This module automates the manual Creating IAM Entities for AWS Cloud Accounts process by using the following CloudFormation stack template instead:
All you need to do to use this is click the above link and CloudFormation will do the rest. Or, if you prefer, use the AWS CLI command below, substituting in your profile name:

```
aws cloudformation create-stack --stack-name RedisCloud --template-url \
https://s3.amazonaws.com/cloudformation-templates.redislabs.com/RedisCloud.yaml \
--capabilities CAPABILITY_AUTO_EXPAND CAPABILITY_NAMED_IAM CAPABILITY_IAM \
--profile YOUR_PROFILE_HERE
```

Once the resources are created, you can use the Outputs section of CloudFormation to get the values you'll need to complete the rest of the overall RedisLabs Cloud Account creation process.
Creating IAM Entities for AWS Cloud Accounts describes a manual process for creating the necessary IAM resources so that you can subsequently configure an AWS Cloud Account into your Redis Cloud Account, allowing your Redis Cloud Account to create Subscription and Database resources in your AWS Cloud Account.
This repo contains a template (`RedisCloud.yaml`) to construct the necessary IAM resources.
If you configure an AWS Cloud Account 'By Hand' you'll be following these instructions.
If you configure an AWS Cloud Account using the Cloud API you'll use this specific call.
The template will construct the necessary IAM resources required for both approaches. It will show them in the 'output' section of the stack, except for the secrets (`accessSecretKey` and `consolePassword`), which are stored as secrets in AWS Secrets Manager. For these secrets the URL is output, from which one can find the actual secret, assuming one has sufficient permissions.
The mapping between the stack outputs and the names used in the two different configuration methods is shown below:
Output | By Hand | By API |
---|---|---|
IAMRoleName | IAM Role Name | - |
accessKeyId | AWS_ACCESS_KEY_ID | accessKeyId |
accessSecretKey | AWS_SECRET_ACCESS_KEY | accessSecretKey |
consolePassword | - | consolePassword |
consoleUsername | - | consoleUsername |
signInLoginUrl | - | signInLoginUrl |
From time to time new policy files are produced. Simply running an update on the stack will pick up these new files and the stack will be updated accordingly.
Expected resources:
- AWS CLI
- Git
- JQ
We expect you to have an AWS profile for the Redislabs AWS account # (we use the name 'redislabs' for that profile in the following instructions; amend as necessary for your naming convention).
The CloudFormation template is stored in the publicly accessible Redislabs owned bucket `cloudformation-templates.redislabs.com`.
The template object itself has the key `/RedisCloud.yaml`. It references two snippets, one for each of two policies. These snippets are: `/RedisLabsInstanceRolePolicySnippet.json` and `/RedislabsIAMUserRestrictedPolicySnippet.json`.
These snippets are constructed from the policies (available in raw source form on the Creating IAM Entities for AWS Cloud Accounts page).
To update the policies use the following procedure:
- Copy/paste the two files locally into the relevant JSON files `RedisLabsInstanceRolePolicy.json` and `RedislabsIAMUserRestrictedPolicy.json`
- Create the snippets using this shell script:

```
# Wrap each policy in a PolicyDocument object and upload the resulting snippet.
for file in RedisLabsInstanceRolePolicy.json RedislabsIAMUserRestrictedPolicy.json
do
    snippet="$(basename "$file" .json)Snippet.json"
    # Upload only if jq parsed the policy and wrote the snippet successfully.
    jq '{ PolicyDocument: . }' "$file" >"$snippet" &&
        aws s3 --profile redislabs cp "$snippet" s3://cloudformation-templates.redislabs.com
done
```
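
A review step that could run before the upload in the procedure above, shown as an added example (not part of this repository): it applies the same `{ PolicyDocument: . }` wrapping as the jq command and lists Allow statements that grant a full or service-wide wildcard action on `Resource: "*"` without a Condition. The function names and the sample policy are constructed for illustration.

```python
import json

# Constructed sample policy for illustration; not one of the Redis policy files.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeOnly", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["iam:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return findings a reviewer should look at before the snippet is uploaded."""
    if not isinstance(policy, dict) or "Statement" not in policy:
        raise ValueError("not an IAM policy document: no Statement element")
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement {index}")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{label}: Allow with NotAction/NotResource")
        wild = [a for a in _as_list(stmt.get("Action", []))
                if a == "*" or a.endswith(":*")]
        if (wild and "*" in _as_list(stmt.get("Resource", []))
                and "Condition" not in stmt):
            findings.append(f"{label}: {', '.join(wild)} on Resource * without Condition")
    return findings


def build_snippet(policy):
    """Same wrapping as jq '{ PolicyDocument: . }'; rejects malformed input."""
    review_policy(policy)  # raises ValueError if this is not a policy document
    return json.dumps({"PolicyDocument": policy}, indent=2)


if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print("REVIEW:", finding)
    print(build_snippet(SAMPLE_POLICY))
```

Because a stack update picks up whatever snippets are in the bucket, running a check like this on each new policy file shows a reviewer any broadened permission before it reaches existing stacks.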
If you need to update the template then copy it to S3 thus:

```
aws s3 --profile redislabs cp RedisCloud.yaml s3://cloudformation-templates.redislabs.com
```