EKS Daml on AWS

To enable Daml on Amazon Aurora Sextant for DAML needs to be able to create an Amazon Aurora database on demand if the user doesn't supply one. Likewise, to enable Daml on Amazon QLDB Sextant for DAML needs to be able to create an Amazon QLDB instance on demand.

To support these features the target EKS cluster requires some additional permissions added to the worker instance IAM Role. This document describes the steps necessary to fulfill that requirement.

NOTE These changes can be applied your EKS cluster before or after it is added to Sextant for DAML in the usual way.

NOTE These instructions focus on using the AWS Console. For information about achieving the same result via the AWS CLI please contact us via Get Support.

Modify EKS Cluster permissions using the AWS Console

Prerequisites

  • Access to the AWS management console for your account
  • AWS IAM permissions to create policies and attach them to IamInstanceProfiles
  • A running EKS cluster and the AWS instance-id of a worker node in this cluster

Procedure

  1. Go the EC2 management console for the region your worker nodes are in, for example us-west-2 AWS Management Console for us-west-2
  2. Go to the Instances list Instance List
  3. Find an instance of a worker node for your cluster in the list, and select it. In the description there will be a field IAM role whose value is the name of the IAM role we need to modify. This value is also a live link so right click it to open new tab.
  4. This will bring you to the page to edit the necessary IAM NodeInstanceRole.
  5. Under the Permissions tab on this page is a button marked Attach Policies. Click this button.
  6. You should now be looking at the Attach Permissions page, on this page there is a button Create policy, right click that button and open the link in a new tab, we will come back to the Attach Permissions page later in this procedure.
  7. You should now see the Create Policy screen. There are two tabs on this screen. One is marked JSON, select that tab.
  8. In the editor paste the following JSON text:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "cloudformation:*",
        "rds:*",
        "qldb:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
  1. Click Review policy
  2. On the Review policy screen give the new policy a meaningful name such as sextant-for-daml-on-aws-services-policy then click Create policy
  3. Now let's return to the Attach Permissions page
  4. Click the refresh icon on the top right to refresh the policy list.
  5. In the search box type the name of the policy we just created
  6. You should now see your new policy in the list, select that policy and click the Attach policy on the bottom right
  7. Your worker instance role now has permissions to manage RDS instances and QLDB via CloudFormation

Walkthrough

Here we are using the AWS Console approach outlined in these instructions and adding the appropriate policy to node instance i-0fb43a138d54fd202 in an EKS cluster sfd-aurora-cluster in us-west-2.

Select instance node

First we open its IAM role in a new tab.

Open its IAM role

Next we select Attach Policies which takes us to the Attach Permissions screen (not shown here). From there we click Create Policy which takes us to a dialog where we define our policy to enable the management of RDS instances and QLDB via CloudFormation and give it the name sextant-for-daml-on-aws-services-policy.

Creating policy

NOTE this policy only needs to be created once in any given AWS account.

Returning to the Attach Permissions screen, we search for our policy, select it then click Attach Policy to attach it to the instance to enable it to manage RDS instances and QLDB via CloudFormation.

Attaching policy

If this is successful you should get a confirmation.

Confirmation policy attached