Create Policies and Roles for Varada

The first step in Deploying Varada Using the Varada Control Center is to create the required policies and roles. You need one policy and role to install the Varada Control Center, and a second policy and role to spin up the Varada cluster. You can do this automatically, as described in Create Policies and Roles with AWS CloudFormation, or manually, as described in Create Policies and Roles Manually.

Create Policies and Roles with AWS CloudFormation

You can use a template file with AWS CloudFormation to create the required policies and roles.

  1. Copy the following code, and save it as a YAML file. This is the template file required by AWS CloudFormation.

AWSTemplateFormatVersion: 2010-09-09
Description: varada control center roles setup
Resources:
  VaradaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: varada-instance-role
      Path: "/"
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - 
            Effect: "Allow"
            Principal: 
              Service: 
                - "ec2.amazonaws.com"
            Action: 
              - "sts:AssumeRole"
  VaradaPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: varada-instance-policy
      Roles:
        - !Ref VaradaRole
      PolicyDocument:
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "GluePermissions",
                    "Effect": "Allow",
                    "Action": [
                        "glue:GetDatabases",
                        "glue:GetDatabase",
                        "glue:GetTables",
                        "glue:GetTable",
                        "glue:GetPartition",
                        "glue:GetTableVersion",
                        "glue:CreateTable",
                        "glue:GetPartitions",
                        "glue:DeleteTable",
                        "glue:UpdateTable",
                        "glue:BatchGetPartition",
                        "glue:UpdatePartition",
                        "glue:CreateDatabase",
                        "glue:BatchCreatePartition"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "S3Permissions",
                    "Effect": "Allow",
                    "Action": [
                        "s3:DeleteObjectVersion",
                        "s3:ListBucket",
                        "s3:PutObject",
                        "s3:GetObject",
                        "s3:DeleteObject"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "ECRPermissions",
                    "Effect": "Allow",
                    "Action": [
                        "ecr:DescribeImages",
                        "ecr:GetAuthorizationToken",
                        "ecr:BatchGetImage",
                        "ecr:GetDownloadUrlForLayer"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "OtherPermissions",
                    "Effect": "Allow",
                    "Action": [
                        "autoscaling:DescribeAutoScalingGroups",
                        "autoscaling:DescribeScalingActivities"
                    ],
                    "Resource": "*"
                }
            ]
        }
  VaradaInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      InstanceProfileName: varada-instance-role
      Roles:
        - !Ref VaradaRole
  VaradaControlCenterRole:
    Type: AWS::IAM::Role
    Properties:
      Path: "/"
      RoleName: vcc-instance-role
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - 
            Effect: "Allow"
            Principal: 
              Service: 
                - "ec2.amazonaws.com"
            Action: 
              - "sts:AssumeRole"
  VaradaControlCenterPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: vcc-instance-policy
      Roles:
        - !Ref VaradaControlCenterRole
      PolicyDocument:
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "GluePermissions",
                    "Effect": "Allow",
                    "Action": [
                        "glue:GetDatabases",
                        "glue:GetDatabase",
                        "glue:GetTables",
                        "glue:GetTable",
                        "glue:GetPartition",
                        "glue:GetTableVersion",
                        "glue:CreateTable",
                        "glue:GetPartitions",
                        "glue:DeleteTable",
                        "glue:UpdateTable",
                        "glue:BatchGetPartition",
                        "glue:CreateDatabase",
                        "glue:BatchCreatePartition",
                        "glue:DeletePartition",
                        "glue:UpdatePartition"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "S3Permissions",
                    "Effect": "Allow",
                    "Action": [
                        "s3:DeleteObjectVersion",
                        "s3:ListBucket",
                        "s3:PutObject",
                        "s3:GetObject",
                        "s3:DeleteObject",
                        "s3:GetObjectTagging",
                        "s3:GetBucketLocation"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "ECRPermissions",
                    "Effect": "Allow",
                    "Action": [
                        "ecr:DescribeImages",
                        "ecr:GetAuthorizationToken",
                        "ecr:BatchGetImage",
                        "ecr:GetDownloadUrlForLayer"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "EC2Permissions",
                    "Effect": "Allow",
                    "Action": [
                        "ec2:DescribeSecurityGroups",
                        "ec2:DescribeKeyPairs",
                        "ec2:DescribeSubnets",
                        "ec2:RequestSpotInstances",
                        "ec2:DeletePlacementGroup",
                        "ec2:CreatePlacementGroup",
                        "ec2:CreateLaunchTemplateVersion",
                        "ec2:TerminateInstances",
                        "ec2:RunInstances",
                        "ec2:SearchTransitGatewayRoutes",
                        "ec2:CreateLaunchTemplate",
                        "ec2:DeleteLaunchTemplate",
                        "ec2:DescribePlacementGroups",
                        "ec2:DescribeLaunchTemplates",
                        "ec2:DescribeLaunchTemplateVersions",
                        "ec2:DescribeInstances"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "AutoscalingPermissions",
                    "Effect": "Allow",
                    "Action": [
                        "autoscaling:AttachLoadBalancers",
                        "autoscaling:DetachLoadBalancers",
                        "autoscaling:CreateAutoScalingGroup",
                        "autoscaling:CreateOrUpdateTags",
                        "autoscaling:DeleteAutoScalingGroup",
                        "autoscaling:TerminateInstanceInAutoScalingGroup",
                        "autoscaling:PutLifecycleHook",
                        "autoscaling:UpdateAutoScalingGroup",
                        "autoscaling:DeleteLifecycleHook",
                        "autoscaling:DescribeAutoScalingGroups",
                        "autoscaling:DescribeScalingActivities"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "ElasticLoadBalancingPermissions",
                    "Effect": "Allow",
                    "Action": [
                        "elasticloadbalancing:AddTags",
                        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                        "elasticloadbalancing:AttachLoadBalancerToSubnets",
                        "elasticloadbalancing:ConfigureHealthCheck",
                        "elasticloadbalancing:CreateLoadBalancer",
                        "elasticloadbalancing:CreateLoadBalancerListeners",
                        "elasticloadbalancing:DeleteLoadBalancer",
                        "elasticloadbalancing:DeleteLoadBalancerListeners",
                        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
                        "elasticloadbalancing:ModifyLoadBalancerAttributes",
                        "elasticloadbalancing:RemoveTags",
                        "elasticloadbalancing:DescribeLoadBalancers",
                        "elasticloadbalancing:DescribeLoadBalancerAttributes",
                        "elasticloadbalancing:DescribeTags"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "OtherPermissions",
                    "Effect": "Allow",
                    "Action": [
                        "iam:PassRole"
                    ],
                    "Resource": "*"
                }
            ]
        }
  VaradaControlCenterInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      InstanceProfileName: vcc-instance-role
      Roles:
        - !Ref VaradaControlCenterRole

  2. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  3. Do one of the following:

  • If you have a currently running stack, click Create Stack > With new resources (standard).
  • If you have no running stacks, go to the Stacks page and click Create Stack > With new resources (standard).
    The Create stack wizard opens.

  4. Select Upload a template file, then browse to and select the YAML file you created in step 1.

  5. Click Next.
    The Specify stack details page appears.

  6. In the Stack name field, type a name for the stack, then click Next.
    The Configure stack options page appears.

  7. Click Next.
    The Review page appears.

  8. Select the checkbox to accept that AWS CloudFormation may create IAM resources with custom names, then click Create stack.
    CloudFormation displays the Events pane of the Stack details page for your new stack.

  9. Refresh the page and confirm that the policies and roles are created.

  10. Continue with Install the Varada Control Center.

Create Policies and Roles Manually

You first need to create policies for installing the Varada Control Center and spinning up the Varada cluster, and then create roles to be associated with the policies.

Create Policies for Varada

  1. Log in to the AWS Console and select IAM.

  2. Choose Policies, then click Create policy.

  3. Create a policy for installing the Varada Control Center as follows:

    a. Go to the JSON tab and copy and paste the snippet below. This snippet sets permissions for Glue, S3, ECR, EC2, Auto Scaling, Elastic Load Balancing, and iam:PassRole.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GluePermissions",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabases",
                "glue:GetDatabase",
                "glue:GetTables",
                "glue:GetTable",
                "glue:GetPartition",
                "glue:GetTableVersion",
                "glue:CreateTable",
                "glue:GetPartitions",
                "glue:DeleteTable",
                "glue:UpdateTable",
                "glue:BatchGetPartition",
                "glue:CreateDatabase",
                "glue:BatchCreatePartition",
                "glue:DeletePartition",
                "glue:UpdatePartition"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetObjectTagging",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ECRPermissions",
            "Effect": "Allow",
            "Action": [
                "ecr:DescribeImages",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EC2Permissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSubnets",
                "ec2:RequestSpotInstances",
                "ec2:DeletePlacementGroup",
                "ec2:CreatePlacementGroup",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:TerminateInstances",
                "ec2:RunInstances",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AutoscalingPermissions",
            "Effect": "Allow",
            "Action": [
                "autoscaling:AttachLoadBalancers",
                "autoscaling:DetachLoadBalancers",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:PutLifecycleHook",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ElasticLoadBalancingPermissions",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                "elasticloadbalancing:AttachLoadBalancerToSubnets",
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:RemoveTags",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OtherPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*"
        }
    ]
}

    b. Select Review Policy.

    c. Give the policy a meaningful name, such as vcc-instance-policy.

  4. Now create a second policy for spinning up the Varada cluster.

    a. Click Create policy again.

    b. Go to the JSON tab and copy and paste the snippet below. This snippet sets permissions for Glue, S3, ECR, and the Autoscaling Service.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GluePermissions",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabases",
                "glue:GetDatabase",
                "glue:GetTables",
                "glue:GetTable",
                "glue:GetPartition",
                "glue:GetTableVersion",
                "glue:CreateTable",
                "glue:GetPartitions",
                "glue:DeleteTable",
                "glue:UpdateTable",
                "glue:BatchGetPartition",
                "glue:UpdatePartition",
                "glue:CreateDatabase",
                "glue:BatchCreatePartition"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ECRPermissions",
            "Effect": "Allow",
            "Action": [
                "ecr:DescribeImages",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OtherPermissions",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*"
        }
    ]
}

    c. Select Review Policy.

    d. Give the policy a meaningful name, such as varada-instance-policy.
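Both policy documents on this page (the two PolicyDocument blocks in the CloudFormation template and the two JSON snippets above) grant every action on Resource "*". The following added check, which is example code and not part of Varada's documentation or tooling, parses a policy in that same shape and reports duplicated actions, Allow statements that grant mutating actions on every resource, and an unscoped iam:PassRole, so the document can be reviewed before it is pasted into the console or the template. The embedded policy is a constructed, cut-down copy of the vcc-instance-policy, and the list of read-only verb prefixes is an assumption of the script.

```python
import json
from collections import Counter

# Constructed input: a cut-down copy of the vcc-instance-policy shape used on this
# page, with one action duplicated on purpose so the duplicate check has something to find.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "S3Permissions", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "*"},
    {"Sid": "EC2Permissions", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplates"],
     "Resource": "*"},
    {"Sid": "OtherPermissions", "Effect": "Allow",
     "Action": ["iam:PassRole"], "Resource": "*"}
  ]
}
""")

# Assumed set of action verbs that only read state; everything else is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "BatchGet", "Search")

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """True for 'ec2:DescribeInstances', False for 'ec2:RunInstances'."""
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)

def lint_policy(policy):
    """Return the findings a reviewer would want before the policy is attached."""
    findings = {"duplicates": [], "wildcard_mutating": [],
                "passrole_wildcard": False, "services": set()}
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        findings["services"].update(a.split(":", 1)[0] for a in actions)
        # IAM accepts repeated actions, but they usually signal a copy-paste slip.
        findings["duplicates"] += [(sid, a) for a, n in Counter(actions).items() if n > 1]
        if stmt["Effect"] != "Allow" or "*" not in resources:
            continue
        # Mutating actions on Resource "*" reach every resource in the account;
        # scope them to the buckets, launch templates and roles Varada actually uses.
        if any(not is_read_only(a) for a in actions):
            findings["wildcard_mutating"].append(sid)
        # iam:PassRole on "*" lets the instance hand any role in the account to EC2;
        # restrict it to the ARN of the role the cluster instances should run as.
        if "iam:PassRole" in actions:
            findings["passrole_wildcard"] = True
    return findings
```

Run lint_policy on the full JSON of either policy from this page to get the same report for the real document; a PassRole statement scoped to a role ARN produces no findings.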

Create Roles for Varada

  1. Create a role for installing the Varada Control Center that will be attached to an EC2 instance.

  2. Associate the policy you created for installing the Varada Control Center with the role.

  3. Provide a meaningful name, such as vcc-instance-role, and create the role.

  4. Create a role for spinning up the Varada cluster that will be attached to an EC2 instance.

  5. Associate the policy you created for spinning up the Varada cluster with the role.

  6. Provide a meaningful name, such as varada-instance-role, and create the role.

  7. Continue with Install the Varada Control Center.