Setting up cloud resources for reduced permissions mode

Learn how to activate environments on AWS using the reduced permissions mode in Cloudera Data Warehouse. In this mode, you must manually create and delete the CloudFormation stack in the AWS Console.

Required role: EnvironmentAdmin or PowerUser

When you activate an AWS environment for Cloudera Data Warehouse, if you do not have the standard required IAM permissions, the following message displays in the environment tile of the Cloudera Data Warehouse UI, which provides a link to the AWS Console:

Click the link and perform the following listed steps to navigate
to the AWS Console and create the CloudFormation stack.

Because you need to use the AWS Console to manually create your CloudFormation stack for Cloudera Data Warehouse environment activation, in another browser tab, log into your AWS account before you begin. Make sure that the IAM entity logged in has the two AWS restricted policies described in "AWS restricted policies".
You must also have the AWS CLI and the kubectl CLI configured and available on your system to apply the kubeconfig that Cloudera Data Warehouse provides in Step 10 below.

important

Make sure you have the time to complete the task of creating your CloudFormation stack in reduced permissions mode in one sitting. This can take up to 20 minutes. Otherwise, if the creation process outlined below is delayed in the AWS Console for more than an hour, the Cloudera Data Warehouse environment activation times out and the environment will go into an error state.
Make sure that the IAM entity you use to log into the AWS Console has adequate permissions to create CloudFormation stacks and to run kubectl commands on your AWS environment.
Make note of the name of the IAM entity you use because you must use it to log in using a terminal window again in Step 10c. of the following procedure.

In the Cloudera Data Warehouse UI Overview page, go to the Environments tab.
Locate the environment you want to activate, and click Activate.
If the system detects that you do not have the standard required IAM permissions on your AWS account for automatic CloudFormation stack creation by Cloudera Data Warehouse, it displays the following message in the tile:
```
Step 1 of 2: Insufficient permissions! Visit AWS Console to Create Stack
and come back. Creating a stack will take up to 15 minutes.
```
This message asks you to navigate to the AWS Console to manually create the CloudFormation stack.
Click the link Visit AWS Console to Create Stack and the AWS Console opens on the CloudFormation > Stacks > Create Stack page that is pre-populated with a template in another browser tab.
In the Create Stack page, click Next to advance to the Specify stack details page.

important
Do not change any configurations on the Specify stack details page, including the Stack Name.
In the Specify stack details page, click Next to advance to the Configure stack options page where you can specify the required tags for your stack resources. See "Required tags for CloudFormation stacks," which is linked to at the bottom of this page for a list of required tags.
After adding the required tags, do not set the remaining options on the page. Scroll down to the bottom of the page and click Next to advance to the Review <env-stack-name> page.
On the Review <env-stack-name> page, scroll down to the bottom, click the I acknowledge that AWS CloudFormation might create IAM resources check box, and then click Create Stack.

note
Stack creation can take up to 20 minutes depending on network traffic and load. The Cloudera Data Warehouse UI monitors AWS stack creation and displays a "Creating" message in the environment tile.
After stack creation has completed, a message displays in the Cloudera Data Warehouse UI environment tile. Click the Open Configurations link and a Configurations dialog box displays.
In the Configurations dialog box, perform the following steps:
1. Copy the Kubeconfig text to your system clipboard and save it into a text file on your system.
2. Copy the Aws Auth text to your system clipboard and save it into a text file on your system. The Aws Auth text provides the IAM cross-account role that is registered in Cloudera to access the EKS cluster on AWS after you perform the kubectl command in the next step.
3. In a terminal window, verify that the AWS CLI is configured to use the same IAM entity that you used to create the CloudFormation stack in Step 8. Then, using the kubectl CLI, run the following commands to apply configurations from the two text files that you created in Step 10b:
```
$> export KUBECONFIG=<path-to-the-Kubeconfig-text-file>
```
```
$> kubectl apply -f <path-to-the-Aws-Auth-text-file>
```
Look for shell output "configmap/aws-auth created" to confirm the configuration was applied correctly.

If you deployed the CloudFormation stack with a federated user using the AWS console, you need to execute the commands mentioned in 10c (above) in the AWS CloudShell. You might need to manually install the kubectl command in the CloudShell.
Back in the Cloudera Data Warehouse UI Configurations dialog box, select Yes, Kubeconfig and AWS Auth configuration are applied checkbox, and then click Finish Activation.

After clicking Finish Activation, the environment is activated and the tile displays a starting message.