Skip to content

Updated VPC Docs Page #1645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 22, 2024
Merged

Updated VPC Docs Page #1645

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3c0d946
Updated VPC Page
SilasMarvin Oct 16, 2024
c889c7a
Wording
SilasMarvin Oct 16, 2024
4c7ed78
Update required permissions
SilasMarvin Oct 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 89 additions & 0 deletions pgml-cms/docs/cloud/enterprise/vpc.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,92 @@ PostgresML can be launched in your Virtual Private Cloud (VPC) account on AWS, A
The PostgresML control plane provides a complete management solution to control the resources in your cloud account:
- Responsible for PostgresML instance launches, backups, monitoring and failover operations. This requires permission to create and destroy AWS EC2, EBS and AMI resources inside the designated VPC.
- Does not read/write any data inside PostgresML databases other than status metadata inside system tables or the pgml schema necessary to perform the previously mentioned operations.

## Creating an AWS role for VPC

To launch a VPC in AWS you must have a user with the correct permissions.

1. Sign in to the AWS Management Console and open the IAM console.
2. In the navigation pane, choose "Roles" and then "Create role".
3. Select "AWS account" as the trusted entity type, and choose "This account".
4. Click "Next" to proceed to permissions.
5. Click "Create policy" and switch to the JSON tab.
6. Paste the following policy document:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:CreateTags",
"ec2:DescribeKeyPairs",
"ec2:DescribeRouteTables",
"ec2:DescribeRegions",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"imagebuilder:CreateImage",
"imagebuilder:CreateImagePipeline",
"iam:SimulatePrincipalPolicy",
"iam:PassRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:GetInstanceProfile",
"iam:ListAttachedRolePolicies",
"iam:AttachRolePolicy",
"iam:AddRoleToInstanceProfile",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutBucketPolicy",
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"s3:PutBucketTagging",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:Decrypt",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:GenerateDataKey",
"kms:GenerateDataKeyPair",
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*"
}
]
}
```
7. Review and create the policy, giving it a descriptive name like "PGMLVPCSetupPolicy".
8. Back in the role creation process, attach this newly created policy to the role.
9. Name the role (e.g., "PGMLVPCSetupRole") and create it.
10. Go to the IAM Users section, select your user, and attach the created role.
11. Generate new access keys for this user if you haven't already.