Skip to content

RC BYOC: Fix IAM credential steps and relref #1519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 8, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -18,117 +18,117 @@ You **must not** change the configurations of provisioned resources or stop or t

## Step 1: Create the IAM instance policy

First, create a policy to use for the new instance role:
The IAM instance policy controls the permissions for the instances that Redis Cloud creates in your AWS account.

<!-- {{< video "/images/rc/create-instance-role-policy.mp4" "Create an instance role policy" >}} -->
Follow the steps to [create an IAM policy using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) with the following settings:

1. In the AWS IAM console, go to **Policies** > **Create policy**.
1. In the **JSON** tab, paste the contents of the RedisLabsInstanceRolePolicy.json policy file, shown here:
- In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsInstanceRolePolicy.json policy file:

{{< expand "View RedisLabsInstanceRolePolicy.json" >}}
```js
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeReadOnlyEc2Resources",
"Effect": "Allow",
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeRegions",
"ec2:DescribeSecurityGroups",
"ec2:DescribeTags",
"ec2:DescribeVolumes"
],
"Resource": [
"*"
]
},
{
"Sid": "EC2EBSActions",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:CreateVolume"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
}
}
},
{
"Sid": "SecurityGroupAccessActions",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
}
}
},
{
"Sid": "TagResourcesCreation",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"*"
]
},
{
"Sid": "TagResourcesDelete",
"Effect": "Allow",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
}
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeReadOnlyEc2Resources",
"Effect": "Allow",
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeRegions",
"ec2:DescribeSecurityGroups",
"ec2:DescribeTags",
"ec2:DescribeVolumes"
],
"Resource": [
"*"
]
},
{
"Sid": "EC2EBSActions",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:CreateVolume"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
}
}
},
{
"Sid": "SecurityGroupAccessActions",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
}
}
},
{
"Sid": "TagResourcesCreation",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"*"
]
},
{
"Sid": "TagResourcesDelete",
"Effect": "Allow",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
}
}
}
]
}
```
{{< /expand >}}

- In **Review and Create**, enter `RedisLabsInstanceRolePolicy` in the **Policy name** field.

1. Validate it and then select **Review Policy**.
1. Enter **RedisLabsInstanceRolePolicy** as the policy name and then select **Create Policy**.
Select **Create policy** to finish policy creation.

## Step 2: Create the service role

To create the role that uses the policy:
After creating the instance role policy, you must create a role to assign the policy.

Follow the steps to [create a role for an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) with the following settings:

<!-- {{< video "/images/rc/create-cluster-node-role.mp4" "Create a cluster node role" >}} -->
- In **Select trusted entity**:
- **Trusted entity**: Select **AWS service**.
- **Service or use case**: Select **EC2**.
- **Use case**: Select **EC2**.
- In **Add permissions**, select the **RedisLabsInstanceRolePolicy** you created.
- In **Name, review, and create**, enter `redislabs-cluster-node-role` in the **Role name** field.

1. In the AWS IAM console, go to **Roles** and click **Create Role**.
1. Select **AWS Service** as the trusted entity, **EC2** as the service
and use case, and click **Next: Permissions**.
1. Enter `RedisLabsInstanceRolePolicy` in the search box to look up the policy we just created.
Select it, and click **Next: Review**.
1. Name the role `redislabs-cluster-node-role` and click **Create Role**.
Select **Create role** to finish role creation.

## Step 3: Create the user policy

Now create a policy to assign to the user:
The user policy controls the permissions for the user that Redis Cloud uses to manage your AWS account.

<!-- {{< video "/images/rc/create-instance-user-policy.mp4" "Create an instance user policy" >}} -->
Follow the steps to [create an IAM policy using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) with the following settings:

1. In the AWS IAM console, go to **Policies** > **Create policy**.
1. In the **JSON** tab, paste the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file.
- In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file:

{{< expand "View RedislabsIAMUserRestrictedPolicy.json" >}}
```json
Expand Down Expand Up @@ -360,35 +360,50 @@ Now create a policy to assign to the user:
```
{{< /expand >}}

1. Validate the policy and click **Review Policy**.
1. Enter `RedislabsIAMUserRestrictedPolicy` as the policy name and click **Create Policy**.
- In **Review and Create**, enter `RedislabsIAMUserRestrictedPolicy` in the **Policy name** field.

Select **Create policy** to finish policy creation.

## Step 4: Create the programmatic access user

Create a user and attach the policy you created:
After you create the user policy, you must create a programmatic access user and attach the policy to it.

Follow the steps to [create a user on the AWS console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html), with the following settings:

- In **Specify user details**, For **User name**, enter `redislabs-user`.
- In **Set permissions**:
- **Permissions options**: Select **Attach existing policies directly**.
- **Permissions policies**: Select the **RedislabsIAMUserRestrictedPolicy** you created from the list.

Select **Create user** to create the user.

<!-- {{< video "/images/rc/create-programmatic-user.mp4" "Create programmatic user" >}} -->
After you create the user, you need to add an access key for the user.

1. In the AWS IAM console, go to **Users** > select **Add user**.
1. Name it `redislabs-user` and check only the **Programmatic access** checkbox.
1. Click **Next: Permissions**.
1. Select **Attach existing policies directly** and select
**RedislabsIAMUserRestrictedPolicy** from the list.
1. Click **Next: Review**.
1. Click **Create user**.
1. Download the user credentials and store them in a secure location.
Follow the steps to [create an access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-keys-admin-managed.html#admin-create-access-key) for the user you just created. Save the access key ID and secret access key in a secure location.

## Step 5: Create the console access role

Last, create a role and attach the policy you created:
The console access role controls the permissions for the user that Redis Cloud uses to access the AWS console.

Follow the steps to [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) with the following settings:

- In **Select trusted entity**:
- **Trusted entity**: Select **AWS account**.
- **An AWS account**: Select **Another AWS account**.
- **Account ID**: Enter account number `168085023892` (Redis Cloud's AWS account).
- **Options**: Select **Require MFA**.
{{< warning >}}
Do not check the **Require external ID** checkbox.
{{< /warning >}}
- In **Add permissions**, select the **RedisLabsInstanceRolePolicy** you created.
- In **Name, review, and create**, enter `redislabs-role` in the **Role name** field.

Select **Create role** to finish role creation. Save the Role name for later.

## Next steps

<!-- {{< video "/images/rc/create-console-access-role.mp4" "Create console access user" >}} -->
When you've finished creating all of the resources, you can [create a Cloud Account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) in the Redis Cloud console. To do this, you'll need the following information:

1. In the AWS IAM console, go to **Roles** > select **Create role**.
1. Select **Another AWS account**.
1. Under **Account ID**, enter account number `168085023892` (Redis Cloud's AWS account).
1. Under Options, check the **Require MFA** checkbox only. *Do not check Require external ID*.
1. Click **Next: Permissions**.
1. Attach the policy **RedisLabsIAMUserRestrictedPolicy** to the role.
1. Click **Next: Review**.
1. Name the role `redislabs-role` and then click **Create role**.
- **Access Key ID**: The Access Key ID for the [programmatic user you created](#step-4-create-the-programmatic-access-user).
- **Secret Access Key**: The Secret Access Key for the [programmatic user you created](#step-4-create-the-programmatic-access-user).
- **IAM Role Name**: The name of the [console access role you created](#step-5-create-the-console-access-role).
Original file line number Diff line number Diff line change
Expand Up @@ -8,67 +8,57 @@ categories:
- rc
linkTitle: CloudFormation
---
The following link uses [AWS CloudFormation](https://aws.amazon.com/cloudformation/) to create a stack using the AWS console:
You can use [AWS CloudFormation](https://aws.amazon.com/cloudformation/) to create the IAM resources for Redis Cloud Bring your Own Cloud (BYOC).

{{< warning >}}
We use the provided credentials to configure your AWS environment and provision required resources.

You **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details.
{{< /warning >}}

## Create resources using CloudFormation on the AWS Console

The following link uses CloudFormation to create a stack using the AWS console:

<a href="https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=RedisCloud&templateURL=https://s3.amazonaws.com/iam-resource-automation-do-not-delete/RedisCloud.yaml">
<img alt="Launch RedisCloud template" src="https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png"/>
</a>

You can then use the `Outputs` tab to find the data needed to complete the creation of a Cloud Account. For the `accessSecretKey` (i.e. user's access key) and `consolePassword` (user's console password) you'll have to follow the links to the AWS Secrets Manager service, and use that to find the secret values. These values, being secrets, aren't displayed directly by CloudFormation.
When the stack finishes, select the stack and then the **Outputs** tab. You need the following information to [create a Cloud Account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) in the Redis Cloud console:

- **Access Key ID**: The `accessKeyId` output.
- **Secret Access Key**: Follow the link to AWS Secrets Manager in the `accessSecretKey` output and select **Retrieve secret value**.
- **IAM Role Name**: The `IAMRoleName` output.

You can use the AWS command-line interface (CLI) if you prefer:
## Create resources using CloudFormation through AWS CLI

You can also use the AWS command-line interface (CLI) to create the stack:

``` shell
export AWS_PROFILE=YOUR_PROFILE_HERE
aws cloudformation create-stack --stack-name RedisCloud --template-url \
https://s3.amazonaws.com/iam-resource-automation-do-not-delete/RedisCloud.yaml \
--capabilities CAPABILITY_AUTO_EXPAND CAPABILITY_NAMED_IAM CAPABILITY_IAM
```

Update the values of `AWS_PROFILE` with your profile credentials.

Additional options are described in the [AWS CLI docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).

You can track the status of the cloud formation with the following command:

``` console
```shell
aws cloudformation describe-stacks --stack-name RedisCloud
```
The data needed to complete the creation of a Cloud Account is shown as `Output Key` and `Output Value` pairs.

For the two secrets (`accessSecretKey` and `consolePassword`) you'll need to use the AWS secretmanager CLI - the value you'll need has a key of `SecretString`:
After the stack finishes, you can retrieve the outputs from the `Outputs` section of the response.

``` console
aws secretsmanager get-secret-value --secret-id=/redislabsuser/secret_access_key
```

We recommend using yaml output for the `consolePassword`, as it makes decoding the required value easier.

``` console
aws secretsmanager get-secret-value --secret-id=/redislabsuser/password --output yaml
```

The `consolePassword` is a JSON object containing a single member whose key is `password` and whose value is the password. This can be a bit complex to parse out. Here's an example output:

```
user@example-computer ~ % aws secretsmanager get-secret-value
--secret-id=/redislabsuser/password
--output yaml
ARN: arn:aws:secretsmanager:middle-earth-1:913769183952:secret:/redislabsuser/password-qaEMYs
CreatedDate: '2021-06-16T06:27:53.402000-06:00'
Name: /redislabsuser/password
SecretString: '{"password":"S3cr3tP@$$w0rd"}'
VersionId: 00000000-0000-0000-0000-000000000000
VersionStages:
- AWSCURRENT
```
You need the following information to [create a Cloud Account]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings" >}}) in the Redis Cloud console:

The JSON object is the value (less the single quotes) of the `SecretString` key. i.e. it is <nobr>`{"password":"S3cr3tP@$$w0rd"}`</nobr>.
- **Access Key ID**: The `accessKeyId` output.
- **Secret Access Key**: Extract the secret ID from the `accessSecretKey` output. The secret ID is the `name` query parameter in the `accessSecretKey` output.

The password is the value associated with that key (less the double quotes): `S3cr3tP@$$w0rd`.
For example, if the `accessSecretKey` output is `https://console.aws.amazon.com/secretsmanager/home?region=<region>/secret?name=/redislabsuser/secret_access_key`, then the secret ID is `/redislabsuser/secret_access_key`.

{{< warning >}}
We use the provided credentials to configure your AWS environment and provision required resources.
Use the secret ID to retrieve the secret value using the AWS secretsmanager CLI:

You **must not** change the configurations of provisioned resources or stop or terminate provisioned instances. If you do, your databases will be inaccessible and Redis will not be able to ensure database stability. See [Avoid service disruption]({{< relref "/operate/rc/subscriptions/bring-your-own-cloud/cloud-account-settings#avoid-service-disruption" >}}) for more details.
{{< /warning >}}
``` shell
aws secretsmanager get-secret-value --secret-id=<accessSecretKey-ID>
```
Replace `<accessSecretKey-ID>` with the secret ID you extracted from the `accessSecretKey` output.
- **IAM Role Name**: The `IAMRoleName` output.
Loading