Redis Labs Documentation > Redis Cloud > How Tos > Creating an AWS User

Creating an AWS User

Redis Cloud automatically manages your cluster and provisions instances when needed. In order for Redis Cloud to be able to manage AWS resources, you must have an AWS account that is separate from your AWS application account and a user on that separate AWS account.

Within that new AWS account, you need to create an instance role and a user with a specific policy. The user requires both UI console access and an Access Key so that Redis Cloud can programmatically create and manage AWS resources on your behalf. After you create the user, generate an Access Key for the user and save the key in a secure location. These keys are required when you create an Redis Cloud account.

Warning -

We use the provided credentials to configure your AWS environment and provision required resources.

We cannot operate or manage your database if you do these actions:

Manually change the configurations of provisioned resources, such as security groups
Manually stop or terminate provisioned instances

For more about creating an AWS user, see the AWS documentation.

Step 1: Create the IAM Instance Policy

First, create a policy to use for the new instance role:

In the AWS IAM console, go to Policies > Create policy.

In the JSON tab, paste the contents of the RedisLabsInstanceRolePolicy.json policy file.

View RedisLabsInstanceRolePolicy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EC2Tagged",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
                }
            }
        },
        {
            "Sid": "EBSVolumeActions",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:CreateVolume",
                "ec2:CreateTags",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3Object",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAM",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicy",
                "iam:ListPolicies"
            ],
            "Resource": "*"
        }
    ]
}

Validate it and press Review Policy.
Enter RedisLabsInstanceRolePolicy as the policy name and click Create Policy.

Step 2: Create the Role

Now create the role that uses the policy:

In AWS IAM console, go to Roles and click Create Role.
Select AWS Service as the trusted entity, EC2 as the service and use case, and click Next: Permissions.
Enter RedisLabsInstanceRolePolicy in the search box to lookup the policy we just created, select it, and click Next: Review.
Name the role redislabs-cluster-node-role and click Create Role.

Step 3: Create the User Policy

Now create a policy to assign to the user:

In AWS IAM console, go to Policies > Create policy.

In the JSON tab, paste the contents of the redislabsIAMUserRestrictedPolicy.json policy file.

View RedislabsIAMUserRestrictedPolicy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2DescribeAll",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchReadOnly",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IamUserOperations",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ChangePassword"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "RolePolicyUserReadActions",
            "Action": [
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:ListUsers",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "KeyPairActions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:ImportKeyPair"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateInstancesVolumesAndTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PassRlClusterNodeRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
        },
        {
            "Sid": "NetworkAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:*Vpc*",
                "ec2:*VpcPeering*",
                "ec2:*Subnet*",
                "ec2:*Gateway*",
                "ec2:*Vpn*",
                "ec2:*Route*",
                "ec2:*Address*",
                "ec2:*SecurityGroup*",
                "ec2:*NetworkAcl*",
                "ec2:*DhcpOptions*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteInstancesVolumesAndTagsWithIdentiferTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:DeleteVolume",
                "ec2:DetachVolume",
                "ec2:DeleteTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
                }
            }
        },
        {
            "Sid": "Support",
            "Effect": "Allow",
            "Action": "support:*",
            "Resource": "*"
        }
    ]
}

Validate the policy and click Review Policy.
Enter RedislabsIAMUserRestrictedPolicy as the policy name and click Create Policy.

Step 4: Create the User

Last, create a user and attach the policy you created:

In AWS IAM console, go to Users > select Add user.
Name it redislabs-user and select both Programmatic access and AWS Management Console access.
Set a password or auto-generate one, and click Next: Permissions.
Select Attach existing policies directly and select RedislabsIAMUserRestrictedPolicy from the list.
Click Next: Review.
Click Create user.
Download the user credentials and store them in a secure location.

Edit on GitHub

Top