Prerequisites
Specialized Knowledge
Before deploying and operating SMARTUNIFIER Instances using AWS Fargate, it is recommended that you become familiar with the following AWS services. (If you are new to AWS, see Getting Started with AWS.)
You should also be familiar with the Communication Channel used by the deployed SMARTUNIFIER Instance and its capabilities.
AWS Resources
For the deployment of SMARTUNIFIER Instances on AWS Fargate, the following resources are required:
Amazon S3 - Bucket
SMARTUNIFIER uses an Amazon S3 Bucket to upload Instances in an archive file format. We recommend creating a private Bucket dedicated to SMARTUNIFIER.
AWS VPC and Subnets
In order for SMARTUNIFIER to deploy Instances in your AWS account, a VPC and Subnets are needed. Please note that the Default VPC should not be used.
Amazon ECS - Cluster
SMARTUNIFIER uses AWS Fargate for the deployment of Instances on the AWS Cloud. Therefore an ECS Cluster is required. We recommend creating one Cluster dedicated to Instances deployed by SMARTUNIFIER.
AWS ECR - Repository
SMARTUNIFIER uses an AWS ECR repository to push Docker Images, which are created by an AWS CodeBuild project. We recommend creating one repository dedicated to SMARTUNIFIER Instance images.
IAM - User
SMARTUNIFIER complies with the security best practices in IAM and does not need root privileges. We recommend creating one user dedicated to SMARTUNIFIER. The IAM user follows the general rule of least privilege and is granted only the policies needed for the deployment of SMARTUNIFIER Instances.
Create the IAM user in the IAM dashboard by following the steps described in the AWS IAM documentation. The IAM user for SMARTUNIFIER must use the AWS access type programmatic access.
Attach the following permissions:
Policy ARN | Description
---|---
arn:aws:iam::aws:policy/AmazonS3FullAccess | Provides full access to all buckets via the AWS Management Console.
arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess | Provides full access to AWS CodeBuild via the AWS Management Console. Also attach AmazonS3ReadOnlyAccess to provide access to download build artifacts, and attach IAMFullAccess to create and manage the service role for CodeBuild.
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess | Provides administrative access to Amazon ECR resources.
arn:aws:iam::aws:policy/AmazonECS_FullAccess | Provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and CloudFormation stacks.
arn:aws:iam::aws:policy/CloudWatchFullAccess | Provides full access to CloudWatch.
Programmatic system credentials
SMARTUNIFIER needs a credential profile to be set up in order to deploy Instances on AWS Fargate. We recommend creating a new access key every 90 days.
[default]
aws_access_key_id = your_access_key_id
aws_secret_access_key = your_secret_access_key
IAM Role - AWS CodeBuild Service Role
CodeBuild requires a service role to interact with dependent AWS services:
Access to Amazon S3 to retrieve SMARTUNIFIER Instance artifacts - such as libraries and configuration files.
Access to AWS ECR to push the container image in the specified repository
Create an IAM Role with the following policy document via the AWS console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchLogsPolicy",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CodeCommitPolicy",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "S3GetObjectPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "S3PutObjectPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ECRPullPolicy",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ECRAuthPolicy",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "S3BucketIdentity",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}
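Every statement in the policy above uses "Resource": "*", while the page recommends a Bucket and an ECR repository dedicated to SMARTUNIFIER. The following added example (it is not SMARTUNIFIER's own tooling) audits the policy document for wildcard resources and produces a copy in which the S3 and ECR statements are scoped to those dedicated resources. The bucket and repository ARNs, account id and region are constructed placeholders; ecr:GetAuthorizationToken is intentionally left on "*" because IAM only evaluates that action against "*".

```python
"""Audit and scope the CodeBuild service-role policy shown on this page.

Added example, not SMARTUNIFIER's own tooling. Only the Python standard
library is used, so it runs offline on the embedded policy document.
"""
import copy
import json

# Constructed placeholders: substitute the ARNs of the dedicated
# S3 Bucket and ECR repository created for SMARTUNIFIER.
BUCKET_ARN = "arn:aws:s3:::smartunifier-instances-example"
REPO_ARN = "arn:aws:ecr:eu-central-1:123456789012:repository/smartunifier-instances-example"

# Condensed copy of the page's policy document (same Sids, actions and resources).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudWatchLogsPolicy", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": ["*"]},
        {"Sid": "CodeCommitPolicy", "Effect": "Allow",
         "Action": ["codecommit:GitPull"], "Resource": ["*"]},
        {"Sid": "S3GetObjectPolicy", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": ["*"]},
        {"Sid": "S3PutObjectPolicy", "Effect": "Allow",
         "Action": ["s3:PutObject"], "Resource": ["*"]},
        {"Sid": "ECRPullPolicy", "Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
         "Resource": ["*"]},
        {"Sid": "ECRAuthPolicy", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"]},
        {"Sid": "S3BucketIdentity", "Effect": "Allow",
         "Action": ["s3:GetBucketAcl", "s3:GetBucketLocation"], "Resource": "*"},
    ],
}

# Actions IAM evaluates only against "*" (no resource-level permissions),
# so a wildcard on them is not a finding.
WILDCARD_ONLY = {"ecr:GetAuthorizationToken"}

# Object-level S3 actions apply to keys (bucket/*), bucket-level ones to the bucket.
S3_OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"}
S3_BUCKET_ACTIONS = {"s3:GetBucketAcl", "s3:GetBucketLocation"}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy):
    """Return the Sids of Allow statements whose Resource is '*' and that
    contain at least one action which could have been scoped to a resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        actions = set(_as_list(stmt["Action"]))
        if actions - WILDCARD_ONLY:
            findings.append(stmt["Sid"])
    return findings


def scope_policy(policy, bucket_arn, repo_arn):
    """Return a deep copy of policy with the S3 and ECR wildcards replaced by
    the dedicated bucket / repository ARNs. Statements for other services
    (logs, codecommit) are left unchanged for the operator to scope."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        actions = set(_as_list(stmt["Action"]))
        if actions <= S3_OBJECT_ACTIONS:
            stmt["Resource"] = [bucket_arn + "/*"]
        elif actions <= S3_BUCKET_ACTIONS:
            stmt["Resource"] = [bucket_arn]
        elif actions <= WILDCARD_ONLY:
            continue
        elif all(a.startswith("ecr:") for a in actions):
            stmt["Resource"] = [repo_arn]
    return scoped


if __name__ == "__main__":
    print("Wildcard statements:", wildcard_statements(POLICY))
    scoped = scope_policy(POLICY, BUCKET_ARN, REPO_ARN)
    print("Still wildcard after scoping:", wildcard_statements(scoped))
    print(json.dumps(scoped, indent=2))
```

Run as a script it prints the scoped document, which can be pasted into the IAM console in place of the one above. The CloudWatchLogsPolicy and CodeCommitPolicy statements are reported but left untouched, since the page does not name a log group or repository to scope them to. Note also that the statements above grant only ECR pull actions; whatever push permissions the build project is given should be restricted to the same repository ARN.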