Configuration (AWS Cloud)
1. AWS IAM Permissions
- Access AWS Management Console, go to Identity and Access Management (IAM).
- Create a custom IAM policy from one of the JSON examples shown below. NOTE that you need to change YOUR_ACCOUNT_ID in the JSON to your AWS account ID (a 12-digit numeric value).
Standard (Recommended):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "describePolicies",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs",
        "ec2:GetConsoleOutput"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProfilePolices",
      "Effect": "Allow",
      "Action": "iam:ListInstanceProfiles",
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:instance-profile/*"
    },
    {
      "Sid": "CreatePolicies",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateSubnet",
        "ec2:CreateVpc",
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:key-pair/*",
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:security-group/*",
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:vpc/*",
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:network-interface/*"
      ]
    }
  ]
}
Minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "describePolicies",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProfilePolices",
      "Effect": "Allow",
      "Action": "iam:ListInstanceProfiles",
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:instance-profile/*"
    },
    {
      "Sid": "CreatePolicies",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateSubnet",
        "ec2:CreateVpc",
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:key-pair/*",
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:security-group/*",
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:vpc/*",
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:*:YOUR_ACCOUNT_ID:network-interface/*"
      ]
    }
  ]
}
- Create an IAM user or IAM role.
- Attach existing policies directly to the IAM user, or attach policies to the IAM role. (Select the policy that you created above.)
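As an added check before pasting a hand-edited policy into IAM (example code written for this page, not part of the Cloud module), the following Python script substitutes YOUR_ACCOUNT_ID, confirms the result is still valid JSON, and flags the mistakes that most often slip into a copied policy: a placeholder left in place, a trailing comma, a wildcard action, a mutating action granted on Resource "*", or an ARN that names a different account. The embedded sample policy is a constructed, shortened copy of the shape shown above; classifying actions by their Describe/Get/List prefix is a heuristic of this script, not an AWS API.

```python
import json
import re
from typing import List, Optional

PLACEHOLDER = "YOUR_ACCOUNT_ID"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# arn:partition:service:region:account-id:resource ; group(1) is the account-id field
ARN_RE = re.compile(r"^arn:aws:[^:]+:[^:]*:([^:]*):")
# Heuristic (assumption, not an AWS API): actions with these prefixes do not change state
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# Constructed sample: a shortened policy in the same shape as the ones above,
# still carrying the placeholder that has to be replaced.
SAMPLE_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "describePolicies",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
      "Resource": "*"
    },
    {
      "Sid": "ProfilePolices",
      "Effect": "Allow",
      "Action": "iam:ListInstanceProfiles",
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:instance-profile/*"
    },
    {
      "Sid": "CreatePolicies",
      "Effect": "Allow",
      "Action": ["ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress"],
      "Resource": ["arn:aws:ec2:*:YOUR_ACCOUNT_ID:security-group/*"]
    }
  ]
}"""


def fill_account_id(template: str, account_id: str) -> str:
    """Substitute the placeholder, refusing anything that is not a 12-digit account ID."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return template.replace(PLACEHOLDER, account_id)


def _as_list(value):
    # IAM allows "Statement", "Action" and "Resource" to be a single value or a list
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text: str, expected_account_id: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed every check."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # A trailing comma at the end of an Action list is the usual cause
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]

    findings = []
    if PLACEHOLDER in policy_text:
        findings.append(f"placeholder {PLACEHOLDER} not replaced")

    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            _service, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings.append(f"{sid}: wildcard action {action}")
            elif not name.startswith(READ_ONLY_PREFIXES) and "*" in resources:
                findings.append(f"{sid}: mutating action {action} is not resource-scoped")
        if expected_account_id:
            for res in resources:
                match = ARN_RE.match(res)
                if match and match.group(1) not in ("", "*", expected_account_id):
                    findings.append(f"{sid}: resource {res} names account {match.group(1)}")
    return findings


if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY_TEMPLATE))            # placeholder still present
    ready = fill_account_id(SAMPLE_POLICY_TEMPLATE, "123456789012")
    print(lint_policy(ready, "123456789012"))             # [] means nothing was flagged
```

Run it against the policy you intend to attach, passing your own account ID as expected_account_id; an empty findings list is the signal that the placeholder was replaced everywhere and that the Create* and Authorize*/Revoke* actions stayed scoped to your account's resources rather than widening to "*".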
2. Drupal Permissions
- How to configure
Go to People > Permissions in your Drupal site. Configure permissions per your requirements.
- Concept
There are Add, Edit, Delete, View and List permissions on each AWS EC2 entity.
Edit, Delete and View permissions have two types, Any or Own.

Permission                  Description
Add AWS EC2 entity          Allow users to add an AWS EC2 entity
Edit any AWS EC2 entity     Allow users to edit any AWS EC2 entity
Edit own AWS EC2 entity     Allow users to edit their own AWS EC2 entities
Delete any AWS EC2 entity   Allow users to delete any AWS EC2 entity
Delete own AWS EC2 entity   Allow users to delete their own AWS EC2 entities
View any AWS EC2 entity     Allow users to view any AWS EC2 entity
View own AWS EC2 entity     Allow users to view their own AWS EC2 entities
List AWS EC2 entity         Allow users to list AWS EC2 entities

- Any permissions allow users to manage any AWS EC2 entities.
- Own permissions allow users to manage only the AWS EC2 entities they own.
- How to associate the entity's owner with AWS Management Console
The owner's uid is applied as a tag with the key uid to resources in AWS Management Console.
AWS Cloud Key Pairs cannot have tags in AWS Management Console, therefore the owner information is saved and managed only in Drupal.
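To make the Any/Own distinction and the uid tag concrete, here is a small Python model written for this page (it is not the Cloud module's own code). It builds permission strings in the page's generic wording, decides access for an operation, and produces the tags that would be written to the AWS resource, with Key Pairs getting none because they cannot carry tags. The entity types, the sample users and the owner_from_aws_tags helper are assumptions of this example; the real module's permission names are per entity type.

```python
from typing import Dict, Optional, Set

# Operations that exist in "any" and "own" variants on this page
OPERATIONS_WITH_OWN_VARIANT = {"edit", "delete", "view"}
# Key Pairs cannot carry tags in AWS, so their owner is recorded only in Drupal
UNTAGGABLE_ENTITY_TYPES = {"key_pair"}


def permission_for(operation: str, scope: Optional[str] = None) -> str:
    """Build the permission string in the page's wording, e.g. 'edit own aws ec2 entity'."""
    if operation in OPERATIONS_WITH_OWN_VARIANT:
        if scope not in ("any", "own"):
            raise ValueError(f"{operation} needs scope 'any' or 'own'")
        return f"{operation} {scope} aws ec2 entity"
    return f"{operation} aws ec2 entity"


def can(user: dict, operation: str, entity: dict) -> bool:
    """Any/Own check: 'any' grants unconditionally; 'own' only when the entity's owner uid is the user's uid."""
    perms: Set[str] = user["permissions"]
    if operation not in OPERATIONS_WITH_OWN_VARIANT:
        return permission_for(operation) in perms
    if permission_for(operation, "any") in perms:
        return True
    if permission_for(operation, "own") in perms:
        return entity["owner_uid"] == user["uid"]
    return False


def aws_tags_for(entity: dict) -> Dict[str, str]:
    """Tags to write to the AWS resource: the owner's uid under key 'uid', or none for Key Pairs."""
    if entity["type"] in UNTAGGABLE_ENTITY_TYPES:
        return {}
    return {"uid": str(entity["owner_uid"])}


def owner_from_aws_tags(tags: Dict[str, str]) -> Optional[int]:
    """Recover the Drupal owner uid from a resource's tags (assumed helper); None if untagged or malformed."""
    uid = tags.get("uid")
    return int(uid) if uid is not None and uid.isdigit() else None


# Constructed sample users and entities (not real Drupal data)
ALICE = {"uid": 5, "permissions": {permission_for("edit", "own"),
                                   permission_for("view", "any"),
                                   permission_for("list")}}
BOB = {"uid": 7, "permissions": {permission_for("delete", "any")}}
INSTANCE = {"type": "instance", "owner_uid": 5}
KEY_PAIR = {"type": "key_pair", "owner_uid": 7}

if __name__ == "__main__":
    for user, op, ent in [(ALICE, "edit", INSTANCE), (ALICE, "edit", KEY_PAIR),
                          (BOB, "delete", INSTANCE), (ALICE, "add", INSTANCE)]:
        print(f"uid {user['uid']} {op} {ent['type']} -> {can(user, op, ent)}")
    print(aws_tags_for(INSTANCE), aws_tags_for(KEY_PAIR))
```

The practical consequence the model shows: a user holding only "own" permissions can touch an entity only when Drupal's owner record matches their uid, so keeping that record correct (and, for taggable resources, keeping the uid tag in sync) is what makes the Own permissions meaningful.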
3. Basic Setup
- Create a new Cloud Config based on your needs. Go to Structure > Cloud config list and + Add Cloud config
- Enter all required configuration parameters. The system will automatically set up all regions from your AWS account. There are three options for specifying AWS credentials:
- Instance Credentials
If the Cloud module is running on an EC2 instance and that EC2 instance has an IAM Role attached, you have the option to check "Use Instance Credentials". Doing so is secure and does not require an Access Key ID and Secret Access Key to be entered into Drupal.
Please refer to this AWS tutorial about IAM roles and EC2 instances:
- Simple Access
Specify Access Key ID and Secret Access Key to access a particular account's EC2 instances.
- Assume Role
Specify Access Key ID, Secret Access Key and the Assume Role section. With this combination, the Cloud module can assume a role in another AWS account and access its EC2 instances. To learn more about setting up assume role, please read this AWS tutorial:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html
- Run cron to update your specific Cloud region.
- Use the links under Cloud Service Providers > [CLOUD CONFIG] to manage your AWS EC2 entities.
- Import Images using the tab: Cloud Service Providers > [CLOUD CONFIG] | Images
- Click on + Import AWS Cloud Image
- Search for images by AMI name. For example, to import "Anaconda" images based on Ubuntu, type in "anaconda*ubuntu*". Use the AWS Console on "aws.amazon.com" to search for images to import
- Import or Add a Keypair. The keypair is used to log into any system you launch. Use the links under the tab: Cloud Service Providers > [CLOUD CONFIG] | Key Pair
- Use the + Import AWS Cloud Key Pair button to import an existing key pair. You will be uploading your public key.
- Use + Add AWS Cloud Key Pair to have AWS generate a new private key. You will be prompted to download the key after it is created.
- Set up Security Groups, VPCs, Subnets, and Network Interfaces.
4. Launching Instance
- Create a Server Template under Design > Cloud Server Template > [CLOUD CONFIG]
- Once the template is created, click the Launch tab to launch it.