Deploying Cube Cloud BYOC on AWS
With Bring Your Own Cloud (BYOC) on AWS, all the components interacting with private data are deployed on the customer infrastructure on AWS and managed by the Cube Cloud Control Plane via the Cube Cloud Operator. This document provides step-by-step instructions for deploying Cube Cloud BYOC on AWS.
Prerequisites
The bulk of provisioning work will be done remotely by Cube Cloud automation. However, to get started, you'll need to provide Cube with the necessary access along with some additional information that includes:
- AWS Account ID: The AWS account ID of the target deployment account the AWS Console (opens in a new tab).
- AWS Region: The AWS region (opens in a new tab) where Cube Cloud resources should be deployed.
In addition to that, you'll need to make sure you have sufficient access to create
the CubeCloudBYOC IAM role that would allow Cube Cloud to:
- Create and manage a VPC
- Create one or more EKS clusters
- Create necessary IAM roles and policies
- Configure VPC networking
- Run ec2 instances
- Manage ec2 autoscaling
- Manage S3 buckets
- Manage CloudWatch Logs
Provisioning access
Create a CubeCloudBYOC policy
Navigate to IAM->Policies and create a new policy called CubeCloudBYOC
with the following JSON content. Please substitute AWS_ACCOUNT_ID with your
actual account ID.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"ec2:DescribeAddresses",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePrefixLists",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:RunInstances",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:ListClusters",
"iam:GetRole",
"sts:DecodeAuthorizationMessage"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::cube-store-*"]
},
{
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:CreateInternetGateway",
"ec2:CreateLaunchTemplate",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:CreateVpcPeeringConnection",
"eks:CreateCluster",
"eks:CreateNodegroup",
"iam:CreateOpenIDConnectProvider",
"iam:PassRole",
"iam:TagOpenIDConnectProvider",
"logs:CreateLogDelivery",
"kms:TagResource",
"kms:CreateKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/Created-By": "CubeCloud"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteInstanceProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteServiceLinkedRole",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListOpenIDConnectProviderTags",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagInstanceProfile",
"iam:TagOpenIDConnectProvider",
"iam:TagPolicy",
"iam:TagRole"
],
"Resource": [
"arn:aws:iam::{AWS_ACCOUNT_ID}:instance-profile/CubeCloud*",
"arn:aws:iam::{AWS_ACCOUNT_ID}:instance-profile/cubeapp-*",
"arn:aws:iam::{AWS_ACCOUNT_ID}:instance-profile/cube-store-*",
"arn:aws:iam::{AWS_ACCOUNT_ID}:oidc-provider/oidc.eks.*",
"arn:aws:iam::{AWS_ACCOUNT_ID}:policy/CubeCloud*",
"arn:aws:iam::{AWS_ACCOUNT_ID}:policy/cubeapp-*",
"arn:aws:iam::{AWS_ACCOUNT_ID}:role/CubeCloud*",
"arn:aws:iam::{AWS_ACCOUNT_ID}:role/cubeapp-*",
"arn:aws:iam::{AWS_ACCOUNT_ID}:role/cube-store-*"
],
"Condition": {
"StringEquals": {
"iam:ResourceTag/Created-By": "CubeCloud"
}
}
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"eks.amazonaws.com",
"eks-nodegroup.amazonaws.com",
"eks-fargate.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Resource": ["*"],
"Condition": {
"StringEquals": {
"autoscaling:ResourceTag/Created-By": "CubeCloud"
}
}
},
{
"Effect": "Allow",
"Action": ["eks:*", "kms:*"],
"Resource": ["*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created-By": "CubeCloud"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:*"],
"Resource": ["*"],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Created-By": "CubeCloud"
}
}
}
]
}Creating a role
Navigate to IAM->Roles and create a new Role called CubeCloudBYOC. Select
AWS Account as the Trusted entity. Type and enter
arn:aws:iam::307491255751:root, which is the Cube Cloud BYOC provisioner
account. On the Add permissions page, find and select the CubeCloudBYOC
policy you created earlier. On the final Review and create page, edit the
Trust Policy to make it look like this.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::307491255751:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "cube-cloud-byoc"
}
}
}
]
}Make sure to include "sts:ExternalId": "cube-cloud-byoc" in the Condition section.
Deployment
The actual deployment will be done by Cube Cloud automation. All that's left to do is notify your Cube contact point that access has been granted, and pass along your Region/AWS Account ID information.