diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md index 6b96040df8..e12fce278a 100644 --- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md @@ -18,117 +18,117 @@ You **must not** change the configurations of provisioned resources or stop or t ## Step 1: Create the IAM instance policy -First, create a policy to use for the new instance role: +The IAM instance policy controls the permissions for the instances that Redis Cloud creates in your AWS account. - +Follow the steps to [create an IAM policy using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) with the following settings: -1. In the AWS IAM console, go to **Policies** > **Create policy**. -1. In the **JSON** tab, paste the contents of the RedisLabsInstanceRolePolicy.json policy file, shown here: +- In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsInstanceRolePolicy.json policy file: {{< expand "View RedisLabsInstanceRolePolicy.json" >}} ```js - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "DescribeReadOnlyEc2Resources", - "Effect": "Allow", - "Action": [ - "ec2:DescribeAvailabilityZones", - "ec2:DescribeRegions", - "ec2:DescribeSecurityGroups", - "ec2:DescribeTags", - "ec2:DescribeVolumes" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "EC2EBSActions", - "Effect": "Allow", - "Action": [ - "ec2:AttachVolume", - "ec2:CreateVolume" - ], - "Resource": [ - "*" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } - } - }, - { - "Sid": "SecurityGroupAccessActions", - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } - } - }, - { - "Sid": "TagResourcesCreation", - "Effect": "Allow", - "Action": [ - "ec2:CreateTags" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "TagResourcesDelete", - "Effect": "Allow", - "Action": [ - "ec2:DeleteTags" - ], - "Resource": [ - "*" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } - } +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DescribeReadOnlyEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:DescribeAvailabilityZones", + "ec2:DescribeRegions", + "ec2:DescribeSecurityGroups", + "ec2:DescribeTags", + "ec2:DescribeVolumes" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "EC2EBSActions", + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:CreateVolume" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": "SecurityGroupAccessActions", + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteSecurityGroup" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" } + } + }, + { + "Sid": "TagResourcesCreation", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "*" ] + }, + { + "Sid": "TagResourcesDelete", + "Effect": "Allow", + "Action": [ + "ec2:DeleteTags" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } } + ] +} ``` {{< /expand >}} +- In **Review and Create**, enter `RedisLabsInstanceRolePolicy` in the **Policy name** field. -1. Validate it and then select **Review Policy**. -1. Enter **RedisLabsInstanceRolePolicy** as the policy name and then select **Create Policy**. +Select **Create policy** to finish policy creation. ## Step 2: Create the service role -To create the role that uses the policy: +After creating the instance role policy, you must create a role to assign the policy. + +Follow the steps to [create a role for an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) with the following settings: - +- In **Select trusted entity**: + - **Trusted entity**: Select **AWS service**. + - **Service or use case**: Select **EC2**. + - **Use case**: Select **EC2**. +- In **Add permissions**, select the **RedisLabsInstanceRolePolicy** you created. +- In **Name, review, and create**, enter `redislabs-cluster-node-role` in the **Role name** field. -1. In the AWS IAM console, go to **Roles** and click **Create Role**. -1. Select **AWS Service** as the trusted entity, **EC2** as the service - and use case, and click **Next: Permissions**. -1. Enter `RedisLabsInstanceRolePolicy` in the search box to look up the policy we just created. - Select it, and click **Next: Review**. -1. Name the role `redislabs-cluster-node-role` and click **Create Role**. +Select **Create role** to finish role creation. ## Step 3: Create the user policy -Now create a policy to assign to the user: +The user policy controls the permissions for the user that Redis Cloud uses to manage your AWS account. - +Follow the steps to [create an IAM policy using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) with the following settings: -1. In the AWS IAM console, go to **Policies** > **Create policy**. -1. In the **JSON** tab, paste the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file. +- In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file: {{< expand "View RedislabsIAMUserRestrictedPolicy.json" >}} ```json @@ -360,35 +360,50 @@ Now create a policy to assign to the user: ``` {{< /expand >}} -1. Validate the policy and click **Review Policy**. -1. Enter `RedislabsIAMUserRestrictedPolicy` as the policy name and click **Create Policy**. +- In **Review and Create**, enter `RedislabsIAMUserRestrictedPolicy` in the **Policy name** field. + +Select **Create policy** to finish policy creation. ## Step 4: Create the programmatic access user -Create a user and attach the policy you created: +After you create the user policy, you must create a programmatic access user and attach the policy to it. + +Follow the steps to [create a user on the AWS console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html), with the following settings: + +- In **Specify user details**, For **User name**, enter `redislabs-user`. +- In **Set permissions**: + - **Permissions options**: Select **Attach existing policies directly**. + - **Permissions policies**: Select the **RedislabsIAMUserRestrictedPolicy** you created from the list. + +Select **Create user** to create the user. - +After you create the user, you need to add an access key for the user. -1. In the AWS IAM console, go to **Users** > select **Add user**. -1. Name it `redislabs-user` and check only the **Programmatic access** checkbox. -1. Click **Next: Permissions**. -1. Select **Attach existing policies directly** and select - **RedislabsIAMUserRestrictedPolicy** from the list. -1. Click **Next: Review**. -1. Click **Create user**. -1. Download the user credentials and store them in a secure location. +Follow the steps to [create an access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-keys-admin-managed.html#admin-create-access-key) for the user you just created. Save the access key ID and secret access key in a secure location. ## Step 5: Create the console access role -Last, create a role and attach the policy you created: +The console access role controls the permissions for the user that Redis Cloud uses to access the AWS console. + +Follow the steps to [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) with the following settings: + +- In **Select trusted entity**: + - **Trusted entity**: Select **AWS account**. + - **An AWS account**: Select **Another AWS account**. + - **Account ID**: Enter account number `168085023892` (Redis Cloud's AWS account). + - **Options**: Select **Require MFA**. + {{< warning >}} + Do not check the **Require external ID** checkbox. + {{< /warning >}} +- In **Add permissions**, select the **RedisLabsInstanceRolePolicy** you created. +- In **Name, review, and create**, enter `redislabs-role` in the **Role name** field. + +Select **Create role** to finish role creation. Save the Role name for later. + +## Next steps - +When you've finished creating all of the resources, you can [create a Cloud Account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) in the Redis Cloud console. To do this, you'll need the following information: -1. In the AWS IAM console, go to **Roles** > select **Create role**. -1. Select **Another AWS account**. -1. Under **Account ID**, enter account number `168085023892` (Redis Cloud's AWS account). -1. Under Options, check the **Require MFA** checkbox only. *Do not check Require external ID*. -1. Click **Next: Permissions**. -1. Attach the policy **RedisLabsIAMUserRestrictedPolicy** to the role. -1. Click **Next: Review**. -1. Name the role `redislabs-role` and then click **Create role**. +- **Access Key ID**: The Access Key ID for the [programmatic user you created](#step-4-create-the-programmatic-access-user). +- **Secret Access Key**: The Secret Access Key for the [programmatic user you created](#step-4-create-the-programmatic-access-user). +- **IAM Role Name**: The name of the [console access role you created](#step-5-create-the-console-access-role). diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md index dc2505f55d..6017d137da 100644 --- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/cloudformation.md @@ -8,67 +8,57 @@ categories: - rc linkTitle: CloudFormation --- -The following link uses [AWS CloudFormation](https://aws.amazon.com/cloudformation/) to create a stack using the AWS console: +You can use [AWS CloudFormation](https://aws.amazon.com/cloudformation/) to create the IAM resources for Redis Cloud Bring your Own Cloud (BYOC). + +{{< warning >}} +We use the provided credentials to configure your AWS environment and provision required resources. + +You **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details. +{{< /warning >}} + +## Create resources using CloudFormation on the AWS Console + +The following link uses CloudFormation to create a stack using the AWS console: Launch RedisCloud template -You can then use the `Outputs` tab to find the data needed to complete the creation of a Cloud Account. For the `accessSecretKey` (i.e. user's access key) and `consolePassword` (user's console password) you'll have to follow the links to the AWS Secrets Manager service, and use that to find the secret values. These values, being secrets, aren't displayed directly by CloudFormation. +When the stack finishes, select the stack and then the **Outputs** tab. You need the following information to [create a Cloud Account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) in the Redis Cloud console: + +- **Access Key ID**: The `accessKeyId` output. +- **Secret Access Key**: Follow the link to AWS Secrets Manager in the `accessSecretKey` output and select **Retrieve secret value**. +- **IAM Role Name**: The `IAMRoleName` output. -You can use the AWS command-line interface (CLI) if you prefer: +## Create resources using CloudFormation through AWS CLI + +You can also use the AWS command-line interface (CLI) to create the stack: ``` shell -export AWS_PROFILE=YOUR_PROFILE_HERE aws cloudformation create-stack --stack-name RedisCloud --template-url \ https://s3.amazonaws.com/iam-resource-automation-do-not-delete/RedisCloud.yaml \ --capabilities CAPABILITY_AUTO_EXPAND CAPABILITY_NAMED_IAM CAPABILITY_IAM ``` -Update the values of `AWS_PROFILE` with your profile credentials. - -Additional options are described in the [AWS CLI docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html). - You can track the status of the cloud formation with the following command: -``` console +```shell aws cloudformation describe-stacks --stack-name RedisCloud ``` -The data needed to complete the creation of a Cloud Account is shown as `Output Key` and `Output Value` pairs. -For the two secrets (`accessSecretKey` and `consolePassword`) you'll need to use the AWS secretmanager CLI - the value you'll need has a key of `SecretString`: +After the stack finishes, you can retrieve the outputs from the `Outputs` section of the response. -``` console -aws secretsmanager get-secret-value --secret-id=/redislabsuser/secret_access_key -``` - -We recommend using yaml output for the `consolePassword`, as it makes decoding the required value easier. - -``` console -aws secretsmanager get-secret-value --secret-id=/redislabsuser/password --output yaml -``` - -The `consolePassword` is a JSON object containing a single member whose key is `password` and whose value is the password. This can be a bit complex to parse out. Here's an example output: - -``` -user@example-computer ~ % aws secretsmanager get-secret-value - --secret-id=/redislabsuser/password - --output yaml -ARN: arn:aws:secretsmanager:middle-earth-1:913769183952:secret:/redislabsuser/password-qaEMYs -CreatedDate: '2021-06-16T06:27:53.402000-06:00' -Name: /redislabsuser/password -SecretString: '{"password":"S3cr3tP@$$w0rd"}' -VersionId: 00000000-0000-0000-0000-000000000000 -VersionStages: -- AWSCURRENT -``` +You need the following information to [create a Cloud Account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) in the Redis Cloud console: -The JSON object is the value (less the single quotes) of the `SecretString` key. i.e. it is `{"password":"S3cr3tP@$$w0rd"}`. +- **Access Key ID**: The `accessKeyId` output. +- **Secret Access Key**: Extract the secret ID from the `accessSecretKey` output. The secret ID is the `name` query parameter in the `accessSecretKey` output. -The password is the value associated with that key (less the double quotes): `S3cr3tP@$$w0rd`. + For example, if the `accessSecretKey` output is `https://console.aws.amazon.com/secretsmanager/home?region=/secret?name=/redislabsuser/secret_access_key`, then the secret ID is `/redislabsuser/secret_access_key`. -{{< warning >}} -We use the provided credentials to configure your AWS environment and provision required resources. + Use the secret ID to retrieve the secret value using the AWS secretsmanager CLI: -You **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details. -{{< /warning >}} + ``` shell + aws secretsmanager get-secret-value --secret-id= + ``` + Replace `` with the secret ID you extracted from the `accessSecretKey` output. +- **IAM Role Name**: The `IAMRoleName` output. diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md index da58019870..e0e8a70893 100644 --- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md @@ -19,31 +19,40 @@ You **must not** change the configurations of provisioned resources or stop or t The following example uses the `terraform-aws-Redislabs-Cloud-Account-IAM-Resources` module, located in Amazon S3: -1. Create a `main.tf` as shown below (update the `profile`, `region`, and `pgp_key` values as appropriate). +1. Copy the following code into a file called `main.tf`. - Note that a `pgp_key` is required. For details, see the [Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile#pgp_key). - - {{< expand "View terraformIAMTemplate.json" >}} + {{< expand "View main.tf" >}} {{% code-include file="rv/terraformIAMTemplate.json" language="js" %}} {{< /expand >}} + Replace the following values in the `main.tf` file: + + - ``: The AWS CLI profile to use. + - ``: The AWS region to use. + - ``: The PGP key to use. For details, see the [Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile#pgp_key). + 2. Initialize Terraform with the module: - Note: Terraform requires [AWS credentials be supplied](https://www.terraform.io/docs/language/modules/sources.html#s3-bucket), but the source of the module is a public S3 bucket, so any valid credentials should work. Replace the `XXXX` fields below with your relevant values + Note: Terraform requires [AWS credentials be supplied](https://www.terraform.io/docs/language/modules/sources.html#s3-bucket), but the source of the module is a public S3 bucket, so any valid credentials should work. ``` - AWS_ACCESS_KEY_ID=XXXX AWS_SECRET_KEY=XXXX terraform init + AWS_ACCESS_KEY_ID= AWS_SECRET_KEY= terraform init ``` -3. Build the resources: + Replace `` and `` with valid AWS keys. + +3. Build the resources and display the outputs: ``` terraform apply ``` - This displays the required values. To access the sensitive data: + You need the following information to [create a Cloud Account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) in the Redis Cloud console: - * accessSecretKey: `echo $(terraform output -raw accessSecretKey)` - * consolePassword: + - **Access Key ID**: The `accessKeyId` output. + - **Secret Access Key**: Run the following command to extract the secret key from the `accessSecretKey` output: + ``` shell + echo $(terraform output -raw accessSecretKey) + ``` + - **IAM Role Name**: The `IAMRoleName` output. - `echo $(terraform output -raw consolePassword | base64 --decode | keybase pgp decrypt)` diff --git a/content/operate/rc/subscriptions/view-pro-subscription.md b/content/operate/rc/subscriptions/view-pro-subscription.md index d84e41635c..d7e5a690e2 100644 --- a/content/operate/rc/subscriptions/view-pro-subscription.md +++ b/content/operate/rc/subscriptions/view-pro-subscription.md @@ -119,7 +119,7 @@ Here, you can: - Set up a [VPC peering]({{< relref "/operate/rc/security/vpc-peering.md" >}}) relationship between the virtual PC (VPC) hosting your subscription and another virtual PC. -- Set up a [CIDR allow list]({{< relref "/operate/rc/cloud-integrations/aws-cloud-accounts/subscription-whitelist.md" >}}) containing IP addresses or security groups permitted to access your subscription (_AWS Cloud accounts only_). +- Set up a [CIDR allow list]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/subscription-whitelist" >}}) containing IP addresses or security groups permitted to access your subscription (_AWS Cloud accounts only_). - Set up [Private Service Connect]({{< relref "/operate/rc/security/private-service-connect" >}}) (*Google Cloud only*) or [Transit Gateway]({{< relref "/operate/rc/security/aws-transit-gateway" >}}) (*AWS only*). diff --git a/static/code/rv/terraformIAMTemplate.json b/static/code/rv/terraformIAMTemplate.json index f20333205c..81f41608a1 100644 --- a/static/code/rv/terraformIAMTemplate.json +++ b/static/code/rv/terraformIAMTemplate.json @@ -1,11 +1,11 @@ provider "aws" { - profile = "tobyhf-admin" - region = "us-east-1" + profile = "" + region = "" } module "Redislabs-Cloud-Account-Resources" { source = "https://iam-resource-automation-do-not-delete.s3.amazonaws.com/terraform-aws-Redislabs-Cloud-Account-IAM-Resources.zip" - pgp_key = "keybase:toby_h_ferguson" + pgp_key = "" } output "accessKeyId" {