Deploy Scylla Cloud - Bring Your Own Account

This document explains how to use the Scylla Cloud Bring Your Own Account (BYOA) wizard to set up a Scylla Cloud managed cluster in your own AWS account. Scylla Cloud BYOA lets Scylla Cloud customers have the cloud resources allocated in their own AWS account (as opposed to allocating them in a Scylla-owned account). The wizard requires you to interact with your AWS account, collect information from it, and paste that information from the AWS screens into the Scylla Cloud wizard.

By the end of this procedure, you will be able to use Scylla Cloud to create ScyllaDB clusters using the resources from your AWS account.

You can choose to have a dedicated AWS sub-account for Scylla Cloud by using AWS Organizations and following the procedure using this dedicated account. If you choose not to use an AWS Organization and a dedicated account, you can follow this procedure in your main AWS account.

Caution

Deploying Scylla Cloud Bring Your Own Account grants Scylla Cloud access to your database resources. We strongly recommend not changing or removing any of the resources you create for the Scylla Cloud role, or any of its policies, so that the database services remain correctly set up and functioning in line with your company's security policy.

Prerequisites

Before you begin:

  • Confirm you have filled in the registration page and signed up to Scylla Cloud service.

  • Confirm that your AWS account has the correct account limits (Instances, VPCs, Elastic IPs, Cloudformation Stacks, etc). See AWS Account Limits and AWS Credentials below.

Workflow

  1. Add AWS Account Details: add your AWS account details and start the cluster creation process.

  2. Define a Boundary Policy for Scylla Cloud on your AWS account

  3. Create a Scylla Cloud policy for your AWS account

  4. Create a Scylla Cloud Role and give it specific privileges

  5. Create the cluster and set it to run Scylla Cloud from your AWS account

Add AWS Account Details

  1. From the My Clusters Screen, click Add New Cluster.

  2. In the Deployment drop-down, select Deploy the cluster in your own AWS account.

     If BYOA is already defined, continue by choosing your Scylla version and instance type. If BYOA is not defined, a wizard popup guides you through setting it up.

  3. Enter your AWS Account ID where indicated and click Get Started.

Define a Boundary Policy

  1. Define a policy to limit Scylla Cloud's permissions in your AWS account. Use the policy file provided in the wizard to define a new policy named ScyllaCloudBoundary. This policy restricts Scylla Cloud's permissions on your AWS account and is used in later steps.

  2. From the AWS console, navigate to IAM Services > Policies and click Create Policy.

  3. Click the JSON tab.

  4. From the Scylla Cloud wizard, copy the policy JSON by clicking the copy button.

  5. Paste the contents into the AWS JSON editor. In the AWS editor, click Next.

  6. Click Review Policy, name the policy ScyllaCloudBoundary where indicated, and click Create Policy.

  7. Navigate to the Policies main window, search for the ScyllaCloudBoundary policy and click on it to open the policy details.

  8. Copy the Policy ARN (output should be similar to the following example: arn:aws:iam::734708892259:policy/ScyllaCloudBoundary).

  9. In the Scylla Cloud wizard Boundary Policy ARN field, paste the Policy ARN you copied in the previous step.

  10. Confirm the details are correct in the Summary screen. Your screen should be similar to the boundary ARN summary screenshot (boundary-arn-summary.png).

  11. Click Next: Create Cloud Policy.

Create a Scylla Cloud policy

Create a new policy named ScyllaCloud to manage the Scylla Cloud role and resources.

  1. From the AWS console, navigate to IAM Services > Policies and click Create Policy

  2. Click the JSON tab.

  3. From the Scylla Cloud wizard, copy the policy JSON by clicking the copy button.

  4. Paste the contents into the AWS JSON editor. In the AWS editor, click Next.

  5. Click Review Policy.

  6. Where indicated name the policy ScyllaCloud (no other name can be used).

  7. Click Create Policy.

  8. Navigate to the Policies main window, search for the ScyllaCloud policy and click on it to open the policy details.

  9. Copy the Policy ARN (output should be similar to the following example: arn:aws:iam::734708892259:policy/ScyllaCloud).

  10. In the Scylla Cloud wizard Cloud Policy ARN field, paste the Policy ARN you copied in the previous step.

  11. Confirm the details are correct in the Summary screen. Your screen should be similar to the policy ARN summary screenshot (policy-arn-summary.png).

  12. Click Next: Create Role.

Create a Scylla Cloud Role

  1. From the AWS console, navigate to IAM > Roles and click on Create Role.

  2. When asked for the type of trusted entity, select Another AWS account and enter the Scylla Production Account ID shown in the Scylla Cloud wizard.

  3. Check Require external ID and fill in the following:

    • From the Scylla Cloud wizard, copy the External ID by clicking the copy button and paste it into the AWS External ID field.

    • Treat this string as a password and keep it secure.

    • Save the string, as you will need it later.

    Note

    Require MFA should NOT be checked

  4. From the AWS Create Role Screen, click Next: Permissions.

  5. Search for the policy ScyllaCloud and check it.

  6. Click Next: Add Tags. Add any tags you want, or skip this step.

  7. Click Next: Review and fill in the following fields:

    • In Role Name Enter ScyllaCloud

    • Role Description is optional. Enter any description that makes sense to you, as this is only for your usage.

  8. Click Create Role. Make sure the ScyllaCloud role now appears in the Roles list.

  9. Navigate to the Roles main window, search for the ScyllaCloud role and click on it to open the role details.

  10. Copy the Role ARN (example: arn:aws:iam::734708892259:role/ScyllaCloud).

  11. In the Scylla Cloud wizard Cloud Role ARN field, paste the Role ARN you copied in the previous step.

  12. Click Next: Complete the Cloud Account Setup.

  13. Confirm the details are correct in the Summary screen. Your screen should be similar to the role ARN summary screenshot (role-arn-summary.png).

  14. Confirm you receive a success message; otherwise, restart the Scylla Cloud wizard.

  15. Click Next: Complete the Cloud Account Setup.
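Before pasting the Role ARN into the wizard, it is worth checking that the trust policy AWS generated for the ScyllaCloud role has exactly the shape the steps above require: the only principal is the Scylla production account, the External ID from the wizard is enforced through an sts:ExternalId condition, and no MFA condition is present (a service assuming the role cannot satisfy one). The following check is an added example written for this page, not Scylla's code; the account ID and External ID it uses are constructed placeholders, and the policy documents are constructed samples of what the console produces for "Another AWS account" with "Require external ID" checked. Feed it the output of `aws iam get-role` (the AssumeRolePolicyDocument field) to audit a real role.

```python
"""Verify a ScyllaCloud role trust policy before pasting the Role ARN into the wizard.

Added example (not Scylla's code). Account ID and External ID are constructed
placeholders; substitute the values shown in the Scylla Cloud wizard.
"""
import json

SCYLLA_ACCOUNT_ID = "111122223333"           # constructed placeholder
EXTERNAL_ID = "c0ffee-0000-example-ext-id"   # constructed placeholder


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc_json, expected_account, expected_external_id):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    doc = json.loads(doc_json)
    findings = []
    statements = [
        s for s in _as_list(doc.get("Statement", []))
        if s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
    ]
    if not statements:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in statements:
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("principal is '*': any AWS account could assume the role")
            principals = []
        else:
            principals = _as_list(principal.get("AWS", []))
            if "Service" in principal or "Federated" in principal:
                findings.append("non-account principal type present")
        for p in principals:
            # Accept the account root ARN or bare account ID; anything else is a mistake.
            if p == "*" or expected_account not in p:
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {})
        ext_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition (Require external ID unchecked?)")
        elif ext_id != expected_external_id:
            findings.append("sts:ExternalId does not match the value from the wizard")
        if "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            findings.append("MFA condition present: Require MFA must not be checked")
    return findings


def _trust_policy(principal, condition):
    """Build a constructed trust policy document (JSON string) for the samples below."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": principal,
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    })


# Constructed sample: what the console generates for "Another AWS account"
# with "Require external ID" checked.
GOOD_TRUST_POLICY = _trust_policy(
    {"AWS": f"arn:aws:iam::{SCYLLA_ACCOUNT_ID}:root"},
    {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
)
# Constructed samples of common mistakes: External ID left out, MFA required,
# wrong account entered.
NO_EXTERNAL_ID_POLICY = _trust_policy(
    {"AWS": f"arn:aws:iam::{SCYLLA_ACCOUNT_ID}:root"}, {})
MFA_POLICY = _trust_policy(
    {"AWS": f"arn:aws:iam::{SCYLLA_ACCOUNT_ID}:root"},
    {"StringEquals": {"sts:ExternalId": EXTERNAL_ID},
     "Bool": {"aws:MultiFactorAuthPresent": "true"}},
)
WRONG_ACCOUNT_POLICY = _trust_policy(
    {"AWS": "arn:aws:iam::999999999999:root"},
    {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
)

if __name__ == "__main__":
    for name, doc in [("good", GOOD_TRUST_POLICY), ("no-ext-id", NO_EXTERNAL_ID_POLICY),
                      ("mfa", MFA_POLICY), ("wrong-account", WRONG_ACCOUNT_POLICY)]:
        print(name, check_trust_policy(doc, SCYLLA_ACCOUNT_ID, EXTERNAL_ID) or "OK")
```

The External ID check matters because, without it, any party that learns your Role ARN and can talk Scylla Cloud into using it could have Scylla's account act on your resources (the confused deputy problem); the check on the principal matters because a typo in the Scylla account ID hands the role to whoever owns the mistyped account.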

Create the cluster

  1. From the Create Cluster screen, in the Deployment field, confirm Deploy the cluster in your own AWS account is selected and launch a new cluster. The cluster will run in your AWS account.

  2. Validate from your AWS console that the instances are listed. When the cluster is up and running, you will see it in your EC2 console. Search for the tag Scylla Cloud to identify managed Scylla Cloud instances, including ScyllaDB nodes, Scylla Monitor, and Scylla Manager.

Congratulations! You are done. You can now run a Scylla cluster in your own account.

Note

The sections that follow are for reference purposes only. There is no need to execute them once the setup is complete.

AWS Account Limits

Make sure you request the following limit increases in your AWS account for the resources Scylla Cloud will use. Repeat the request for each region you plan to use. The values below are in addition to your existing resource allocation.

Use AWS Service Quotas to increase the following resource limits:

Service Name                                  Additional Requested Value   Quota Name
Amazon Virtual Private Cloud (Amazon VPC)     50                           VPCs per region
Amazon Elastic Compute Cloud (Amazon EC2)     200                          EC2-VPC Elastic IPs
Amazon Elastic Compute Cloud (Amazon EC2)     1000 (see note)              Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances
Amazon Simple Storage Service (Amazon S3)     50                           Buckets
AWS CloudFormation                            100                          Stack count

Note

You can use this helper script to quickly list relevant quotas for your account.

Note

1000 is not a limit on the number of instances but on vCPUs. Every launched instance of any of the listed instance families (A, C, D, H, I, M, R, T, Z) contributes its vCPU count towards this quota. See more in this AWS blog.

AWS Credentials

Scylla Cloud requires the following IAM permissions to manage its service while deployed in your AWS account. Each purpose below is followed by the actions it requires.

Manage versions of only the policy Scylla Cloud creates for access to its S3 backup bucket, with no access to any other policy

  • iam:CreatePolicyVersion

  • iam:DeletePolicy

  • iam:DeletePolicyVersion

  • iam:SetDefaultPolicyVersion

Create/expand clusters

  • ec2:CreateKeyPair

  • ec2:ImportKeyPair

  • ec2:DeleteKeyPair

  • cloudformation:ValidateTemplate

  • ec2:Describe*

  • ec2:AllocateAddress

  • ec2:AssociateAddress

  • ec2:CreateInternetGateway

  • ec2:AttachInternetGateway

  • ec2:CreateVpc

  • ec2:ModifyVpcAttribute

  • ec2:CreateTags

  • ec2:CreateSecurityGroup

  • ec2:CreateSubnet

  • ec2:ModifySubnetAttribute

  • ec2:CreateRouteTable

  • ec2:AssociateRouteTable

  • ec2:CreateNetworkInterface

  • ec2:ModifyNetworkInterfaceAttribute

  • ec2:CreateRoute

  • ec2:RunInstances

  • ec2:DescribeInstances

  • ec2:ReleaseAddress

  • ec2:DisassociateAddress

  • ec2:DisassociateRouteTable

  • ec2:DeleteNetworkInterface

  • ec2:DeleteRoute

  • ec2:DeleteRouteTable

  • ec2:DeleteInternetGateway

  • ec2:CreateVpcPeeringConnection

  • ec2:AcceptVpcPeeringConnection

  • ec2:DeleteVpcPeeringConnection

Delete clusters

  • ec2:TerminateInstances

  • ec2:DeleteSecurityGroup

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:RevokeSecurityGroupIngress

  • ec2:DetachInternetGateway

  • ec2:DeleteSubnet

  • ec2:DeleteVpc

  • cloudformation:DeleteStack

  • cloudformation:CreateStack

  • cloudformation:Describe*

Create a backup bucket on S3

  • s3:CreateBucket

  • s3:PutBucketTagging

Grant each Scylla instance access to its S3 backup bucket

  • iam:CreateRole

  • iam:AttachRolePolicy

  • iam:DetachRolePolicy

  • iam:PassRole

  • iam:CreatePolicy

  • iam:CreateInstanceProfile

  • iam:AddRoleToInstanceProfile

  • ec2:AssociateIamInstanceProfile

Validate that security policy is complete and up-to-date

  • iam:GetPolicy

  • iam:GetPolicyVersion
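Because the ScyllaCloud policy is pasted from the wizard rather than authored by you, a practitioner will want to confirm that what lands in the account grants no more than the actions listed above. The audit below is an added example for this page, not Scylla's code. It parses an IAM policy document, collects every Allow-ed action (IAM action names are case-insensitive, so everything is compared lower-cased), and reports anything outside the documented set. A concrete action such as ec2:DescribeVpcs is accepted under the documented ec2:Describe* wildcard, but a wildcard in the policy itself (ec2:*, iam:*, *) is accepted only if the table lists that exact pattern. The two policy documents it ships with are constructed samples; replace POLICY_UNDER_REVIEW with the JSON copied from the wizard.

```python
"""Audit the Allow-ed actions of an IAM policy against the documented Scylla Cloud set.

Added example (not Scylla's code). The policy documents below are constructed
samples; POLICY_UNDER_REVIEW stands in for the JSON copied from the wizard.
"""
import fnmatch
import json

# Actions from the AWS Credentials table, lower-cased because IAM matches
# action names case-insensitively. The two Describe* entries are the only
# wildcards the table itself uses.
EXPECTED_ACTIONS = {a.lower() for a in (
    # manage versions of the S3 backup policy only
    "iam:CreatePolicyVersion iam:DeletePolicy iam:DeletePolicyVersion "
    "iam:SetDefaultPolicyVersion "
    # create/expand clusters
    "ec2:CreateKeyPair ec2:ImportKeyPair ec2:DeleteKeyPair "
    "cloudformation:ValidateTemplate ec2:Describe* ec2:AllocateAddress "
    "ec2:AssociateAddress ec2:CreateInternetGateway ec2:AttachInternetGateway "
    "ec2:CreateVpc ec2:ModifyVpcAttribute ec2:CreateTags ec2:CreateSecurityGroup "
    "ec2:CreateSubnet ec2:ModifySubnetAttribute ec2:CreateRouteTable "
    "ec2:AssociateRouteTable ec2:CreateNetworkInterface "
    "ec2:ModifyNetworkInterfaceAttribute ec2:CreateRoute ec2:RunInstances "
    "ec2:DescribeInstances ec2:ReleaseAddress ec2:DisassociateAddress "
    "ec2:DisassociateRouteTable ec2:DeleteNetworkInterface ec2:DeleteRoute "
    "ec2:DeleteRouteTable ec2:DeleteInternetGateway ec2:CreateVpcPeeringConnection "
    "ec2:AcceptVpcPeeringConnection ec2:DeleteVpcPeeringConnection "
    # delete clusters
    "ec2:TerminateInstances ec2:DeleteSecurityGroup ec2:AuthorizeSecurityGroupIngress "
    "ec2:RevokeSecurityGroupIngress ec2:DetachInternetGateway ec2:DeleteSubnet "
    "ec2:DeleteVpc cloudformation:DeleteStack cloudformation:CreateStack "
    "cloudformation:Describe* "
    # backup bucket and per-instance access to it
    "s3:CreateBucket s3:PutBucketTagging iam:CreateRole iam:AttachRolePolicy "
    "iam:DetachRolePolicy iam:PassRole iam:CreatePolicy iam:CreateInstanceProfile "
    "iam:AddRoleToInstanceProfile ec2:AssociateIamInstanceProfile "
    # validate that the policy is complete and current
    "iam:GetPolicy iam:GetPolicyVersion"
).split()}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy_actions(doc_json, expected=EXPECTED_ACTIONS):
    """Return the sorted list of Allow-ed actions that `expected` does not cover."""
    doc = json.loads(doc_json)
    unexpected = set()
    wildcards = [p for p in expected if "*" in p]
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        if "NotAction" in stmt:           # "everything except" grants are never in scope
            unexpected.add("NotAction=" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            a = action.lower()
            if a in expected:
                continue
            # A concrete action may be covered by a documented wildcard; a
            # wildcard in the policy must itself be listed to be accepted.
            if "*" not in a and any(fnmatch.fnmatchcase(a, pat) for pat in wildcards):
                continue
            unexpected.add(action)
    return sorted(unexpected)


def _policy(actions):
    """Constructed sample policy granting `actions` on all resources."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": actions,
                                      "Resource": "*"}]})


# Constructed samples: one within the documented set, one with two over-broad grants.
POLICY_UNDER_REVIEW = _policy(["ec2:Describe*", "ec2:DescribeVpcs", "ec2:RunInstances",
                               "cloudformation:CreateStack", "iam:PassRole"])
OVERBROAD_POLICY = _policy(["ec2:Describe*", "ec2:RunInstances", "iam:*", "s3:*"])

if __name__ == "__main__":
    print("review:", audit_policy_actions(POLICY_UNDER_REVIEW) or "within documented set")
    print("overbroad:", audit_policy_actions(OVERBROAD_POLICY))
```

The audit covers the Action field only. It deliberately does not judge Resource or Condition elements, since the table above documents actions, not resource scoping; an action that passes this check can still be broader than intended if its statement uses `"Resource": "*"` where a narrower ARN would do.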