Setting up cloud resources for reduced permissions mode
Learn how to activate environments on AWS using the reduced permissions mode in Cloudera Data Warehouse (CDW). In this mode, you must manually create and delete the CloudFormation stack in the AWS Console.
Required role: EnvironmentAdmin or PowerUser
When you activate an AWS environment for CDW, if you do not have the standard required IAM permissions, the following message displays in the environment tile of the CDW UI, which provides a link to the AWS Console:
Click the link and perform the following listed steps to navigate to the AWS Console and create the CloudFormation stack.
- Because you need to use the AWS Console to manually create your CloudFormation stack for CDW environment activation, in another browser tab, log into your AWS account before you begin. Make sure that the IAM entity logged in has all the permissions listed in "Standard required IAM permissions," which is linked to at the bottom of this page.
- You must also have the AWS CLI and the
kubectlCLI configured and available on your system to apply the kubeconfig that CDW provides in Step 10 below.
- In the CDW UI Overview page, expand the Environments column by clicking the More… menu.
- In the Environments column, click the search icon to locate the environment you want to activate, and click the activation icon.
If the system detects that you do not have the standard required IAM permissions on
your AWS account for automatic CloudFormation stack creation by CDW, it displays the
following message in the tile:
Step 1 of 2: Insufficient permissions! Visit AWS Console to Create Stack and come back. Creating a stack will take up to 15 minutes.
This message asks you to navigate to the AWS Console to manually create the CloudFormation stack.
- Click the link Visit AWS Console to Create Stack and the AWS Console opens on the page that is pre-populated with a template in another browser tab.
In the Create Stack page, click Next
to advance to the Specify stack details page.
- In the Specify stack details page, click Next to advance to the Configure stack options page where you can specify the required tags for your stack resources. See "Required tags for CloudFormation stacks," which is linked to at the bottom of this page for a list of required tags.
- After adding the required tags, do not set the remaining options on the page. Scroll down to the bottom of the page and click Next to advance to the Review <env-stack-name> page.
On the Review <env-stack-name>
page, scroll down to the bottom, click the I acknowledge that AWS
CloudFormation might create IAM resources check box, and then click
- After stack creation has completed, a message displays in the CDW UI environment tile. Click the Open Configurations link and a Configurations dialog box displays.
In the Configurations dialog box, perform the following
- Copy the Kubeconfig text to your system clipboard and save it into a text file on your system.
- Copy the Aws Auth text to your system clipboard and save
it into a text file on your system. The Aws Auth text provides the IAM
cross-account role that is registered in CDP to access the EKS cluster on AWS
after you perform the
kubectlcommand in the next step.
- In a terminal window, verify that the AWS CLI is configured to use the same IAM
entity that you used to create the CloudFormation stack in Step 8. Then, using the
kubectlCLI, run the following commands to apply configurations from the two text files that you created in Step 10b:
$> export KUBECONFIG=<path-to-the-Kubeconfig-text-file>
$> kubectl apply -f <path-to-the-Aws-Auth-text-file>
configmap/aws-authappears if the configuration was applied correctly.
If you deployed the CloudFormation stack with a federated user using the AWS console, you need to execute the commands mentioned in 10c (above) in the AWS CloudShell. You might need to manually install the kubectl command in the CloudShell.
- Back in the CDW UI Configurations dialog box, select Yes, Kubeconfig and AWS Auth configuration are applied checkbox, and then click Finish Activation.