docs/content/stable/yugabyte-platform/prepare/cloud-permissions/cloud-permissions-nodes-aws.md
For YugabyteDB Anywhere (YBA) to be able to deploy and manage YugabyteDB universes using an AWS cloud provider configuration, you need to provide YBA with privileges on your cloud infrastructure to create, delete, and modify VMs, mount and unmount disk volumes, and so on. The more permissions that you can provide, the more YBA can automate.
{{<tip>}} If you can't provide YBA with the necessary permissions, you can still deploy to AWS using an on-premises provider. {{</tip>}}
The following permissions are required for AWS:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:ImportVolume",
        "ec2:ModifyVolumeAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:CreateKeyPair",
        "ec2:DescribeVolumesModifications",
        "ec2:DeleteVolume",
        "ec2:DescribeVolumeStatus",
        "ec2:StartInstances",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeInstanceStatus",
        "ec2:DetachVolume",
        "ec2:ModifyVolume",
        "ec2:TerminateInstances",
        "ec2:AssignIpv6Addresses",
        "ec2:ImportKeyPair",
        "ec2:DescribeTags",
        "ec2:CreateTags",
        "ec2:RunInstances",
        "ec2:AssignPrivateIpAddresses",
        "ec2:StopInstances",
        "ec2:AllocateAddress",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateVolume",
        "ec2:EnableVolumeIO",
        "ec2:DescribeImages",
        "ec2:DescribeVpcs",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeSubnets",
        "ec2:DeleteKeyPair",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeRouteTables",
        "ec2:DescribeInternetGateways",
        "ec2:GetConsoleOutput",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeInstanceTypes"
      ],
      "Resource": "*"
    }
  ]
}
```
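Before configuring the provider, it is worth confirming that the policy actually attached to the service account or IAM role covers every action in the list above, rather than discovering a gap when a universe creation task fails. The following is an added example, not part of the YugabyteDB documentation or product: a static, offline coverage check in Python. It embeds the page's action list and evaluates a constructed sample policy; the sample policy, the `check_policy` and `report` functions, and the file name `check_yba_policy.py` are all assumptions of this example. It models only `Effect`, `Action`/`NotAction` and a `Resource` of `"*"`; `Condition` blocks and ARN-scoped resources are not evaluated, and an Allow scoped to specific ARNs is reported as missing so that it gets a manual look. It also lists actions that are only granted through a wildcard such as `ec2:*`, which is the usual place to start when narrowing a policy. For an authoritative answer, use IAM's own evaluation (for example `aws iam simulate-principal-policy`).

```python
"""Static check that an IAM policy document grants every action YBA needs.
Added example (not YugabyteDB's code). Models Effect, Action/NotAction and
Resource "*" only; Conditions and ARN-scoped Allows are not evaluated.
"""
import fnmatch
import json
import sys

# The 44 actions from the policy on this page, in the same order.
REQUIRED_ACTIONS = (
    "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:ImportVolume",
    "ec2:ModifyVolumeAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute",
    "ec2:CreateKeyPair", "ec2:DescribeVolumesModifications", "ec2:DeleteVolume",
    "ec2:DescribeVolumeStatus", "ec2:StartInstances", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:ModifyInstanceAttribute",
    "ec2:DescribeKeyPairs", "ec2:DescribeInstanceStatus", "ec2:DetachVolume",
    "ec2:ModifyVolume", "ec2:TerminateInstances", "ec2:AssignIpv6Addresses",
    "ec2:ImportKeyPair", "ec2:DescribeTags", "ec2:CreateTags", "ec2:RunInstances",
    "ec2:AssignPrivateIpAddresses", "ec2:StopInstances", "ec2:AllocateAddress",
    "ec2:DescribeVolumeAttribute", "ec2:DescribeSecurityGroups", "ec2:CreateVolume",
    "ec2:EnableVolumeIO", "ec2:DescribeImages", "ec2:DescribeVpcs", "ec2:DeleteSecurityGroup",
    "ec2:DescribeSubnets", "ec2:DeleteKeyPair", "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeRouteTables", "ec2:DescribeInternetGateways", "ec2:GetConsoleOutput",
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeInstanceTypes",
)

# The page's policy, rebuilt from the list so the checker can verify itself.
REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
}

def _as_list(value):
    """IAM allows a string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _selects(stmt, action):
    """True if the statement's Action/NotAction element selects `action`."""
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))

def check_policy(policy, required=REQUIRED_ACTIONS):
    """Return {'missing': [...], 'denied': [...], 'via_wildcard': {action: patterns}}."""
    statements = _as_list(policy.get("Statement"))
    missing, denied, via_wildcard = [], [], {}
    for action in required:
        allow_patterns, is_denied = [], False
        for stmt in statements:
            if not _selects(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                is_denied = True  # an explicit Deny overrides any Allow
            elif stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
                pats = [p for p in _as_list(stmt.get("Action")) if _matches(p, action)]
                allow_patterns.extend(pats or ["NotAction"])
        if is_denied:
            denied.append(action)
        if not allow_patterns:
            missing.append(action)  # no Allow on Resource "*" (ARN-scoped ones count here too)
        elif not any(p.lower() == action.lower() for p in allow_patterns):
            via_wildcard[action] = ", ".join(sorted(set(allow_patterns)))
    return {"missing": sorted(missing), "denied": sorted(denied), "via_wildcard": via_wildcard}

# Constructed sample policy: Describe* via wildcard, nine explicit actions,
# one ARN-scoped Allow, and a Deny that overrides one of the explicit Allows.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateTags",
                "ec2:StartInstances", "ec2:StopInstances", "ec2:CreateVolume",
                "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:CreateSnapshot",
     "Resource": "arn:aws:ec2:us-west-2::snapshot/*"},
    {"Effect": "Deny", "Action": "ec2:DeleteVolume", "Resource": "*"}
  ]
}
""")

def report(policy):
    """Print findings; return True only when nothing is missing or denied."""
    result = check_policy(policy)
    for key in ("missing", "denied"):
        for action in result[key]:
            print(f"{key.upper():8} {action}")
    for action, pats in result["via_wildcard"].items():
        print(f"WILDCARD {action} (granted by {pats})")
    return not result["missing"] and not result["denied"]

if __name__ == "__main__":
    # Usage: python check_yba_policy.py [policy.json]; with no path the sample runs.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    sys.exit(0 if report(doc) else 1)
```

Run it against the exported policy document of the IAM user or role you intend to give YBA (`aws iam get-policy-version` returns the document for a managed policy). On the constructed sample it reports 16 missing actions, including `ec2:CreateSnapshot` because that Allow is scoped to snapshot ARNs rather than `"*"`, flags `ec2:DeleteVolume` as denied despite its explicit Allow, and lists the 19 `Describe` actions that are granted only through `ec2:Describe*`; the page's own policy passes cleanly.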
To grant the required access, you do one of the following:
If using a service account, record the following two pieces of information about your service account. You will need to provide this information later to YBA.
If you are intending to back up to S3 or S3-compatible storage, the service account should also have sufficient permissions to access S3; refer to Permissions to back up and restore.
| Save for later | To configure |
|---|---|
| Access key ID | AWS provider configuration |
| Secret Access Key | AWS provider configuration |
If attaching an IAM role to the EC2 VM instance where YugabyteDB Anywhere will be running, you must also execute the following command to change metadata options:
```sh
aws ec2 modify-instance-metadata-options --instance-id i-NNNNNNN --http-put-response-hop-limit 3 --http-endpoint enabled --region us-west-2
```
Replace NNNNNNN with the instance ID and us-west-2 with the region in which this EC2 VM is deployed.
For more information, see Configure the instance metadata service in the AWS documentation.
If you are intending to back up to S3 or S3-compatible storage, the IAM role used should also have sufficient permissions to access S3; refer to Permissions to back up and restore.
For information on using IAM roles for EC2, refer to IAM roles for Amazon EC2.
In addition to AWS cloud permissions, to create VMs on AWS, YBA needs access to the operating system disk images, known as AMIs.
You must grant this access, and accept any OS licensing terms, manually before YBA can use the images.
By default, YBA requires access to the Alma 8 x86 disk images.
If you plan to use YBA defaults, then, while logged into your AWS account, do the following:
If you are not already subscribed and have not accepted the Terms and Conditions, then you should see the following message:
Click Accept Terms.
If needed, be sure to do this in every region where you intend to deploy database clusters.
If you plan to use a custom operating system and disk image, then verify that the service account or IAM role that you provisioned earlier has access to the required OS disk image (that is, the specific AMI).
If needed, be sure to do this in every region where you intend to deploy database clusters.
When creating VMs on the public cloud using a cloud provider configuration, YugabyteDB requires SSH keys to access the VM. You can manage the SSH keys for VMs in two ways:
If you will be using your own custom SSH keys, then ensure that you have them when installing YBA and creating your public cloud provider.
| Save for later | To configure |
|---|---|
| Custom SSH keys | AWS provider configuration |