AWS Preparation
This article mainly introduces the AWS operations involved in creating a BYOC type warehouse, including creating an IAM user and authorizing it, creating a VPC and subnet, and understanding resource orchestration and resource stacks.
Prepare an IAM user and authorize it
Before creating a BYOC warehouse, you need to prepare an AWS IAM user with relevant permissions.
During the BYOC deployment, the page will redirect to AWS. You need to use this user to log in to the AWS management console and create a resource stack in CloudFormation.
If you already have an AWS user with the Administrator role, you can skip creating a policy and an IAM user.
Otherwise, please send this document to your AWS administrator and ask the administrator to create an IAM user for you and authorize it according to this document.
The administrator accesses the AWS Identity and Access Management(IAM) (opens in a new tab) console and performs the following operations:
Create a policy
When creating a VeloDB Cloud BYOC type warehouse, you need to execute the resource stack template through the resource orchestration service (CloudFormation), which will create cloud resources such as EC2, VPC, S3, or perform related operations, so a series of IAM permissions are required.
Click Access Management > Policies on the left to enter the permission policy management page and click Create Policy
Switch to JSON mode, clear the original text box, copy the following script, and enter the text box. For detailed permission descriptions, see the Permission Description of Resource Stack Template Dependencies section below.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeVolumes",
"ec2:ModifyVolume",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:Delete*",
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Action": [
"sts:GetCallerIdentity",
"sts:AssumeRole",
"iam:GetUser",
"iam:TagUser",
"iam:CreateUser",
"iam:DeleteUser",
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetRole",
"iam:TagRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreatePolicy",
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteUserPolicy",
"iam:DeleteRolePolicy",
"iam:GetInstanceProfile",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/velodb-role-*",
"Effect": "Allow"
},
{
"Action": [
"ec2:*VpcEndpoint*",
"elasticloadbalancing:*",
"cloudformation:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:TagResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
},
"Effect": "Allow"
}
]
}
Click Next, enter a name, and click OK to complete the creation of the permission policy.
Create an IAM user and authorize it
Notice: If you already have an IAM user, you can skip the creation step and authorize it directly.
Click Access Management > User on the left, enter the User Management page, click Create User, enter relevant information, and click Next.
Select the policy created in the above steps, click Next, click Create User, and complete the creation.
Create an IAM user group and authorize (optional)
If there are multiple people in the enterprise using VeloDB Cloud, you can create an IAM user group, add relevant people to the user group, and authorize them uniformly.
Click Access Management > User Groups on the left to enter the User Group Management page, click Create group, enter User group name, select the User name and Policy name to be added, and click Create user group to complete the creation.
Prepare a VPC and subnet
Before creating a BYOC type warehouse, you need to use the above IAM user to create a VPC and subnet in advance. The following are the specific operations.
Notice: If you already have a VPC and subnet, you can skip the creation step
Open the Amazon Web Services VPC (opens in a new tab) console and switch to the region where you want to deploy the BYOC warehouse.
Create VPC
Click Create VPC to enter the VPC creation page.
Select VPC only, enter the name tag, input IPv4 CDR, click Create VPC to complete the creation.
Create subnet
Click Subnets > Create subnet on the left to enter the subnet creation page.
Select the VPC created in the above steps, enter the subnet name, IPv4 subnet CIDR block, click Create Subnet, and complete the creation.
Note: The regions and availability zones currently supported by the subnet are:
| Cloud Platform | Region | Availability Zone ID |
|---|---|---|
| AWS | us-east-1 | use1-az2 |
| AWS | us-west-2 | usw2-az1 |
| AWS | eu-west-1 | euw1-az1 |
Learn about Resource Orchestration and Resource Stack
When a user creates a BYOC type warehouse, the Agent will be automatically deployed with the help of the cloud vendor's resource orchestration service to complete the private connection between the Agent and the VeloDB Cloud platform, and then the Agent will be responsible for the deployment and management of the BYOC warehouse.
Resource Orchestration Template Description
The resource orchestration template provided by VeloDB runs under your cloud account, and the template code is visible and auditable, and will not operate on your data and other environments in the VPC. You can get the resource orchestration template provided by VeloDB through the following link:
https://selectdb-cloud-online.s3.us-west-1.amazonaws.com/public/aws-us-east-1-byoc-cf.yamlWhen you execute the above resource template through AWS CloudFormation, it will automatically create and deploy the Agent. Then the Agent will establish a private connection with VeloDB Cloud and complete the warehouse initialization process.
After the resource orchestration script is executed, you can enter the corresponding warehouse from the VeloDB Cloud platform and start creating a computing cluster for data analysis just like using a normal warehouse.
How to view resource stack information
You can switch to the region through the Amazon Cloud Technology CloudFormation (opens in a new tab) console to view all resource information created by the SelectDB resource stack template, and view specific resources by resource name.
Note All resources created by the resource stack template belong to your cloud account and are only used within your VPC and will not be leaked.
- EC2 *VeloDBAgent: Used to deploy Agent, Prometheus, FluentBit and other programs
- Endpoint
- VeloDBEndpoint: Establish a private network connection with the VeloDB Manage service to pull control instructions and push monitoring and logs in one direction.
- VeloDBEC2MsgVPCEndpoint: Establish a private network connection with the AWS EC2Msg service to use the AWS EC2Message service in a restricted network environment.
- VeloDBEC2VPCEndpoint: Establish a private network connection with the AWS EC2 service to use the AWS EC2 service in a restricted network environment.
- VeloDBSTSVPCEndpoint: Establish a private network connection with the AWS STS service to use the AWS STS service in a restricted network environment.
- VeloDBELBVPCEndpoint: Establish a private network connection with the AWS ELB service to use the AWS ELB service in a restricted network environment.
- S3 Bucket
- VeloDBBucket: Used to store data warehouse
- SecurityGroup
- VeloDBSecurityGroup: Bind to the terminal node and EC2 instance, and limit the traffic of specific ports and specific subnets through security group rules (allow nodes under the same security group and 8666, 8777 ports to enter the network, and allow all ports to leave the network)
- IAM User / IAM Role
- VeloDBUser (sub-user), VeloDBAkSk (sub-user aksk), VeloDBUserPolicy (sub-user permissions), VeloDBRole (role), VeloDBRolePolicy (role permissions)
- The created sub-user has the minimum permissions required by the Agent, and all subsequent business operations will use the identity of the sub-user (All sub-user information will only be used within the user's VPC and will not be leaked)
- Used to bind to the EC2 instance, and used for subsequent intranet calls to AWS STS services to switch to access metadata services to obtain temporary aksk, which is safer than the current method of using permanent aksk
- Lambda Function
- CustomFunction* (Lambda Function logic), SubnetQuery* (Lambda Function execution request), CustomResourceRole (temporary role for executing Lambda Function)
- Lambda function is used to implement some logic that is not available in CF templates but available in Python SDK. For this template, there are mainly the following aspects:
- For the selected VPC, check and automatically enable privateDns related functions to meet the prerequisite that AWS internal services and VeloDB Manage services can be used in a restricted network environment.
- For the created AWS internal service related Endpoint, check and automatically enable the PrivateDnsEnabled option to enable AWS internal services (STS, EC2, EC2 Messages, ELB) and VeloDB Manage services in a restricted network environment.
- Create an S3 endpoint. Because this logic needs to obtain the relevant routetable under the Subnet, this logic cannot be implemented due to the limitation of CF template syntax.
- Get the lowercase S3 bucket name. Because Amazon S3 does not allow uppercase letters to be used to name S3 buckets.
- Get the CidrBlock of the user-selected subnet, which is used to set the source IP range of the security group.
Permissions description of resource stack template dependencies
When executing a resource stack template through the resource orchestration service (CloudFormation) under your cloud account, cloud resources such as EC2, VPC, S3, etc. will be created or related operations will be performed, so a series of IAM permissions are required. Before formal execution, please ensure that the user executing this template has the corresponding permissions, otherwise the template execution may fail.
Note The execution process of the resource stack template is completely carried out under your cloud account, and the created resources also belong to your cloud account. VeloDB will not obtain your cloud account information, nor can it use the corresponding IAM permissions of the account.
The following are the permissions required based on the resources and operations defined in the template:
- Permission summary:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeVolumes",
"ec2:ModifyVolume",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:Delete*",
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Action": [
"sts:GetCallerIdentity",
"sts:AssumeRole",
"iam:GetUser",
"iam:TagUser",
"iam:CreateUser",
"iam:DeleteUser",
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetRole",
"iam:TagRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:DeleteRole",
"iam:CreatePolicy",
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteUserPolicy",
"iam:DeleteRolePolicy",
"iam:GetInstanceProfile",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/velodb-role-*",
"Effect": "Allow"
},
{
"Action": [
"ec2:*VpcEndpoint*",
"elasticloadbalancing:*",
"cloudformation:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:TagResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
},
"Effect": "Allow"
}
]
}-
EC2 and VPC permissions:
- Manage EC2 instances
"ec2:RunInstances", "ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances", "ec2:RebootInstances", "ec2:ModifyInstanceAttribute", "ec2:DescribeVolumes", "ec2:ModifyVolume", "ec2:DescribeTags", "ec2:CreateTags", "ec2:DeleteTags", - Manage VPC
"ec2:DescribeSecurityGroups", "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:DeleteSecurityGroup", "ec2:DescribeSecurityGroupRules", "ec2:DescribeVpcs", "ec2:DescribeSubnets" - Manage EndPoint
ec2:*VpcEndpoint*
- Manage EC2 instances
-
ELB permissions:
- Manage ELB resources
elasticloadbalancing:*
- Manage ELB resources
-
S3 permissions:
- Manage S3 buckets and read and write buckets and their contents (for specific buckets)
"Action": [ "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*", "s3:CreateBucket" ], "Resource": [ "arn:aws:s3:::*" ], "Effect": "Allow" -
IAM & STS permissions:
- IAM
"iam:GetUser", "iam:TagUser", "iam:CreateUser", "iam:DeleteUser", "iam:ListAccessKeys", "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetRole", "iam:TagRole", "iam:ListRoles", "iam:CreateRole", "iam:DeleteRole", "iam:CreatePolicy", "iam:GetUserPolicy", "iam:PutUserPolicy", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteUserPolicy", "iam:DeleteRolePolicy", "iam:GetInstanceProfile", "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile"- STS
"sts:GetCallerIdentity", "sts:AssumeRole",- ELB service-associated role related
"Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" } }, "Effect": "Allow"
Permissions of sub-users created by resource stack templates
After the resource stack template is executed for the first time, a sub-user will be created for subsequent management of data warehouse related components in your VPC. The following is a description of the permissions of the sub-user.
Note The created sub-user belongs to your cloud account and is only used in your VPC and will not be leaked.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeVolumes",
"ec2:ModifyVolume",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:*VpcEndpoint*" ],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:Delete*"
],
"Resource": [
"arn:aws:s3:::velodb-bucket-02da7cf543b88cf90/*",
"arn:aws:s3:::velodb-bucket-02da7cf543b88cf90",
"arn:aws:s3:::selectdb-import-data-us-east-1/*",
"arn:aws:s3:::selectdb-import-data-us-east-1"
],
"Effect": "Allow"
},
{
"Action": [
"sts:GetCallerIdentity",
"sts:AssumeRole",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/velodb-role-*",
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"elasticloadbalancing.amazonaws.com"
]
}
},
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Effect": "Allow"
}
]
}