB Manage service to pull control instructions and enable one-way push of monitoring and logs
- VeloDBEC2VPCEndpoint: Establishes private network connection with AWS EC2 service for use in restricted network environments
- VeloDBELBVPCEndpoint: Establishes private network connection with AWS ELB service for use in restricted network environments
- S3 Bucket
- Name: VeloDBBucket (S3 Bucket)
- Purpose: Used to store data warehouse data
- SecurityGroup
- Name: VeloDBSecurityGroup (VPC SecurityGroup)
- Purpose: Binds to endpoints and EC2 instances, and restricts traffic through security group rules (allows all traffic from the same security group to access all ports, traffic from the same subnet to access port 8666, and allows all outbound traffic)
- IAM User / IAM Role
- Names:
- VeloDBUser (iam-user), VeloDBAkSk (iam-user aksk), VeloDBUserPolicy (iam-user permissions)
- VeloDBControlPanelRole (iam-role), VeloDBControlPanelRolePolicy (iam-role permissions)
- VeloDBDataAccessRole (iam-role), VeloDBDataAccessRolePolicy (iam-role permissions)
- Purposes:
- The created sub-user has minimum permissions required by Agent, and all subsequent control operations will use this sub-user's identity (All sub-user information will only be used within user's VPC and will not be leaked)
- Bound to EC2 instances to obtain temporary AkSk for authentication, which is more secure than using permanent AkSk. One for control panel use (bound to Agent), one for kernel side use (bound to MS/FE/BE)
- Names:
- Lambda Function
- Names:
- CustomFunction* (Lambda Function logic), SubnetQuery* (Lambda Function execution request)
- CustomResourceRole (temporary role for executing Lambda Function)
- Purpose: Lambda Function is used to implement logic that is available in Python SDK but not in CF templates. For this template, it mainly includes:
- Check and enable the PrivateDnsEnabled option for the selected VPC
- Create S3 endpoint. This logic requires access to the related RouteTable under the Subnet, which cannot be implemented due to CF template syntax limitations
- Get lowercase S3 bucket name, as Amazon S3 does not allow uppercase letters in bucket names
- Get the CidrBlock of the user-selected subnet, used to set the source IP range for security groups
- Names:
Permissions description of resource stack template dependencies
When executing a resource stack template through the resource orchestration service (CloudFormation) under your cloud account, cloud resources such as EC2, VPC, S3, etc. will be created or related operations will be performed, so a series of IAM permissions are required. Before formal execution, please ensure that the user executing this template has the corresponding permissions, otherwise the template execution may fail.
Note The execution process of the resource stack template is completely carried out under your cloud account, and the created resources also belong to your cloud account. VeloDB will not obtain your cloud account information, nor can it use the corresponding IAM permissions of the account.
The following are the permissions required based on the resources and operations defined in the template:
- Permission summary:
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/resource-created-by": [
"selectdb"
]
}
},
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSecurityGroupRules",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetEbsDefaultKmsKeyId"
],
"Resource": [
"arn:aws:ec2:*:*:*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInternetGateways",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceTypes",
"ec2:DescribeVolumes",
"ec2:ModifyVolume",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:CreateSecurityGroup",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:*VpcEndpoint*",
"compute-optimizer:GetEnrollmentStatus",
"elasticloadbalancing:*",
"s3:CreateBucket"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:Delete*"
],
"Resource": [
"arn:aws:s3:::velodb-bucket-*"
],
"Effect": "Allow"
},
{
"Action": [
"sts:GetCallerIdentity",
"sts:AssumeRole",
"iam:GetUser",
"iam:TagUser",
"iam:CreateUser",
"iam:DeleteUser",
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetRole",
"iam:TagRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreatePolicy",
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteUserPolicy",
"iam:DeleteRolePolicy",
"iam:GetInstanceProfile",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com",
"lambda.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/velodb-*",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:TagResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
},
"Effect": "Allow"
}
]
}-
EC2 & VPC permissions:
- Manage EC2 and security groups
{ "Condition": { "StringEquals": { "aws:ResourceTag/resource-created-by": [ "selectdb" ] } }, "Action": [ "ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances", "ec2:RebootInstances", "ec2:ModifyInstanceAttribute", "ec2:DescribeSecurityGroupRules", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:DeleteSecurityGroup", "ec2:GetEbsEncryptionByDefault", "ec2:GetEbsDefaultKmsKeyId" ], "Resource": [ "arn:aws:ec2:*:*:*" ], "Effect": "Allow" }- Get VPC related resource information
{ "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeInternetGateways", "ec2:DescribeInstances", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceTypes", "ec2:DescribeVolumes", "ec2:ModifyVolume", "ec2:DescribeImages", "ec2:RunInstances", "ec2:CreateSecurityGroup", "ec2:DescribeTags", "ec2:CreateTags", "ec2:DeleteTags", "compute-optimizer:GetEnrollmentStatus", ], "Resource": "*", "Effect": "Allow" }, -
ELB permissions:
- Manage Elastic Load Balancer (ELB) resources
elasticloadbalancing:* -
S3 permissions:
- Manage S3 buckets and perform read/write operations on buckets and their contents (for specific buckets)
{ "Action": [ "s3:CreateBucket" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*" ], "Resource": [ "arn:aws:s3:::velodb-bucket-*" ], "Effect": "Allow" }, -
IAM & STS & Lambda permissions:
- IAM and STS services
{ "Action": [ "sts:GetCallerIdentity", "sts:AssumeRole", "iam:GetUser", "iam:TagUser", "iam:CreateUser", "iam:DeleteUser", "iam:ListAccessKeys", "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetRole", "iam:TagRole", "iam:ListRoles", "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:GetUserPolicy", "iam:PutUserPolicy", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteUserPolicy", "iam:DeleteRolePolicy", "iam:GetInstanceProfile", "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "*", "Effect": "Allow" },- Lambda service
{ "Action": [ "lambda:GetFunction", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:InvokeFunction", "lambda:TagResource" ], "Resource": "*", "Effect": "Allow" },- ELB service-associated role related
{ "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" } }, "Effect": "Allow" } -
CloudFormation permissions:
{ "Action": [ "cloudformation:*" ], "Resource": "*", "Effect": "Allow" },
Permissions of sub-users created by resource stack templates
After the resource stack template is executed for the first time, a sub-user will be created for subsequent management of data warehouse related components in your VPC. The following is a description of the permissions of the sub-user.
Note The created sub-user belongs to your cloud account and is only used in your VPC and will not be leaked.
The specific permissions are divided as follows:
-
EC2 & VPC permissions:
- Manage EC2 and security groups
{ "Condition": { "StringEquals": { "aws:ResourceTag/resource-created-by": [ "selectdb" ] } }, "Action": [ "ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances", "ec2:RebootInstances", "ec2:ModifyInstanceAttribute", "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:DeleteSecurityGroup", "ec2:GetEbsEncryptionByDefault", "ec2:GetEbsDefaultKmsKeyId" ], "Resource": [ "arn:aws:ec2:us-west-2:*:*" ], "Effect": "Allow" },- Get VPC related resource information
{ "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeInternetGateways", "ec2:DescribeInstances", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceTypes", "ec2:DescribeVolumes", "ec2:ModifyVolume", "ec2:DescribeImages", "ec2:RunInstances", "ec2:CreateSecurityGroup", "ec2:DescribeTags", "ec2:CreateTags", "ec2:DeleteTags", "compute-optimizer:GetEnrollmentStatus", ], "Resource": "*", "Effect": "Allow" }, -
ELB permissions:
- Manage Elastic Load Balancer (ELB) resources
elasticloadbalancing:* -
S3 permissions:
- Manage S3 buckets and perform read/write operations on buckets and their contents (for specific buckets)
{ "Condition": { "StringEquals": { "aws:ResourceTag/resource-created-by": [ "selectdb" ] } }, "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::velodb-bucket-*/*", "arn:aws:s3:::velodb-bucket-*" ], "Effect": "Allow" } -
IAM & STS permissions:
- IAM & STS service related
{ "Action": [ "sts:GetCallerIdentity", "sts:AssumeRole", "iam:CreateInstanceProfile" ], "Resource": "*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } }, "Action": [ "iam:PassRole", "iam:AddRoleToInstanceProfile" ], "Resource": "arn:aws:iam::*:role/velodb-*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "elasticloadbalancing.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Effect": "Allow" }