InstallAWSRoles

thalli000 edited this page Apr 23, 2020 · 1 revision

AWS Roles and Permissions

Template Location

./deploy/endpoint/aws/AWS-Roles-CloudFormation.json

Roles

The CloudFormation template that deploys the endpoints requires a number of roles to exist first, so that each component's access is limited to what it needs. The template at the path above is specific to creating those roles.

Installation

  1. Deploy the AWS-Roles-CloudFormation stack via AWS CloudFormation.
  2. Open the roles created by the stack in AWS IAM.
  3. Copy the ARN of each role created by the stack. The ARNs are needed to deploy the rest of the components.

Role Specifications

Roles

Role | Policies
--- | ---
POP.UnifiedEndpoint.app | AWSLambdaVPCAccessExecutionRole, CustomerManaged-POP.SQSEditor, CustomerManaged-POP.DynamoDBEditor
POP.Scheduler.app | AWSLambdaVPCAccessExecutionRole, CustomerManaged-POP.SQSEditor, CustomerManaged-POP.DynamoDBEditor, CustomerManaged-POP.LambdaLauncher
POP.Callback.trigger | AWSLambdaVPCAccessExecutionRole, CustomerManaged-POP.DynamoDBEditor
POP.Reclaimer.app | AWSLambdaVPCAccessExecutionRole, CustomerManaged-POP.DynamoDBEditor
POP.Reaper.app | AWSLambdaVPCAccessExecutionRole, CustomerManaged-POP.DynamoDBEditor
POP.authorizer | AWSLambdaVPCAccessExecutionRole

Trust Relationship

For a Lambda function to assume a role, the role's trust relationship (its trust policy) must contain the following statement. It is shown here inside a complete trust policy document; if the role already has a trust policy, add the statement to its existing Statement array.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Policies

⚠️ The policy names below carry the "CustomerManaged-" prefix. This may not apply to you; name the policies according to your own conventions.

CustomerManaged-POP.SQSEditor

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sqs:ChangeMessage*",
                "sqs:GetQueue*",
                "sqs:*Message",
                "sqs:*MessageBatch"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

CustomerManaged-POP.DynamoDBEditor

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:*Table",
                "dynamodb:*Item",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:DescribeStream",
                "dynamodb:Put*",
                "dynamodb:List*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

CustomerManaged-POP.LambdaLauncher

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "*"
        }
    ]
}
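The wildcard actions in the policies above are broader than their names suggest (for example, dynamodb:*Table also matches DeleteTable and CreateTable), and every statement uses Resource "*". The following added example, which is not part of the project, reviews these policy documents before deployment: it expands the action patterns using IAM's case-insensitive `*`/`?` matching against a constructed (non-exhaustive) list of API actions, flags unscoped statements, and produces a copy with the Resource restricted to explicit ARNs. The candidate action list and the example ARN are constructed for illustration.

```python
import copy
import fnmatch

# Policy documents copied from this page (the two editor policies).
SQS_EDITOR = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["sqs:ChangeMessage*", "sqs:GetQueue*", "sqs:*Message", "sqs:*MessageBatch"],
    "Resource": ["*"]}]}
DYNAMODB_EDITOR = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["dynamodb:*Table", "dynamodb:*Item", "dynamodb:Get*", "dynamodb:Query",
               "dynamodb:Scan", "dynamodb:DescribeStream", "dynamodb:Put*", "dynamodb:List*"],
    "Resource": ["*"]}]}

# Constructed list of API actions to test the wildcards against (not exhaustive).
CANDIDATE_ACTIONS = [
    "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:SendMessageBatch",
    "sqs:ChangeMessageVisibility", "sqs:GetQueueUrl", "sqs:CreateQueue", "sqs:DeleteQueue",
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem",
    "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:Scan", "dynamodb:ListTables",
]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_actions(policy, candidates=CANDIDATE_ACTIONS):
    """Candidate actions permitted by at least one Allow statement of the policy."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in candidates:
            if any(action_matches(p, action) for p in _as_list(stmt["Action"])):
                allowed.add(action)
    return sorted(allowed)

def unscoped_statements(policy):
    """Indexes of Allow statements whose Resource is the bare wildcard "*"."""
    return [i for i, stmt in enumerate(policy["Statement"])
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))]

def scope_to(policy, arns):
    """Copy of the policy with every wildcard Resource replaced by explicit ARNs."""
    scoped = copy.deepcopy(policy)
    for i in unscoped_statements(policy):
        scoped["Statement"][i]["Resource"] = list(arns)
    return scoped
```

Run `allowed_actions(DYNAMODB_EDITOR)` to see that the DynamoDBEditor policy permits table creation and deletion as written, and `scope_to` to produce a version limited to the queue and table ARNs the stack actually creates.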
