Creating an IAM Policy
In AWS, an IAM policy defines the permissions of the user accounts associated with this policy.
The Automated Cloud Mode (AWS) of Solution Manager uses the AWS API to perform actions in your AWS account on your behalf, so you do not have to do them. For example, create EC2 instances that will run the Denodo components, create the necessary load balancers, etc.
To do this, before using the Automated Cloud Mode, you have to define an IAM policy that allows the service account associated with the Solution Manager to invoke all the necessary operations of the AWS API. We provide the policy file and you only have to define it in your AWS account.
Follow these steps to create this IAM policy:

1. Log in to the AWS Management Console.
2. Go to IAM.
3. In the left panel, expand Access management and click on Policies.
4. Click on Create policy.
5. Download this file to your computer: Denodo_Solution_Manager_9_IAM_PolicyPermissions.json
   This JSON file defines the privileges of the new IAM policy. The Solution Manager requires all these privileges to be able to perform all the actions that users can do using the Solution Manager.
   For evaluations and simple deployments, we recommend using this file. If you want to restrict the actions the Solution Manager can do in AWS on your behalf, read the sections that follow this procedure. They list each privilege of this policy file and the feature of the Solution Manager it affects.
6. Click the tab JSON, clear the content of the text box and paste the content of the file you just downloaded. Then, click on Review policy. If the AWS console shows any warning message regarding the JSON, ignore it and continue with the policy creation.
7. Enter the name denodo_90_solution_manager (you can use another name if you prefer) and a description of the new policy. Then, click on Create policy.
Main Features
For evaluations and simple deployments, we recommend creating the IAM policy using the policy file we provide. If you want to restrict the actions the Solution Manager can do on your AWS account, take the following into consideration:
You cannot remove from the policy the permissions that are marked with Required = Yes in the table below. If you remove any of them, you will not be able to use the Automated Cloud Mode of the Solution Manager because all the operations will fail.
You can remove the permissions with Required = No, but take into account that the feature associated with that permission will no longer work. If you try to perform that action, you will get an error.
Service | Access level | Action | Required | Usage
---|---|---|---|---
EC2 | Tagging | CreateTags | Yes | Required to name the resources created automatically
EC2 | Tagging | DeleteTags | No | Required to delete the named resources created automatically
EC2 | Write | AttachInternetGateway | No | Required when using public ELBs
EC2 | Write | DeregisterImage | Yes | Required to automate the installation of updates, cloud deployments, recreate instances and automate the TLS configuration
EC2 | Write | CreateRoute | No | Required when using public ELBs or VPCs managed by the Solution Manager
EC2 | Write | CreateInternetGateway | No | Required when using public ELBs
EC2 | Write | DeleteRoute | No | Required to automate the management of public ELBs and/or VPCs
EC2 | Write | DeleteSnapshot | Yes | Required to automate the installation of updates, cloud deployments, recreate instances and automate the TLS configuration
EC2 | Write | ModifyInstanceAttribute | Yes | Required to set the instance user data
EC2 | Write | RebootInstances | Yes | Required to launch the instances
EC2 | Write | RunInstances | Yes | Required to launch the instances
EC2 | Write | StartInstances | Yes | Required to launch the instances
EC2 | Write | StopInstances | Yes | Required to launch the instances
EC2 | Write | TerminateInstances | Yes | Required to launch the instances
EC2 | List | DescribeImages | Yes | Required to launch the instances
EC2 | List | DescribeInstances | Yes | Required to launch the instances
EC2 | List | DescribeInternetGateways | No | Required when using public ELBs
EC2 | List | DescribeKeyPairs | Yes | Required to list the available Key Pairs
EC2 | List | DescribeRegions | Yes | Required to list the available Regions
EC2 | List | DescribeRouteTables | No | Required when using public ELBs or VPCs managed by the Solution Manager
EC2 | List | DescribeSecurityGroups | Yes | Required to list the available Security Groups
EC2 | List | DescribeSubnets | Yes | Required to list the available subnets
EC2 | List | DescribeVpcs | Yes | Required to list the available VPCs
EC2 | Read | DescribeTags | No | Required to name the resources created automatically
ELB v2 | Write | CreateListener | Yes | Required to create the ELBs
ELB v2 | Write | CreateLoadBalancer | Yes | Required to create the ELBs
ELB v2 | Write | CreateTargetGroup | Yes | Required to create the ELBs
ELB v2 | Write | DeleteListener | Yes | Required to create the ELBs
ELB v2 | Write | DeleteLoadBalancer | Yes | Required to create the ELBs
ELB v2 | Write | DeleteTargetGroup | Yes | Required to create the ELBs
ELB v2 | Write | DeregisterTargets | No | Required to use the "minimizing downtime" option
ELB v2 | Write | ModifyListener | Yes | Required to create the ELBs
ELB v2 | Write | ModifyTargetGroupAttributes | Yes | Required to create the ELBs
ELB v2 | Write | RegisterTargets | Yes | Required to create the ELBs
ELB v2 | Read | DescribeListeners | Yes | Required to create the ELBs
ELB v2 | Read | DescribeLoadBalancers | Yes | Required to create the ELBs
ELB v2 | Read | DescribeTargetGroups | Yes | Required to create the ELBs
ELB v2 | Read | DescribeTargetHealth | No | Required to use the "minimizing downtime" option
IAM | Write | PassRole | No | Required to store the logs in S3 and automate the installation of updates
IAM | Read | GetUser | Yes | Required to obtain the account information
IAM | List | ListInstanceProfiles | No | Required to store the logs in S3 and automate the installation of updates
S3 | Write | DeleteObject | No | Required to store the logs in S3 and automate the installation of updates
S3 | Write | PutObject | No | Required to store the logs in S3 and automate the installation of updates
S3 | Read | GetBucketLocation | No | Required to store the logs in S3 and automate the installation of updates
sts | Write | DecodeAuthorizationMessage | Yes | Required to obtain the actual authorization error from AWS
Automated VPC Management
When you create an environment using the Automated Mode, you can choose if you want the Solution Manager to create a Virtual Private Cloud (VPC) for the new EC2 instances or use an existing VPC.
If you do not want to allow the Solution Manager to create and manage the VPCs, you can remove the following permissions from the policy.
Service | Access level | Action
---|---|---
EC2 | Write | AcceptVpcPeeringConnection
EC2 | Write | CreateVpcPeeringConnection
EC2 | Write | DeleteVpcPeeringConnection
EC2 | Write | ModifyVpcAttribute
EC2 | Write | ModifyVpcPeeringConnectionOptions
EC2 | Write | CreateRoute
EC2 | Write | DeleteRoute
EC2 | Write | ReplaceRoute
EC2 | List | DescribeVpcAttribute
EC2 | List | DescribeVpcPeeringConnections
EC2 | List | DescribeRouteTables
Automated Subnet Management
When you create a cluster using the Automated Mode, you can choose if you want the Solution Manager to create a subnet for the new components or use an existing subnet.
If you do not want to allow the Solution Manager to create and manage the subnets, you can remove the following permissions from the policy.
Service | Access level | Action
---|---|---
EC2 | Write | CreateSubnet
EC2 | Write | ModifySubnetAttribute
Automated Auto Scaling Group Management
When you create a cluster using the Automated Mode, you can choose if you want the Solution Manager to launch the EC2 instances in an auto scaling group.
If you do not want to allow the Solution Manager to create and manage the auto scaling groups, you can remove the following permissions from the policy.
Service | Access level | Action
---|---|---
EC2 | Write | CreateLaunchTemplate
EC2 | Write | CreateLaunchTemplateVersion
EC2 | Write | DeleteLaunchTemplate
EC2 | Write | DeleteLaunchTemplateVersions
EC2 | Write | ModifyLaunchTemplate
EC2 | List | DescribeLaunchTemplateVersions
EC2 Auto Scaling | Write | AttachInstances
EC2 Auto Scaling | Write | AttachLoadBalancerTargetGroups
EC2 Auto Scaling | Write | CreateAutoScalingGroup
EC2 Auto Scaling | Write | DeleteAutoScalingGroup
EC2 Auto Scaling | Write | DetachInstances
EC2 Auto Scaling | Write | DetachLoadBalancerTargetGroups
EC2 Auto Scaling | Write | UpdateAutoScalingGroup
EC2 Auto Scaling | List | DescribeAutoScalingGroups
EC2 Auto Scaling | List | DescribeScalingActivities
Automated Security Group Management
When you create a cluster using the Automated Mode, you can choose if you want the Solution Manager to create a security group with the required configuration or choose an existing security group.
If you do not want to allow the Solution Manager to create and manage the security groups, you can remove the following permissions from the policy.
Service | Access level | Action
---|---|---
EC2 | Write | AuthorizeSecurityGroupIngress
EC2 | Write | CreateSecurityGroup
EC2 | Write | DeleteSecurityGroup
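One way to carry out the trimming described in the Main Features section and in the feature sections above, as an added example that is not part of the Denodo documentation or tooling: the script removes a chosen set of actions from an IAM policy document and then verifies that none of the Required = Yes actions were lost. The policy document is a constructed stand-in for the downloaded JSON file, and the REQUIRED and VPC_MANAGEMENT sets are taken from the tables on this page (only a sample of the required actions is included).

```python
import copy
# Constructed sample policy (not the Denodo file): a few of the actions listed
# on this page, in standard IAM policy-document form.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:RunInstances", "ec2:DescribeVpcs", "ec2:CreateTags",
        "ec2:CreateVpcPeeringConnection", "ec2:CreateRoute", "ec2:DescribeRouteTables"]},
    {"Effect": "Allow", "Resource": "*", "Action": "sts:DecodeAuthorizationMessage"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:DescribeTargetHealth"]},
]}
# Some of the actions the main table marks Required = Yes.
REQUIRED = {"ec2:RunInstances", "ec2:DescribeVpcs", "ec2:CreateTags",
            "sts:DecodeAuthorizationMessage", "elasticloadbalancing:CreateLoadBalancer"}
# The removable Automated VPC Management permissions, as listed in that section.
VPC_MANAGEMENT = {"ec2:" + a for a in (
    "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection", "DeleteVpcPeeringConnection",
    "ModifyVpcAttribute", "ModifyVpcPeeringConnectionOptions", "CreateRoute", "DeleteRoute",
    "ReplaceRoute", "DescribeVpcAttribute", "DescribeVpcPeeringConnections", "DescribeRouteTables")}


def _as_list(action):
    # IAM lets "Action" be a single string or a list; normalise to a list.
    return [action] if isinstance(action, str) else list(action)


def allowed_actions(policy):
    """Exact action names the policy allows (wildcards such as ec2:Describe* are not expanded)."""
    out = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            out.update(_as_list(stmt["Action"]))
    return out


def remove_actions(policy, to_remove):
    """Deep copy of the policy without the given actions; statements left empty are dropped."""
    trimmed = copy.deepcopy(policy)
    kept = []
    for stmt in trimmed["Statement"]:
        if "Action" in stmt:
            stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a not in to_remove]
            if not stmt["Action"]:
                continue  # a statement with no actions is not valid, so drop it
        kept.append(stmt)
    trimmed["Statement"] = kept
    return trimmed


def missing_required(policy, required=REQUIRED):
    """Required actions the policy no longer allows; an empty list means the trim is safe."""
    return sorted(required - allowed_actions(policy))
```

Run `missing_required(remove_actions(policy, VPC_MANAGEMENT))` on the real downloaded document (loaded with `json.load`) and paste the result into the console only if the list is empty; actions written with wildcards would need to be expanded first, which this check does not do.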