Unverified Commit f5bc2802 authored by Agustin Larreinegabe, committed by GitHub

Merge pull request #29 from bonitasoft/feat/cluster_role_BCD-193

feat: use iam role for cluster autodiscovery (fix BCD-193)
parents 654bf7a2 0ebfc7f9
......@@ -68,9 +68,51 @@ The following steps are required to set up AWS credentials for Ansible automatio
]
}
```
1. Create an IAM Policy to give [PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) permission in order to be able to associate a specific role with the EC2 instances of a cluster.
- **Policy name**: IAMPassRole
- **Policy document**:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": "*"
}
]
}
```
1. [Create an IAM Group](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html)
- **Group name**: bonita-provisioning
- Select the IAM Policies created previously
1. Create an IAM Policy to allow ec2 instances of a cluster to autodiscover themselves on a specific region (eg. us-west-2).
- **Policy name**: ClusterBCD_us-west-2
- **Policy document**:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeInstances"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Region": "us-west-2"
}
}
}
]
}
```
Pay attention that for security reasons, pushing AWS user credentials to EC2 instances, as done with BCD 1.0.x, are no longer supported.
1. [Create an IAM Role for an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html)
- Select EC2 to "Allows EC2 instances to call AWS services on your behalf."
- Select the IAM Policy created previously (ClusterBCD_us-west-2)
- **Role name**: ClusterBCD
1. [Create an IAM User](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html)
- **Access type**: Programmatic access
- Add user to the IAM group created previously
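Review bot: the IAMPassRole policy in this hunk grants `iam:PassRole` on `"Resource": "*"`, which lets the bonita-provisioning user attach any role in the account to EC2 instances, not only the ClusterBCD role the cluster needs; scope it to that role, e.g. `"Resource": "arn:aws:iam::<account-id>:role/ClusterBCD"` (account id left for the reader to fill in), optionally adding `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}` so the role can only be passed to EC2. The ClusterBCD policy itself is scoped as tightly as it can be: `ec2:DescribeInstances` does not support resource-level restrictions, so the `ec2:Region` condition is the right way to narrow it. Minor: the sentence "Pay attention that for security reasons, pushing AWS user credentials to EC2 instances, as done with BCD 1.0.x, are no longer supported." sits between two numbered steps and breaks the list; it should read "is no longer supported" and be indented under the preceding step or moved to a note paragraph above the list.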
......@@ -37,6 +37,7 @@ In case of AWS deployments. The configuration file value should be ```aws_vars`
|ec2_security_group_name|Y | |Security group name for the target instances |default|
|ec2_subnet_ids|Y | |Subnet id for the target instances |subnet-aa14e0cf|
|ec2_keypair|Y | |Key pair name for the target instances. Linked to ansible_private_key_file. |jenkins_ansible_us-west-2|
|ec2_discovery_iam_role|N| |Name of the IAM role to attach to EC2 instances to allow Hazelcast EC2 auto-discovery. This is MANDATORY when deploying a Bonita cluster on AWS with BCD.|ClusterBCD|
|boto_path|N|~/.boto|Path to the Boto file with the AWS credentials.||
|rds|N|false|Precises if we use RDS for the Bonita BPM databases or if we use a Docker container deployed in an EC2 instance instead (default)|true|
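Review bot: the new `ec2_discovery_iam_role` row marks the variable as not mandatory (`N`) while its description says it is MANDATORY for a Bonita cluster on AWS; the column should carry that condition explicitly, e.g. `N (Y for cluster deployments)`, so a reader scanning the Mandatory column does not skip it and end up with Hazelcast members unable to discover each other. It would also help to say that the value must be the name of the role created in the AWS credentials setup steps (ClusterBCD in the other file of this PR), since the example value alone does not make that link.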