You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: pgml-cms/docs/cloud/enterprise/vpc.md
+89Lines changed: 89 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -7,3 +7,92 @@ PostgresML can be launched in your Virtual Private Cloud (VPC) account on AWS, A
7
7
The PostgresML control plane provides a complete management solution to control the resources in your cloud account:
8
8
- Responsible for PostgresML instance launches, backups, monitoring and failover operations. This requires permission to create and destroy AWS EC2, EBS and AMI resources inside the designated VPC.
9
9
- Does not read/write any data inside PostgresML databases other than status metadata inside system tables or the pgml schema necessary to perform the previously mentioned operations.
10
+
11
+
## Creating an AWS role for VPC
12
+
13
+
To launch a VPC in AWS you must have a user with the correct permissions.
14
+
15
+
1. Sign in to the AWS Management Console and open the IAM console.
16
+
2. In the navigation pane, choose "Roles" and then "Create role".
17
+
3. Select "AWS account" as the trusted entity type, and choose "This account".
18
+
4. Click "Next" to proceed to permissions.
19
+
5. Click "Create policy" and switch to the JSON tab.
20
+
6. Paste the following policy document:
21
+
```json
22
+
{
23
+
"Version": "2012-10-17",
24
+
"Statement": [
25
+
{
26
+
"Effect": "Allow",
27
+
"Action": [
28
+
"ec2:RunInstances",
29
+
"ec2:TerminateInstances",
30
+
"ec2:StopInstances",
31
+
"ec2:StartInstances",
32
+
"ec2:RebootInstances",
33
+
"ec2:ModifyInstanceAttribute",
34
+
"ec2:DescribeSecurityGroups",
35
+
"ec2:CreateSecurityGroup",
36
+
"ec2:AuthorizeSecurityGroupIngress",
37
+
"ec2:AuthorizeSecurityGroupEgress",
38
+
"ec2:DescribeInstances",
39
+
"ec2:DescribeVolumes",
40
+
"ec2:CreateTags",
41
+
"ec2:DescribeKeyPairs",
42
+
"ec2:DescribeRouteTables",
43
+
"ec2:DescribeRegions",
44
+
"ec2:DescribeVpcs",
45
+
"ec2:DescribeSubnets",
46
+
"ec2:CreateVolume",
47
+
"ec2:DeleteVolume",
48
+
"ec2:AttachVolume",
49
+
"ec2:DetachVolume",
50
+
"ec2:ModifyVolume",
51
+
"imagebuilder:CreateImage",
52
+
"imagebuilder:CreateImagePipeline",
53
+
"iam:SimulatePrincipalPolicy",
54
+
"iam:PassRole",
55
+
"iam:GetRole",
56
+
"iam:ListRoles",
57
+
"iam:CreateRole",
58
+
"iam:CreateInstanceProfile",
59
+
"iam:CreatePolicy",
60
+
"iam:GetInstanceProfile",
61
+
"iam:ListAttachedRolePolicies",
62
+
"iam:AttachRolePolicy",
63
+
"iam:AddRoleToInstanceProfile",
64
+
"s3:CreateBucket",
65
+
"s3:DeleteBucket",
66
+
"s3:PutBucketPolicy",
67
+
"s3:ListBucket",
68
+
"s3:GetBucketPolicy",
69
+
"s3:GetObject",
70
+
"s3:PutObject",
71
+
"s3:DeleteObject",
72
+
"s3:ListBucketMultipartUploads",
73
+
"s3:ListMultipartUploadParts",
74
+
"s3:AbortMultipartUpload",
75
+
"s3:GetBucketLocation",
76
+
"s3:GetBucketTagging",
77
+
"s3:PutBucketTagging",
78
+
"kms:DescribeKey",
79
+
"kms:CreateGrant",
80
+
"kms:Decrypt",
81
+
"kms:ReEncryptFrom",
82
+
"kms:ReEncryptTo",
83
+
"kms:GenerateDataKey",
84
+
"kms:GenerateDataKeyPair",
85
+
"kms:GenerateDataKeyPairWithoutPlaintext",
86
+
"kms:GenerateDataKeyWithoutPlaintext"
87
+
],
88
+
"Resource": "*"
89
+
}
90
+
]
91
+
}
92
+
```
93
+
7. Review and create the policy, giving it a descriptive name like "PGMLVPCSetupPolicy".
94
+
8. Back in the role creation process, attach this newly created policy to the role.
95
+
9. Name the role (e.g., "PGMLVPCSetupRole") and create it.
96
+
10. Go to the IAM Users section, select your user, and attach the created role.
97
+
11. Generate new access keys for this user if you haven't already.
0 commit comments