Runtime Environments > Elastic runtime environments > Setting up host environment
  

Setting up host environment

You need to create IAM roles and policies in the host AWS environment before you can set up an elastic runtime environment.
To set up the host environment, complete the following tasks:
Step 1. Create a cluster installer policy
Create an IAM policy for the cluster installer role. This policy contains the permissions that allow the cluster to interact with an elastic runtime environment.
Step 2. Create a cluster installer role
Create an IAM role for the cluster installer.
Step 3. Attach the cluster installer role to the master node
After creating the cluster installer role, attach it to the master node to make it available to the EC2 instance.
Step 4. Create a worker node policy
Create an IAM policy for the worker node. The worker node policy contains the permissions that allow worker nodes to operate within an elastic runtime environment.
Step 5. Create a worker node role
Create an IAM role for the worker node.
Step 6. Deploy VM
Deploy a VM in your AWS environment.

Step 1. Create a cluster installer policy

Create an IAM policy for the cluster installer role and give it a name such as cluster_installer_policy. The cluster installer policy contains the permissions that allow the cluster to interact with an elastic runtime environment.
Create the policy using the following JSON document. Be sure to replace the "{{text}}" placeholders with the actual information. For example, replace {{account-id}} with your actual AWS account ID; for example: 123456789012.
You can download the JSON file from the Elastic runtime environment IAM policy JSON files Knowledge article.
For more information about IAM policies, refer to the AWS documentation.
Tip: Following security best practices, use the least privileges principle wherever possible. For example, the JSON template shows "Resource": "*" for the IAM policy. However use "*" only where absolutely required. Consider restricting by region or resource.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"autoscaling:AttachLoadBalancers",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:{{account-id}}:security-group/*",
"arn:aws:ec2:*:{{account-id}}:network-interface/*",
"arn:aws:ec2:*:{{account-id}}:launch-template/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:{{account-id}}:instance/*",
"arn:aws:ec2:*:{{account-id}}:key-pair/iics-qa-*",
"arn:aws:ec2:*:{{account-id}}:volume/*",
"arn:aws:ec2:*:{{account-id}}:subnet/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"ec2:CreateKeyPair",
"ec2:CreateTags",
"ec2:CreateRouteTable",
"ec2:CreateImage",
"ec2:RunInstances",
"ec2:CreateVolume",
"ec2:CreateNetworkInterface",
"ec2:CreateLaunchTemplate",
"ec2:CreateSecurityGroup",
"ec2:CreateInternetGateway",
"ec2:CreateSnapshot",
"ec2:AssociateSubnetCidrBlock",
"ec2:CreateSubnet"
],
"Resource": [
"arn:aws:ec2:*:{{account-id}}:security-group/*",
"arn:aws:ec2:*:{{account-id}}:network-interface/*",
"arn:aws:ec2:*:{{account-id}}:internet-gateway/*",
"arn:aws:ec2:*:{{account-id}}:launch-template/*",
"arn:aws:ec2:*:{{account-id}}:instance/*",
"arn:aws:ec2:*:{{account-id}}:security-group-rule/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:{{account-id}}:key-pair/iics-qa-*",
"arn:aws:ec2:us-west-2:{{account-id}}:route-table/*",
"arn:aws:ec2:*:{{account-id}}:subnet/*",
"arn:aws:ec2:*:{{account-id}}:volume/*",
"arn:aws:ec2:*:{{account-id}}:import-snapshot-task/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:ReplaceRouteTableAssociation",
"ec2:DeleteTags",
"ec2:AttachInternetGateway",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DeleteVolume",
"ec2:StartInstances",
"ec2:CreateRoute",
"ec2:RevokeSecurityGroupEgress",
"ec2:ModifyVpcAttribute",
"ec2:DeleteInternetGateway",
"ec2:DeleteLaunchTemplateVersions",
"ec2:ModifyInstanceAttribute",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteLaunchTemplate",
"ec2:TerminateInstances",
"ec2:ImportKeyPair",
"ec2:CreateTags",
"ec2:ImportSnapshot",
"ec2:DeleteRoute",
"ec2:DetachInternetGateway",
"ec2:StopInstances",
"ec2:DisassociateRouteTable",
"ec2:CreateLaunchTemplateVersion",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:ModifyLaunchTemplate",
"ec2:DeleteKeyPair",
"ec2:AssociateIamInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "VisualEditor5",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:{{account-id}}:network-interface/*",
"arn:aws:ec2:us-west-2:{{account-id}}:vpc/{{VPC_ID}}",
"arn:aws:ec2:*:{{account-id}}:key-pair/*",
"arn:aws:ec2:*:{{account-id}}:launch-template/*",
"arn:aws:ec2:*:{{account-id}}:instance/*",
"arn:aws:ec2:us-west-2:{{account-id}}:route-table/*",
"arn:aws:ec2:*:{{account-id}}:volume/*",
"arn:aws:ec2:*:{{account-id}}:subnet/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"RunInstances",
"CreateSecurityGroup",
"CreateKeyPair",
"launch-template",
"network-interface",
"CreateTags",
"CreateSubnet",
"CreateRouteTable"
]
}
}
},
{
"Sid": "VisualEditor6",
"Effect": "Allow",
"Action": "ec2:CreateSecurityGroup",
"Resource": "arn:aws:ec2:*:{{account-id}}:vpc/*"
},
{
"Sid": "VisualEditor7",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:{{account-id}}:security-group/*",
"arn:aws:ec2:*:{{account-id}}:network-interface/*",
"arn:aws:ec2:*:{{account-id}}:launch-template/*",
"arn:aws:ec2:*:{{account-id}}:elastic-ip/*",
"arn:aws:ec2:*::snapshot/*"
]
},
{
"Sid": "VisualEditor8",
"Effect": "Allow",
"Action": [
"ec2:DeleteSubnet",
"ec2:CreateTags",
"ec2:CreateRouteTable",
"ec2:AssociateSubnetCidrBlock",
"ec2:CreateSubnet"
],
"Resource": [
"arn:aws:ec2:us-west-2:{{account-id}}:vpc/{{VPC_ID}}",
"arn:aws:ec2:us-west-2:{{account-id}}:route-table/*",
"arn:aws:ec2:*:{{account-id}}:subnet/*"
]
},
{
"Sid": "VisualEditor9",
"Effect": "Allow",
"Action": "ec2:CreateVolume",
"Resource": "arn:aws:ec2:*::snapshot/*"
},
{
"Sid": "VisualEditor10",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:Describe*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor11",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:CreateTags"
],
"Resource": "*"
},
{
"Sid": "VisualEditor13",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::{{account-id}}:role/{{WORKER_INSTANCE_PROFILE_ROLE}}",
"arn:aws:iam::{{account-id}}:role/{{MASTER_INSTANCE_PROFILE_ROLE}}"
]
},
{
"Sid": "VisualEditor14",
"Effect": "Allow",
"Action": "sts:DecodeAuthorizationMessage",
"Resource": "*"
},
{
"Sid": "VisualEditor18",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeTags"
],
"Resource": [
"arn:aws:autoscaling:*:{{account-id}}:launchConfiguration:*:launchConfigurationName/a*",
"arn:aws:autoscaling:*:{{account-id}}:autoScalingGroup:*:autoScalingGroupName/*"
]
},
{
"Sid": "VisualEditor19",
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": [
"arn:aws:elasticloadbalancing:*:{{account-id}}:targetgroup/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener/app/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener-rule/app/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener/net/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener-rule/net/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/app/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/net/*"
]
},
{
"Sid": "VisualEditor20",
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": [
"arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/net/iics-qa-*/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener/net/iics-qa-*/*/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/iics-qa-*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener/iics-qa-*/*/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:targetgroup/iics-qa-*/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener-rule/app/iics-qa-*/*/*/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:loadbalancer/app/iics-qa-*/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener-rule/net/iics-qa-*/*/*/*",
"arn:aws:elasticloadbalancing:*:{{account-id}}:listener/app/iics-qa-*/*/*"
]
},
{
"Sid": "VisualEditor21",
"Effect": "Allow",
"Action": "secretsmanager:*",
"Resource": "arn:aws:secretsmanager:*:{{account-id}}:secret:*"
}
]
}

Step 2. Create a cluster installer role

In AWS, create an IAM role for the cluster installer and give it a name such as cluster_installer_role.
When creating the cluster installer role, select the following options:
Trusted entity type
Use Case
AWS
EC2
AWS automatically creates an instance profile with the same name as the role.
For instructions about creating an IAM role, refer to the AWS documentation. AWS provides several ways to create an IAM role, such as using the AWS Management Console or the AWS CLI.

Step 3. Attach the cluster installer role to the master node

After you've created the cluster installer role, attach it to the master node to make it available to the EC2 instance.
On your master node, specify the cluster installer role in the following location:
  1. 1In the EC2 console, select Instances and then launch an instance.
  2. 2Expand Advanced details.
  3. 3In the IAM instance profile field, select your cluster installer role.

Step 4. Create a worker node policy

Create an IAM policy for the worker node role and give it a name such as worker_node_policy. The worker node policy contains the permissions that allow worker nodes to operate within an elastic runtime environment.
You can download the JSON file from the Elastic runtime environment IAM policy JSON files Knowledge article.
For more information about IAM policies, refer to the AWS documentation.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeActions",
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeTags"
],
"Resource": "*"
},
{
"Sid": "AutoscalingCapacity",
"Effect": "Allow",
"Action": [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Resource": "*"
},
{
"Sid": "SecretsManagerAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "*"
}
]
}

Step 5. Create a worker node role

In AWS, create an IAM role for the worker node and give it a name such as worker_node_role.
The worker node role provides AWS permissions required for the node to interact with core AWS services such as EC2, Auto Scaling, EFS, and Secrets Manager.
When creating the worker node role, select the following options:
Trusted entity type
Use Case
AWS
EC2
AWS automatically creates an instance profile with the same name as the role.
For instructions about creating an IAM role, refer to the AWS documentation. AWS provides several ways to create an IAM role, such as using the AWS Management Console or the AWS CLI.
Tip: Note the name of this worker node role. You'll need to enter this value into the Worker Instance Profile field of your elastic runtime environment environment configuration. For more information, see Environment configuration.