Note: Creating the IAM policy, role, and instance profile for a OneFS cluster is a one-time activity per AWS account. The same policy, role, and instance profile are reused when deploying additional clusters in that account.
Cluster nodes require an instance profile to be attached. The minimum permission required is ec2:AssignPrivateIpAddresses on network interfaces, which is defined in onefs-runtime-policy.json.
AWS CLI instructions
- Save the onefs-runtime-policy.json content as a .json file named onefs-runtime-policy.json, and replace <aws_account_id> with your AWS account ID.
- Open a command shell that has the AWS CLI installed (Windows CMD in this guide) and change to the directory that stores the required .json files. This guide uses C:\json-files-template as the example directory.
> cd C:\json-files-template
- Create the IAM policy and note the Policy.Arn field of the created policy. It is arn:aws:iam::551948851026:policy/onefs-runtime-policy in the following output example.
> aws iam create-policy --policy-name onefs-runtime-policy --policy-document file://onefs-runtime-policy.json
Command output example:
{
    "Policy": {
        "PolicyName": "onefs-runtime-policy",
        "PolicyId": "ANPAYBAVXC5JA25QNSXQA",
        "Arn": "arn:aws:iam::551948851026:policy/onefs-runtime-policy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2022-11-17T08:14:23+00:00",
        "UpdateDate": "2022-11-17T08:14:23+00:00"
    }
}
- Create the IAM role, using onefs-runtime-assume-role.json as its trust (assume role) policy document.
> aws iam create-role --role-name onefs-runtime-role --assume-role-policy-document file://onefs-runtime-assume-role.json
- Use the policy ARN from step 3 to attach the policy to the role.
> aws iam attach-role-policy --role-name onefs-runtime-role --policy-arn arn:aws:iam::551948851026:policy/onefs-runtime-policy
- Now create the instance profile named onefs-runtime-instance-profile.
> aws iam create-instance-profile --instance-profile-name onefs-runtime-instance-profile
- Finally, attach the role to the instance profile.
> aws iam add-role-to-instance-profile --instance-profile-name onefs-runtime-instance-profile --role-name onefs-runtime-role
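A pre-flight check for the two JSON documents used above, added here as example code (not Dell's or AWS's): it substitutes <aws_account_id> as in step 1 and then flags anything that would make the runtime policy broader than the stated minimum (actions other than ec2:AssignPrivateIpAddresses, resources not scoped to this account's network interfaces, a forgotten placeholder) or let a principal other than the EC2 service assume the role. POLICY_TEMPLATE and TRUST_POLICY are constructed stand-ins for onefs-runtime-policy.json and onefs-runtime-assume-role.json, whose real contents are not shown on this page.

```python
# Added example (not Dell's or AWS's code): pre-flight checks for the two IAM documents.
import json, re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits
NIC_ARN_RE = re.compile(r"^arn:aws:ec2:[^:]*:(\d{12}):network-interface/\*$")
ALLOWED_ACTIONS = {"ec2:AssignPrivateIpAddresses"}  # the page's stated minimum

# Constructed stand-in for onefs-runtime-policy.json; the real file is not on the page.
POLICY_TEMPLATE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:AssignPrivateIpAddresses"],
    "Resource": "arn:aws:ec2:*:<aws_account_id>:network-interface/*"}]}
# Constructed stand-in for onefs-runtime-assume-role.json (trust only the EC2 service).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def render_policy(template, account_id):
    """Step 1 of the CLI procedure: substitute <aws_account_id> after validating it."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return json.loads(json.dumps(template).replace("<aws_account_id>", account_id))

def policy_problems(policy, account_id):
    """Findings that widen the runtime policy; a leftover placeholder also fails the ARN parse."""
    problems = []
    for stmt in policy.get("Statement", []):
        for action in as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                problems.append(f"unexpected action {action}")
        for res in as_list(stmt.get("Resource", [])):
            m = NIC_ARN_RE.match(res)
            if not m:
                problems.append(f"resource not scoped to network interfaces: {res}")
            elif m.group(1) != account_id:
                problems.append(f"resource scoped to another account: {res}")
    return problems

def trust_problems(trust):
    """The role must be assumable only by EC2 (console step: AWS service / EC2 use case)."""
    problems = []
    for stmt in trust.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("trust policy allows any principal")
        elif not isinstance(principal, dict) or principal.get("Service") != "ec2.amazonaws.com":
            problems.append(f"unexpected principal {principal}")
    return problems
```

Run both checks against the files after editing them and before the create-policy and create-role commands; an empty findings list for each means the documents match what this procedure expects.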
AWS Management Console instructions
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane on the left, choose Policies, and then choose Create policy.
- Choose the JSON tab.
- Copy the contents of onefs-runtime-policy.json, and replace the <aws_account_id> with your AWS account ID.
- Paste the modified contents of onefs-runtime-policy.json into the JSON tab. See the example in Figure 3.
Figure 3. OneFS runtime policy
- Choose Next: Tags.
- Choose Next: Review.
- On the Review policy page, type “onefs-runtime-policy” in the Name field. Then choose Create policy to complete the creation.
- Next, we will create an IAM role. Open the IAM console and in the navigation pane on the left, choose Roles, and then choose Create role.
- Under Select trusted entity, choose AWS service for Trusted entity type and EC2 for Use case. Then choose Next.
- Search for the IAM policy onefs-runtime-policy, select it, and then choose Next.
Figure 4. Add IAM policy
- Type onefs-runtime-role in the Role name field.
- Scroll down to the end and choose Create role to finish creating the role.
Note: When you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile with the same name as the role, so you now also have an instance profile named onefs-runtime-role. For more details, see the AWS documentation Using instance profiles.