Create a Managed Access

Last updated 7 months ago

A Managed Access contains the information the service needs to access your AWS account and perform the operations required to deploy the Alluxio cluster. Because all resources are created within the user's AWS account, this sequence of steps must be completed before defining the Alluxio cluster. Learn more about the split plane architecture to understand the purpose of this step.

View the following tutorial video if it's your first time

Click the Managed Access link in the left navigation bar to view the current set of Managed Access entries. Click the Add button to create a new entry.

Step 1: Set AWS account ID

The first piece of information needed is your 12-digit AWS account ID. After logging into the AWS web console, you can find and copy this ID from the dropdown menu at the upper right.

Step 2: Create IAM policy

Next we need to create an IAM policy that grants specific permissions; the policy definition is represented as a JSON document. Follow the instructions to go to the Policies page. Click on Create Policy.

Click on the JSON button to switch the editor to an interactive text editor.

From the RAD UI, click on Copy JSON to copy the policy text to the clipboard. On the AWS console, replace the placeholder text by pasting the clipboard contents. Click Next to continue.

On the final screen, provide a policy name and click Create Policy to complete this step.

Step 3: Create IAM role

Finally we need to create an IAM role with the previously created policy attached. Follow the instructions to go to the Roles page and create a new role.

Click on AWS account as the Trusted entity type. In the section that then appears below, select Another AWS account and paste the account ID 767397899727.

The AWS account ID to set as the "Another AWS account" is our management AWS account, which we use to issue the deployment commands to your AWS account.

Click on the checkbox for Require external ID and copy the external ID from the RAD UI. Click Next to proceed to the next section.

The external ID is a recommended setting when delegating access to another AWS account.

Attach the previously created policy and click Next to proceed.

Provide a role name and click Create Role to complete this step.

Create and validate managed access

On the overview page of the IAM roles, search for and click on the newly created role.

Complete the creation of a Managed Access by providing:

  • The ARN of the newly created IAM role

  • (already set) The external ID set for the IAM role

  • The AWS region to deploy the cluster in (defaults to us-east-1)

  • (For advanced users) Optionally, copy your SSH public key, which is used to grant SSH access to the cluster instances after deployment

After confirming the creation of the Managed Access, it will appear in the table of Managed Access entries.

The managed access creation only succeeds after we are able to validate the IAM role by successfully authenticating to AWS with it.

If the operation fails, double check that the AWS account ID in the role definition is 767397899727 and that the external ID matches the one provided by the RAD UI. This information is found under the Trust relationships tab when viewing the details of the IAM role.

Note that it can also take a few minutes for AWS to recognize the IAM role, especially when updating an existing role as opposed to creating a new one. If the information is correct but validation continues to fail, wait a few minutes before trying again.
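The two values the troubleshooting step above says to double check can be verified directly against the role's trust policy JSON. The following Python is an added example, not part of RAD or the original page; the function names are hypothetical, and the sample policies and the EXAMPLE-EXTERNAL-ID placeholder are constructed for illustration.

```python
import json

RAD_ACCOUNT_ID = "767397899727"  # management account ID given on this page

def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_account(principal):
    """Return the account from a bare ID or an arn:aws:iam::<id>:root ARN."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def check_trust_policy(policy_json, expected_external_id):
    """Return a list of problems; an empty list means the trust policy matches."""
    problems = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    allows = [s for s in statements
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in allows:
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        accounts = {_principal_account(p) for p in _as_list(aws)}
        if accounts != {RAD_ACCOUNT_ID}:  # also catches "*" and extra accounts
            problems.append(f"trusted principal(s) {sorted(accounts)} != {RAD_ACCOUNT_ID}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("Require external ID is not set (no sts:ExternalId condition)")
        elif _as_list(ext) != [expected_external_id]:
            problems.append("sts:ExternalId does not match the value from the RAD UI")
    return problems

def sample_policy(account, external_id=None):
    """Constructed trust policy in the shape the AWS console generates."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":
    ext_id = "EXAMPLE-EXTERNAL-ID"  # placeholder, not a real RAD external ID
    print(check_trust_policy(sample_policy(RAD_ACCOUNT_ID, ext_id), ext_id))
    print(check_trust_policy(sample_policy("111122223333"), ext_id))
```

To check a real role, pass in the JSON shown under the Trust relationships tab, or the output of `aws iam get-role --role-name <your-role> --query Role.AssumeRolePolicyDocument`.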