2 - AWS IAM Policies

CloudSense needs policies on an AWS user. We can add these policies through the IAM dashboard. This part requires a user with enough permissions to create users and policies; if you do not have them, contact your AWS administrator.

First, navigate to the IAM Dashboard, then go to “Policies” > “Create Policy”.

Go into the “JSON” editor tab and enter the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricData",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "elasticfilesystem:Backup",
                "elasticfilesystem:CreateAccessPoint",
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:CreateReplicationConfiguration",
                "elasticfilesystem:CreateTags",
                "elasticfilesystem:DeleteAccessPoint",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteFileSystemPolicy",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:DeleteReplicationConfiguration",
                "elasticfilesystem:DeleteTags",
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeAccountPreferences",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeReplicationConfigurations",
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:ListTagsForResource",
                "elasticfilesystem:ModifyMountTargetSecurityGroups",
                "elasticfilesystem:PutAccountPreferences",
                "elasticfilesystem:PutBackupPolicy",
                "elasticfilesystem:PutFileSystemPolicy",
                "elasticfilesystem:PutLifecycleConfiguration",
                "elasticfilesystem:Restore",
                "elasticfilesystem:TagResource",
                "elasticfilesystem:UntagResource",
                "elasticfilesystem:UpdateFileSystem",
                "elasticloadbalancing:DescribeLoadBalancers",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListPolicyVersions",
                "iam:ListRoles",
                "iam:PassRole",
                "iam:RemoveRoleFromInstanceProfile",
                "kms:DescribeKey",
                "kms:ListAliases",
                "route53resolver:*",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "ec2scheduled.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "transitgateway.amazonaws.com",
                        "eks.amazonaws.com",
                        "eks-nodegroup.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Go to the tag screen and add any desired tags.

Go to the review screen and enter the name “CloudSense” and, optionally, a description.

Now that the policy is created, we need to attach it to a user. Go to Users and search for the appropriate user.

Then select “Add permissions” > “Attach existing policies directly” > Search “CloudSense” > Checkbox “CloudSense” > “Next: Review” > “Add permissions”.

Congratulations! You now have all the permissions to deploy an AWS cluster through CloudSense.

Next steps: Use your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY inside CloudSense to deploy an AWS cluster.
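
To review what the policy above grants, the following added example (not part of the Ulap documentation or CloudSense) scans a policy document for service-wide wildcards, repeated actions, actions already covered by a wildcard, and permission-changing IAM actions allowed on every resource. SAMPLE_POLICY is a constructed excerpt of the policy above; review_policy, as_list and SENSITIVE_IAM are names chosen for this example.

```python
import json

# Constructed excerpt of the CloudSense policy above (same statement shapes,
# fewer actions) so the example runs offline.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeVpcs", "ec2:DescribeVpcs", "iam:PassRole",
                "iam:AttachRolePolicy", "route53resolver:*", "kms:DescribeKey"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:AWSServiceName": ["eks.amazonaws.com"]}}}
  ]
}
""")

# IAM actions listed in the policy above that create or delegate permissions.
SENSITIVE_IAM = {a.lower() for a in (
    "iam:PassRole", "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole")}

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def review_policy(policy):
    """Summarise what the Allow statements of an IAM policy document grant."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    seen, dupes, wild, unscoped = {}, set(), set(), set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            key = action.lower()  # IAM action names are case-insensitive
            if key in seen:
                dupes.add(action)
            seen[key] = action
            if any_resource and key.endswith(":*"):
                wild.add(key.split(":")[0])
            if any_resource and "Condition" not in stmt and key in SENSITIVE_IAM:
                unscoped.add(action)
    shadowed = {a for k, a in seen.items()
                if not k.endswith(":*") and k.split(":")[0] in wild}
    return {"service_wildcards": sorted(wild), "duplicates": sorted(dupes),
            "shadowed": sorted(shadowed), "unscoped_iam": sorted(unscoped)}

if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE_POLICY), indent=2))
```

To review the full policy, save the JSON from the editor to a file and pass `json.load(open(path))` to `review_policy`.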


Last updated 2 years ago