Imply Cloud - Signup Instructions

Welcome to Imply Cloud! This document will guide you through the steps necessary to prepare your AWS account to be linked to an Imply Cloud account.

1) Select an AWS account

Before proceeding, you should consider which AWS account would be best to link to Imply Cloud, or if it would make sense to create a new AWS account for this purpose. Imply Cloud provisions and manages resources in your AWS account, providing you with full control and ownership of your cloud resources while at the same time allowing you to enjoy Imply's expertise in deploying and managing your clusters.

In order to provide management permissions to Imply, you will be setting up specialized IAM roles configured for cross-account access. These roles will need to have permission to perform operations such as provisioning a new EC2 instance when a cluster is created, as well as terminating that instance when the cluster is stopped or removed.

Because some of these permissions have a necessarily broad scope, some Imply Cloud users prefer to set up a secondary third-party AWS account that is dedicated to resources that will be externally managed. This provides the benefit of resource isolation, while still allowing for specific network routes to be established (through VPC peering) for communication between instances in the different accounts. If you wish to use a separate AWS account for Imply Cloud, please first create or switch to this account before continuing with the instructions in this guide.

2) Select a region

Imply Cloud accounts are created in a specific AWS region, and all cluster resources will be provisioned in the designated region. AWS imposes limitations on connectivity between regions, so generally you should select the region where your other cloud resources are located if applicable. If not applicable or your primary region is not supported, we recommend choosing the region located geographically closest to your location.

The following regions are supported by Imply Cloud:

  • us-east-1 (N. Virginia)
  • us-west-2 (Oregon)
  • eu-central-1 (Frankfurt)
  • eu-west-1 (Ireland)

3) Create a S3 bucket

Imply Cloud uses S3 to store your data. Create or designate an S3 bucket in one of the supported regions and note the bucket name for use in step 4.

4) Create the instance IAM role

Imply Cloud requires two IAM roles to be created. The one described in this step will be used by the EC2 instances to configure and access necessary resources, including the S3 bucket Druid will use for deep storage. The IAM role described in step 5 will be used by the Imply Cloud Manager to create and manage your clusters via cross-account access.

To create the instance IAM role:

  • In the AWS Management Console, go to the IAM module, navigate to Roles, and click Create role.
  • Under 'Select type of trusted entity', select AWS service.
  • Under 'Choose the service that will use this role', select EC2. Click Next: Permissions.
  • Skip the 'Attach permissions policies' step by clicking Next: Review. We will setup an inline policy shortly.
  • Enter a valid role name, for example "imply-cloud-instance". Click on Create role.

To add a policy document:

  • Select the newly created role.
  • Note the 'Role ARN' for the next step. It will be of the form arn:aws:iam::{awsAccountId}:role/{roleName}.
  • On the Permissions tab, click Add inline policy.
  • Select the JSON tab. Add the contents of the following file as the policy document, replacing {BUCKET_NAME} with the bucket created in step 3: [https://s3.amazonaws.com/imply-cloud/public/documents/instance-role-policy.txt].
  • Click Review policy.
  • Enter any name for the policy, and click Create policy.

5) Create the Cloud Manager IAM role

To create the IAM role for the Cloud Manager, you will first need to identify the ARN of the instance IAM role created in step 4. The role ARN will be of the form arn:aws:iam::{awsAccountId}:role/{roleName}. We will need to give the Cloud Manager role permission to pass the instance role to the EC2 instances it creates.

To create the Cloud Manager IAM role:

  • In the AWS Management Console, go to the IAM module, navigate to Roles, and click Create role.
  • Under 'Select type of trusted entity', select Another AWS account.
  • Under 'Specify accounts that can use this role', enter:
    • Account ID: 269875963461
    • Require external ID: yes (checked)
    • External ID: {EXTERNAL_ID}
    • Require MFA: no (unchecked)
  • Click Next: Permissions.
  • Skip the 'Attach permissions policies' step by clicking Next: Review. We will setup an inline policy shortly.
  • Enter a valid role name, for example "imply-cloud-manager". Click on Create role.

To add a policy document:

  • Select the newly created role.
  • Note the 'Role ARN' for the next step. It will be of the form arn:aws:iam::{awsAccountId}:role/{roleName}.
  • On the Permissions tab, click Add inline policy.
  • Select the JSON tab. Add the contents of the following file as the policy document, replacing {INSTANCE_ROLE_ARN} with the ARN of the role created in step 4: [https://s3.amazonaws.com/imply-cloud/public/documents/cloud-manager-role-policy.txt].
  • Click Review policy.
  • Enter any name for the policy, and click Create policy.

We recommend limiting the trust scope of this role from any in the Imply account to a specific user and role designated for Imply Cloud. To make this change:

  • Select the Cloud Manager IAM role.
  • On the Trust relationships tab, click Edit trust relationship.
  • Modify the policy document to change the AWS principal from arn:aws:iam::269875963461:root to the list ["arn:aws:iam::269875963461:user/imply-cloud-creation-agent", "arn:aws:iam::269875963461:role/imply-cloud-creation-agent"]. The document should look similar to the following:
  • {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::269875963461:user/imply-cloud-creation-agent",
              "arn:aws:iam::269875963461:role/imply-cloud-creation-agent"
            ]
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "{EXTERNAL_ID}"
            }
          }
        }
      ]
    }
              
  • Click Update Trust Policy.

6) Add the Cloud Manager IAM role as a trusted entity to instance role

Make note of the ARN of the Cloud Manager IAM role created in step 5. The role ARN will be of the form arn:aws:iam::{awsAccountId}:role/{roleName}. We will need to modify the trust policy of the instance role to allow the role to be assumed by the Cloud Manager IAM role.

To modify the trust relationships of the instance role:

  • In the AWS Management Console, go to the IAM module, navigate to Roles, and click on the instance IAM role created in step 4.
  • On the Trust relationships tab, click Edit trust relationship.
  • Under the ‘Principal’ object, add: "AWS": "arn:aws:iam::{awsAccountId}:role/{cloudManagerRoleName}", filling in {awsAccountId} and {cloudManagerRoleName} appropriately.

For example, if your AWS account ID is 1234-5678-9000 and the Cloud Manager IAM role you created in step 5 was named "imply-cloud-manager", the policy document would look like this:

[Also available at: https://s3.amazonaws.com/imply-cloud/public/documents/instance-role-trust-policy.txt]

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::123456789000:role/imply-cloud-manager"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
      

  • Click on Update Trust Policy to save your changes.

7) Provide configuration information to Imply

Please use the form below to submit the required information in order for your Imply Cloud account to be created:

Initial Admin

Email

AWS Region

S3 Bucket Name

Instance IAM role ARN

Cloud Manager IAM role ARN

After this information is provided, Imply will create your Imply Cloud account which will initiate the setup of a new VPC within your AWS account. By sending us this information, you authorize us to perform these actions in your account.

Once we have verified that your account has been properly configured, we’ll send you your Imply Cloud account details, and you can begin launching clusters!

How can we help?