Preparing your AWS account manually

Please note that manual creation is not recommended as it is error-prone, and should be used only if it is your only option.

a) Create an S3 bucket

Imply Cloud uses S3 to store your data. Create or designate an S3 bucket in one of the supported regions and note the bucket name.

b) Create the instance IAM role

Imply Cloud requires two IAM roles to be created. The one described in this step will be used by the EC2 instances to configure and access necessary resources, including the S3 bucket Imply will use for deep storage. The IAM role described in step c will be assumed by the Imply Cloud Manager, from Imply's AWS account, to create and manage your clusters via cross-account access.

To create the instance IAM role:

  • In the AWS Management Console, go to the IAM module, navigate to Roles, and click Create role.
  • Under ‘Select type of trusted entity’, select AWS service.
  • Under ‘Choose the service that will use this role’, select EC2. Click Next: Permissions.
  • Skip the ‘Attach permissions policies’ step by clicking Next: Review. We will set up an inline policy shortly.
  • Enter a valid role name, for example “imply-cloud-instance”. Click on Create role.

To add a policy document:

  • Select the newly created role.
  • Note the ‘Role ARN’ for the next step. It will be of the form arn:aws:iam::{awsAccountId}:role/{roleName}.
  • On the Permissions tab, click Add inline policy.
  • Select the JSON tab. Add the contents of the following file as the policy document, replacing {BUCKET_NAME} with the bucket created in step a: [https://s3.amazonaws.com/imply-cloud/public/documents/instance-role-policy.txt].
  • Click Review policy.
  • Enter any name for the policy, and click Create policy.

c) Create the Cloud Manager IAM role

To create the IAM role for the Cloud Manager, you will first need to identify the ARN of the instance IAM role created in step b as well as the ARN of the instance profile associated with that role. The role ARN will be of the form arn:aws:iam::{awsAccountId}:role/{roleName}. The profile ARN will be of the form arn:aws:iam::{awsAccountId}:instance-profile/{profileName}. We will need these to allow the Cloud Manager to pass the instance role to the EC2 instances it creates, and to limit the permission scope of the manager: scoping iam:PassRole to that one role ARN means the manager cannot attach any other, possibly more privileged, role in your account to the instances it launches.

For the manager role, we will first create two IAM Policies – one for account creation (networking setup) and a second for cluster management. We will then attach these policies to a new role.

To create the account creation policy:

  • In the AWS Management Console, go to the IAM module, navigate to Policies, and click Create Policy.
  • Select the JSON tab. Add the contents of the following file as the policy document: [https://s3.amazonaws.com/imply-cloud/public/documents/cloud-manager-role-account-policy.txt].
  • Click Next: Tags.
  • Skip the ‘Add tags’ step by clicking Next: Review.
  • Enter a valid policy name, for example “imply-cloud-manager-account-policy”. Click on Create policy.

To create the cluster management policy:

  • In the AWS Management Console, go to the IAM module, navigate to Policies, and click Create Policy.
  • Select the JSON tab. Add the contents of the following file as the policy document: [https://s3.amazonaws.com/imply-cloud/public/documents/cloud-manager-role-cluster-policy.txt].
  • Replace {INSTANCE_PROFILE_ARN} in the ‘InstanceProfileConditionable’ statement with the instance profile ARN from step b.
  • Replace {INSTANCE_ROLE_ARN} in the iam:PassRole statement with the instance role ARN from step b.
  • Click Next: Tags.
  • Skip the ‘Add tags’ step by clicking Next: Review.
  • Enter a valid policy name, for example “imply-cloud-manager-cluster-policy”. Click on Create policy.

To create the Cloud Manager IAM role:

  • In the AWS Management Console, go to the IAM module, navigate to Roles, and click Create role.
  • Under ‘Select type of trusted entity’, select Another AWS account.
  • Under ‘Specify accounts that can use this role’, enter:
    • Account ID: 269875963461
    • Require external ID: yes (checked)
    • External ID: {EXTERNAL_ID}
    • Require MFA: no (unchecked)
  • Click Next: Permissions.
  • Select the account creation and cluster management policies created in the previous step. Click Next: Tags.
  • Skip the ‘Add tags’ step by clicking Next: Review.
  • Enter a valid role name, for example “imply-cloud-manager”. Click on Create role.

We recommend limiting the trust scope of this role from any principal in the Imply account (the :root principal the wizard writes) to the specific user and role designated for Imply Cloud. Keep the sts:ExternalId condition in place when you edit the document: it is what prevents a third party who learns your role ARN from having Imply assume the role on their behalf (the confused-deputy problem). To make this change:

  • Select the Cloud Manager IAM role.
  • On the Trust relationships tab, click Edit trust relationship.
  • Modify the policy document to change the AWS principal from arn:aws:iam::269875963461:root to the list [“arn:aws:iam::269875963461:user/imply-cloud-creation-agent”, “arn:aws:iam::269875963461:role/imply-cloud-creation-agent”]. The document should look similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::269875963461:user/imply-cloud-creation-agent",
          "arn:aws:iam::269875963461:role/imply-cloud-creation-agent"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{EXTERNAL_ID}"
        }
      }
    }
  ]
}
          
  • Click Update Trust Policy.

d) Add the Cloud Manager IAM role as a trusted entity to instance role

Make note of the ARN of the Cloud Manager IAM role created in step c. The role ARN will be of the form arn:aws:iam::{awsAccountId}:role/{roleName}. We will need to modify the trust policy of the instance role so that it can be assumed by the Cloud Manager IAM role as well as by EC2.

To modify the trust relationships of the instance role:

  • In the AWS Management Console, go to the IAM module, navigate to Roles, and click on the instance IAM role created in step b.
  • On the Trust relationships tab, click Edit trust relationship.
  • Under the ‘Principal’ object, add “AWS”: “arn:aws:iam::{awsAccountId}:role/{cloudManagerRoleName}”, filling in {awsAccountId} (your own account ID, not Imply's) and {cloudManagerRoleName} appropriately. Keep the existing “Service”: “ec2.amazonaws.com” entry; without it the instances can no longer obtain credentials for the role through their instance profile.

For example, if your AWS account ID is 1234-5678-9000 (ARNs use the twelve digits without dashes) and the Cloud Manager IAM role you created in step c was named “imply-cloud-manager”, the policy document would look like this:

[Also available at: https://s3.amazonaws.com/imply-cloud/public/documents/instance-role-trust-policy.txt]

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::123456789000:role/imply-cloud-manager"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
      
  • Click on Update Trust Policy to save your changes.
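The two trust policies above (step c for the Cloud Manager role, step d for the instance role) are easy to get subtly wrong by hand: leaving the :root principal in place, forgetting the external ID, dropping the ec2.amazonaws.com service principal, or leaving the {INSTANCE_ROLE_ARN} placeholder in the iam:PassRole statement. The following script, added here as an example and not part of Imply's documentation or tooling, builds both documents from your inputs and lints them (and a PassRole statement) for exactly those mistakes before you paste them into the console. The Imply account ID and the imply-cloud-creation-agent principals come from this page; the customer account ID, role names, external ID and the sample PassRole statement are constructed placeholders.

```python
"""Build and check the IAM trust policies from steps c and d.

Added example for this page, not Imply's own tooling. The Imply account ID
and the imply-cloud-creation-agent principals are taken from the page; the
customer account ID, role names, external ID and the sample PassRole
statement are constructed placeholders.
"""
import json

IMPLY_ACCOUNT_ID = "269875963461"  # Imply's account, as given on the page
IMPLY_AGENT_PRINCIPALS = [
    f"arn:aws:iam::{IMPLY_ACCOUNT_ID}:user/imply-cloud-creation-agent",
    f"arn:aws:iam::{IMPLY_ACCOUNT_ID}:role/imply-cloud-creation-agent",
]


def manager_trust_policy(external_id, scoped=True):
    """Cloud Manager role trust policy (step c). scoped=False reproduces what
    the console wizard writes (the :root principal, i.e. any identity in the
    Imply account); scoped=True is the narrowed form the page recommends."""
    principal = (IMPLY_AGENT_PRINCIPALS if scoped
                 else f"arn:aws:iam::{IMPLY_ACCOUNT_ID}:root")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def instance_trust_policy(account_id, manager_role_name):
    """Instance role trust policy (step d): keep ec2.amazonaws.com and add the
    Cloud Manager role from your own account."""
    account_id = account_id.replace("-", "")  # console shows 1234-5678-9000; ARNs use bare digits
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com",
                "AWS": f"arn:aws:iam::{account_id}:role/{manager_role_name}",
            },
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_manager_trust(policy):
    """Findings for the cross-account trust policy: broad principals,
    principals outside Imply's account, and a missing or placeholder external ID."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in _as_list(aws):
            if p == "*" or p.endswith(":root"):
                findings.append(f"principal {p} trusts every identity in the account")
            elif not p.startswith(f"arn:aws:iam::{IMPLY_ACCOUNT_ID}:"):
                findings.append(f"principal {p} is outside account {IMPLY_ACCOUNT_ID}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext or ext.startswith("{"):
            findings.append("sts:ExternalId condition missing or still a placeholder")
    return findings


def lint_pass_role(policy, instance_role_arn):
    """Findings for iam:PassRole in the cluster management policy: the resource
    must be exactly the instance role, so the manager cannot hand a more
    privileged role to the instances it launches."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res != instance_role_arn:
                findings.append(f"iam:PassRole resource {res} is not {instance_role_arn}")
    return findings


if __name__ == "__main__":
    account, ext_id = "1234-5678-9000", "a1b2c3d4-example"  # constructed placeholders
    print(json.dumps(manager_trust_policy(ext_id), indent=2))
    print(json.dumps(instance_trust_policy(account, "imply-cloud-manager"), indent=2))
    # Constructed stand-in for the cluster policy's iam:PassRole statement with
    # the {INSTANCE_ROLE_ARN} placeholder left unfilled, plus an unscoped trust.
    unfilled = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "{INSTANCE_ROLE_ARN}"}]}
    print(lint_manager_trust(manager_trust_policy("{EXTERNAL_ID}", scoped=False)))
    print(lint_pass_role(unfilled, "arn:aws:iam::123456789000:role/imply-cloud-instance"))
```

Run it once with your real account ID, role names and the external ID Imply gave you, paste the printed JSON into the respective Edit trust relationship screens, and run the two lint functions over the documents you actually saved (copied back out of the console) so that the check covers what IAM stored rather than what you intended to type.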