Cross Account Linking
The first Accelerator user in an organization must set up cross account linking. Doing so gives Vertica Accelerator permission to create and manage the AWS resource stack required to administer your databases. This permission can be granted either by using the AWS Quick-Create Stack wizard or by creating and uploading a CloudFormation template (CFT) on AWS CloudFormation. The permission allows Accelerator to assume a cross-account IAM role and run commands in AWS on your behalf. It also grants permission to create, edit, and delete the AWS resources linked to Accelerator by creating 5 IAM policies and 1 IAM role.
Cross Account linking is a one-time setup for your entire organization.
Prerequisites
To establish a cross account link, you will need full IAM permissions. These permissions are held and granted by the AWS account holder.
If you are not the AWS account holder for your organization, you must contact the account holder and ask them to complete that part of the setup. Otherwise, that person must grant you the Administrator Access policy.
Providing Account Details
After you have confirmed the prerequisites, you will be asked to provide account details. As part of this process, the Accelerator UI will prompt you to enter the following:
- AWS account ID: Find the 12-digit Account ID on the AWS console by clicking on your username in the right-hand corner, or use the AWS CLI or API.
- S3 bucket prefix: This string will be used as a prefix for naming all new S3 buckets created by Vertica Accelerator for your organization.
Next, there are three options for setting up the AWS cross account link:
- AWS Quick-Create Stack
- Upload a Custom CFT File
- AWS CLI
On Accelerator’s “Cross Account Access” page, choose one of the above three options and follow the on-screen instructions to set up the AWS Cross Account link.
IAM Roles
Accelerator creates 5 IAM policies and attaches all policies to 1 IAM Role.
The policies are:
- vertica_bucket_management_policy: To create, list, and remove the S3 buckets that are created to store your data.
  Note: Accelerator cannot monitor or delete S3 buckets other than those starting with vertica_* in your account. Only resources following a set naming pattern (vertica_customer-name_region-database_name) can be managed by Accelerator.
- vertica_cloudwatch_management_policy: To manage CloudWatch events. Accelerator needs to receive events from your account in order to monitor the status of nodes.
- vertica_iam_management_policy: To create the 5 policies and the IAM role that Accelerator creates using the CFT.
- vertica_lambda_management_policy: Accelerator runs Lambda functions in order to manage only the resources that it created.
- vertica_vpc_ec2_management_policy: When Accelerator creates nodes as specified in the UI, it creates EC2 instances in your account. In order to manage (launch, terminate, start, stop, and hibernate) these EC2 instances, Accelerator requires some permissions.
Note: All of our permissions are scoped either to a specific resource (vertica_*) or to a specific naming pattern (vertica_* or *_vertica), so that they cover only resources created for Accelerator. We always try to minimize the permissions that customers grant us. Accelerator will not manage or track any resource that was not created by Vertica Accelerator. Accelerator cannot view your account settings, but it can launch the instances required to run your nodes.
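As an added example (not Vertica's own code, policy, or CFT), the following Python check parses an IAM policy document of the kind the CFT creates and flags any Allow statement whose Resource is not restricted to the vertica_* / *_vertica naming pattern described above. It assumes the naming pattern can be treated as a glob, and the sample policy and account ID are constructed placeholders.

```python
import fnmatch
import json

# Naming patterns this page says Accelerator's permissions are scoped to,
# treated here as glob patterns (an assumption of this added example).
ALLOWED_NAME_PATTERNS = ("vertica_*", "*_vertica")

def arn_is_scoped(arn: str) -> bool:
    """True if some ':'- or '/'-separated segment of the ARN matches an allowed
    naming pattern; a bare '*' resource is never considered scoped."""
    if arn.strip() == "*":
        return False
    segments = arn.replace("/", ":").split(":")
    return any(fnmatch.fnmatchcase(seg, pat)
               for seg in segments for pat in ALLOWED_NAME_PATTERNS)

def find_overbroad_statements(policy: dict) -> list:
    """Return (Sid, Resource) pairs for Allow statements whose Resource falls
    outside the naming pattern and that carry no Condition block (conditioned
    grants, e.g. tag-based EC2 scoping, are left for manual review)."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if not arn_is_scoped(res):
                findings.append((stmt.get("Sid", "<no Sid>"), res))
    return findings

# Constructed sample policy document; the account ID is a placeholder.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BucketMgmt", "Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::vertica_*", "arn:aws:s3:::vertica_*/*"]},
    {"Sid": "LambdaMgmt", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:*_vertica"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "ec2:TerminateInstances",
     "Resource": "*"}
  ]
}""")
```

Calling find_overbroad_statements(SAMPLE_POLICY) returns [("TooBroad", "*")], the one statement that grants an action on a resource outside the naming pattern; run it against the policies the CFT actually created to confirm they are scoped as described.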