Role-based Configuration
Overview
Roles are assumed by users in order to perform tasks. Roles do not have standard long-term credentials such as a password or access keys associated with them. Instead, when you assume a role, it provides you with temporary security credentials for your role session. Follow these steps to create an AWS instance profile with a restricted IAM role that allows the platform's Amazon Elastic Compute Cloud (EC2) instances to call the AWS API.
Step 1: Create an EC2
Create an EC2 instance with Docker running on it.
Step 2: Check the Hop Count Limit
- Make sure the EC2 instance's metadata response hop limit (HttpPutResponseHopLimit) is 2. Containers on Docker's bridge network sit one network hop beyond the instance itself, so a limit of 1 would keep IMDSv2 responses from reaching them. Check the current value by running:
aws ec2 describe-instances --instance-ids <instance ID> --query "Reservations[*].Instances[*].MetadataOptions.HttpPutResponseHopLimit" --output text
- If required, change it by running:
aws ec2 modify-instance-metadata-options --instance-id <instance ID> --http-put-response-hop-limit 2
Step 3: Create a Role
Create a role named IguazioDataScienceNode, with EC2 as the trusted entity so that the instance profile created in the following steps can assume it.
Step 4: Create and Attach the First Policy
- Create and attach this policy (call it ManageIguazioSystems) to the role created in step 3.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "eks:*",
      "Resource": "*"
    },
    {
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": [
        "arn:aws:ssm:*:$AWS_ACCOUNT_ID:parameter/aws/*",
        "arn:aws:ssm:*::parameter/aws/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:GetRole",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:ListInstanceProfiles",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRolePolicy",
        "iam:GetOpenIDConnectProvider",
        "iam:CreateOpenIDConnectProvider",
        "iam:DeleteOpenIDConnectProvider",
        "iam:ListAttachedRolePolicies",
        "iam:TagRole"
      ],
      "Resource": [
        "arn:aws:iam::$AWS_ACCOUNT_ID:instance-profile/eksctl-*",
        "arn:aws:iam::$AWS_ACCOUNT_ID:role/eksctl-*",
        "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/*",
        "arn:aws:iam::$AWS_ACCOUNT_ID:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
        "arn:aws:iam::$AWS_ACCOUNT_ID:role/eksctl-managed-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": [
        "arn:aws:iam::$AWS_ACCOUNT_ID:role/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "eks.amazonaws.com",
            "eks-nodegroup.amazonaws.com",
            "eks-fargate.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/*",
        "arn:aws:iam::*:role/IguazioDataScienceNode"
      ]
    }
  ]
}
- Before saving, edit the policy and replace every occurrence of $AWS_ACCOUNT_ID with your 12-digit AWS account ID.
Step 5: Create and Attach the Second Policy
Create and attach this policy (call it AssignPrivateIPAddresses) to the role created in step 3.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssignPrivateIPAddress",
      "Effect": "Allow",
      "Action": [
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
Step 6: Attach the Role to the EC2
Attach the role created in step 3 (as its instance profile) to the EC2 instance created in step 1.
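The checks behind steps 2 and 4, as an added example that is not part of the Iguazio documentation: it parses the describe-instances hop-limit output, fills in $AWS_ACCOUNT_ID, and lists the statements that grant a service-wide action on every resource so they can be reviewed before the policy is attached. The embedded policy is a constructed excerpt of the ManageIguazioSystems policy above; the account ID used in testing is made up.

```python
import json

# Constructed excerpt of the ManageIguazioSystems policy from step 4.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
    {"Action": ["ssm:GetParameter", "ssm:GetParameters"],
     "Resource": ["arn:aws:ssm:*:$AWS_ACCOUNT_ID:parameter/aws/*",
                  "arn:aws:ssm:*::parameter/aws/*"],
     "Effect": "Allow"},
    {"Effect": "Allow", "Action": ["iam:GetRole"],
     "Resource": ["arn:aws:iam::$AWS_ACCOUNT_ID:role/*"]}
  ]
}"""


def fill_account_id(policy_text, account_id):
    """Step 4: replace every $AWS_ACCOUNT_ID placeholder and parse the JSON.
    Only a 12-digit account ID is accepted, so a typo cannot produce ARNs
    that silently match nothing (or another account's resources)."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return json.loads(policy_text.replace("$AWS_ACCOUNT_ID", account_id))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy):
    """Return (index, actions) for Allow statements that pair a service-wide
    action such as "ec2:*" with Resource "*". These are the grants worth
    a second look before the policy is attached to the instance role."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (stmt.get("Effect") == "Allow" and "*" in resources
                and any(a.endswith(":*") for a in actions)):
            flagged.append((i, actions))
    return flagged


def hop_limit_ok(describe_output, required=2):
    """Step 2: parse the `--output text` of the describe-instances command
    (one HttpPutResponseHopLimit per instance) and require every value to be
    at least `required`, so containers one hop away can still reach IMDSv2."""
    values = [int(v) for v in describe_output.split()]
    return bool(values) and all(v >= required for v in values)
```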