From 3c0d946825d3e74fffea4c49cea2c46e5f257a6b Mon Sep 17 00:00:00 2001
From: Silas Marvin <19626586+SilasMarvin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 14:52:48 -0700
Subject: [PATCH 1/3] Updated VPC Page
---
pgml-cms/docs/cloud/enterprise/vpc.md | 79 +++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
diff --git a/pgml-cms/docs/cloud/enterprise/vpc.md b/pgml-cms/docs/cloud/enterprise/vpc.md
index 1400a1dfd..821fa6c13 100644
--- a/pgml-cms/docs/cloud/enterprise/vpc.md
+++ b/pgml-cms/docs/cloud/enterprise/vpc.md
@@ -7,3 +7,82 @@ PostgresML can be launched in your Virtual Private Cloud (VPC) account on AWS, A
The PostgresML control plane provides a complete management solution to control the resources in your cloud account:
- Responsible for PostgresML instance launches, backups, monitoring and failover operations. This requires permission to create and destroy AWS EC2, EBS and AMI resources inside the designated VPC.
- Does not read/write any data inside PostgresML databases other than status metadata inside system tables or the pgml schema necessary to perform the previously mentioned operations.
+
+## Creating an AWS role for VPC
+
+To launch a VPC in AWS you must have a user with the correct permissions.
+
+1. Sign in to the AWS Management Console and open the IAM console.
+2. In the navigation pane, choose "Roles" and then "Create role".
+3. Select "AWS account" as the trusted entity type, and choose "This account".
+4. Click "Next" to proceed to permissions.
+5. Click "Create policy" and switch to the JSON tab.
+6. Paste the following policy document:
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:RunInstances",
+ "ec2:TerminateInstances",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:DescribeSecurityGroups",
+ "ec2:CreateSecurityGroup",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:DescribeInstances",
+ "ec2:DescribeVolumes",
+ "ec2:CreateTags",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets",
+ "ec2:CreateVolume",
+ "ec2:DeleteVolume",
+ "ec2:AttachVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyVolume",
+ "imagebuilder:CreateImage",
+ "imagebuilder:CreateImagePipeline",
+ "iam:SimulatePrincipalPolicy",
+ "iam:PassRole",
+ "iam:GetRole",
+ "iam:ListRoles",
+ "iam:CreateRole",
+ "iam:CreateInstanceProfile",
+ "iam:AddRoleToInstanceProfile",
+ "s3:CreateBucket",
+ "s3:DeleteBucket",
+ "s3:PutBucketPolicy",
+ "s3:ListBucket",
+ "s3:GetBucketPolicy",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload",
+ "s3:GetBucketLocation",
+ "s3:GetBucketTagging",
+ "s3:PutBucketTagging",
+ "kms:DescribeKey",
+ "kms:CreateGrant",
+ "kms:Decrypt",
+ "kms:ReEncryptFrom",
+ "kms:ReEncryptTo",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyPair",
+ "kms:GenerateDataKeyPairWithoutPlaintext",
+ "kms:GenerateDataKeyWithoutPlaintext"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+ ```
+7. Review and create the policy, giving it a descriptive name like "VPCSetupPolicy".
+8. Back in the role creation process, attach this newly created policy to the role.
+9. Name the role (e.g., "VPCSetupRole") and create it.
+10. Go to the IAM Users section, select your user, and attach the created role.
+11. Generate new access keys for this user if you haven't already.
+
From c889c7a1c6cbb12ca22b33af45f4a7414889ea0e Mon Sep 17 00:00:00 2001
From: Silas Marvin <19626586+SilasMarvin@users.noreply.github.com>
Date: Wed, 16 Oct 2024 15:08:00 -0700
Subject: [PATCH 2/3] Wording
---
pgml-cms/docs/cloud/enterprise/vpc.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pgml-cms/docs/cloud/enterprise/vpc.md b/pgml-cms/docs/cloud/enterprise/vpc.md
index 821fa6c13..f75d778b1 100644
--- a/pgml-cms/docs/cloud/enterprise/vpc.md
+++ b/pgml-cms/docs/cloud/enterprise/vpc.md
@@ -80,9 +80,9 @@ To launch a VPC in AWS you must have a user with the correct permissions.
]
}
```
-7. Review and create the policy, giving it a descriptive name like "VPCSetupPolicy".
+7. Review and create the policy, giving it a descriptive name like "PGMLVPCSetupPolicy".
8. Back in the role creation process, attach this newly created policy to the role.
-9. Name the role (e.g., "VPCSetupRole") and create it.
+9. Name the role (e.g., "PGMLVPCSetupRole") and create it.
10. Go to the IAM Users section, select your user, and attach the created role.
11. Generate new access keys for this user if you haven't already.
From 4c7ed78933a3c69f328a9e5dec2cf9b20d4fd07a Mon Sep 17 00:00:00 2001
From: Silas Marvin <19626586+SilasMarvin@users.noreply.github.com>
Date: Thu, 17 Oct 2024 15:53:25 -0700
Subject: [PATCH 3/3] Update required permissions
---
pgml-cms/docs/cloud/enterprise/vpc.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/pgml-cms/docs/cloud/enterprise/vpc.md b/pgml-cms/docs/cloud/enterprise/vpc.md
index f75d778b1..2a5b01184 100644
--- a/pgml-cms/docs/cloud/enterprise/vpc.md
+++ b/pgml-cms/docs/cloud/enterprise/vpc.md
@@ -27,6 +27,9 @@ To launch a VPC in AWS you must have a user with the correct permissions.
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
+ "ec2:StopInstances",
+ "ec2:StartInstances",
+ "ec2:RebootInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
@@ -35,6 +38,9 @@ To launch a VPC in AWS you must have a user with the correct permissions.
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:CreateTags",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeRegions",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:CreateVolume",
@@ -50,6 +56,10 @@ To launch a VPC in AWS you must have a user with the correct permissions.
"iam:ListRoles",
"iam:CreateRole",
"iam:CreateInstanceProfile",
+ "iam:CreatePolicy",
+ "iam:GetInstanceProfile",
+ "iam:ListAttachedRolePolicies",
+ "iam:AttachRolePolicy",
"iam:AddRoleToInstanceProfile",
"s3:CreateBucket",
"s3:DeleteBucket",
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy