Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Create a Databricks service principal or select one already available

  • Determine a DNS name for the application vmVM, register a domain name if applicable.

  • If you are using azure AD as an identity provider, create an app registration in your AAD tenant of choice.

    • Also create a client secret, saving the secret value as input while running the infrastructure setup script

...

  • Login to AWS Management Console.

  • The virtual machine created must have needs the three policies described below assigned to it. One suggested way would be to create a specific role for the VM and assign the three created policies to that role. The information below uses the ‘JSON’ view to enable faster policy creation

Info

If you are creating three new policies, prepending them with the same string will allow for easier retrieval when creating the role and assigning policiesselecting the policies assigned to it.

Allow read of cost and usage data

  • Navigate to the IAM console and create a new policy with the json described permissions below

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ce:GetCostAndUsage",
            "Resource": "*"
        }
    ]
}

Allow Read of created secret

  • Find the secret name in the script output and replace {SecretNameHere} with the secret name and {AWS account ID} with your account id

Info

You will need to update this policy definition with your aws account id ID and secret name for this policy definition.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}*"
        }
    ]
}

Allow management of DynamoDB and Simple Queue Service

  • Create the third policy:

Info

You will need to update this policy definition with your aws account ID.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "dynamodb:UpdateTimeToLive",
                "dynamodb:DescribeTable",
                "sqs:ReceiveMessage",
                "dynamodb:Scan",
                "dynamodb:Query",
                "sqs:CreateQueue"
            ],
            "Resource": [
                "arn:aws:dynamodb::{AWS account ID}:table/bplm*",
                "arn:aws:sqs::{AWS account ID}:bplm*"
            ]
        }
    ]
}

Allow s3 bucket tag get\set

Code Block
{
   "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:PutBucketTagging"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Allow EC2 tag management

Info

You will need to update this policy definition with your aws account ID.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:{AWS Account ID}:natgateway/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeNatGateways"
            ],
            "Resource": "*"
        }
    ]
}

  • Once the role is created, navigate to the EC2 instance and assign the IAM role

    • Actions → Security → Modify IAM role

      • From here search for then select the IAM role and click ‘Update IAM role’

...