Create Cross-Account IAM Role (Private Preview)
This page describes how to create and configure a cross-account role for Zilliz Cloud to bootstrap your project. This role gives Zilliz Cloud restricted permissions to manage VPC resources on your behalf.
Procedure
You can use the AWS console to create the bootstrap role. As an alternative, you can use the Terraform script Zilliz Cloud provides to bootstrap the infrastructure for your Zilliz Cloud project on AWS. For details, refer to Bootstrap Project Infrastructure (Terraform).
Step 1: Create a cross-account IAM role
In this step, you will create a cross-account IAM role for communication between Zilliz Cloud and your VPC.
-
On the Zilliz Cloud console, copy the External ID displayed in the setup guide.
-
Log into your AWS Console as a user with administrator privileges and go to the IAM dashboard.
-
Click the Roles tab in the left sidebar, and then click Create Role.
-
In Select trusted entity, click the AWS account tile.
-
In An AWS account, select the Another AWS account checkbox.
-
In Account ID, enter the Zilliz Cloud account ID 965570967084. This is the account that will be trusted to assume the role; it is not the external ID you copied from the Zilliz Cloud console.
-
Select the Require external ID checkbox. The external ID is what limits assumption of this role to the Zilliz Cloud project that holds your External ID, rather than any principal in that account.
-
In External ID, enter the one you have copied from the Zilliz Cloud console.
-
Click Next and skip adding permissions; you will attach an inline policy to the role in Step 2.
-
In the Name, review, and create step, name the role, review the trusted entities, and click Create role.
📘 Notes: When naming the role, use the prefix zilliz-byoc.
-
Once the role has been created, click View role in the green bar to go to the role details.
-
Click the copy icon in front of the role's ARN.
-
Go back to the Zilliz Cloud console and paste the role ARN into the IAM Role ARN field under EKS settings.
Step 2: Add permissions
This step is performed entirely in the AWS console. In this step, you will create an inline policy for the role created above. Most statements in the policy are scoped to resources whose names start with zilliz-byoc or that carry the tag Vendor=zilliz-byoc; review the statements before you save them.
-
Go to the details page of the created role. In the Permissions policies section, click Add permissions, and choose Create inline policy.
-
On the Specify permissions page, click JSON in the Policy editor section to open the policy editor. Then copy the permissions below and paste them into the policy editor, replacing {bucketName} with the name of the bucket you created in Create S3 Bucket and Role.
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "CreateOpenIDConnectProvider",
"Effect" : "Allow",
"Action" : [
"iam:CreateOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider"
],
"Resource" : [
"arn:aws:iam::*:oidc-provider/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/Vendor" : "zilliz-byoc"
}
}
},
{
"Sid" : "DeleteOpenIDConnectProvider",
"Effect" : "Allow",
"Action" : [
"iam:GetOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider"
],
"Resource" : [
"arn:aws:iam::*:oidc-provider/*"
]
},
{
"Sid" : "IAMReadEKSRole",
"Effect" : "Allow",
"Action" : [
"iam:GetRole",
"iam:ListAttachedRolePolicies"
],
"Resource" : [
"arn:aws:iam::*:role/zilliz-byoc*",
"arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
]
},
{
"Sid" : "IAMPassRoleToEKS",
"Effect" : "Allow",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:*:iam::*:role/zilliz-byoc*"
],
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : "eks.amazonaws.com"
}
}
},
{
"Sid" : "IAMUpdateTrustPolicyForEKSRole",
"Effect" : "Allow",
"Action" : [
"iam:UpdateAssumeRolePolicy"
],
"Resource" : [
"arn:*:iam::*:role/zilliz-byoc*"
]
},
{
"Sid" : "EC2Create",
"Effect" : "Allow",
"Action" : [
"ec2:CreateLaunchTemplate",
"ec2:RunInstances"
],
"Resource" : [
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:network-interface/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/Vendor" : "zilliz-byoc"
}
}
},
{
"Sid" : "EC2Update",
"Effect" : "Allow",
"Action" : [
"ec2:DeleteLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:RunInstances"
],
"Resource" : [
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:image/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/Vendor" : "zilliz-byoc"
}
}
},
{
"Sid" : "EC2RunInstanceOnImage",
"Effect" : "Allow",
"Action" : [
"ec2:RunInstances"
],
"Resource" : [
"arn:aws:ec2:*:*:image/*"
]
},
{
"Sid" : "EC2Tag",
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:image/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/Vendor" : "zilliz-byoc"
}
}
},
{
"Sid" : "EC2TagWithRequestTag",
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:image/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/Vendor" : "zilliz-byoc"
}
}
},
{
"Sid" : "EC2Read",
"Effect" : "Allow",
"Action" : [
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstanceTypes",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"Resource" : [
"*"
]
},
{
"Sid" : "EKSCreate",
"Effect" : "Allow",
"Action" : [
"eks:CreateCluster",
"eks:CreateNodegroup",
"eks:CreateAddon",
"eks:CreateAccessEntry",
"eks:CreatePodIdentityAssociation"
],
"Resource" : [
"arn:aws:eks:*:*:cluster/zilliz-byoc-*",
"arn:aws:eks:*:*:addon/zilliz-byoc-*/*/*",
"arn:aws:eks:*:*:nodegroup/zilliz-byoc-*/zilliz*/*",
"arn:aws:eks:*:*:podidentityassociation/zilliz-byoc-*/*",
"arn:aws:eks::aws:access-entry/zilliz-byoc-*/*/*/*/*",
"arn:aws:eks::aws:access-policy/zilliz-byoc-*/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/Vendor" : "zilliz-byoc"
}
}
},
{
"Sid" : "EKSUpdate",
"Effect" : "Allow",
"Action" : [
"eks:AssociateAccessPolicy",
"eks:UpdateAccessEntry",
"eks:UpdateAddon",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion",
"eks:UpdatePodIdentityAssociation"
],
"Resource" : [
"arn:aws:eks:*:*:cluster/zilliz-byoc-*",
"arn:aws:eks:*:*:addon/zilliz-byoc-*/*/*",
"arn:aws:eks:*:*:nodegroup/zilliz-byoc-*/zilliz*/*",
"arn:aws:eks:*:*:podidentityassociation/zilliz-byoc-*/*",
"arn:aws:eks::aws:access-entry/zilliz-byoc-*/*/*/*/*",
"arn:aws:eks::aws:access-policy/zilliz-byoc-*/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/Vendor" : "zilliz-byoc"
}
}
},
{
"Sid" : "EKSTag",
"Effect" : "Allow",
"Action" : [
"eks:TagResource"
],
"Resource" : [
"arn:aws:eks:*:*:cluster/zilliz-byoc-*",
"arn:aws:eks:*:*:addon/zilliz-byoc-*/*/*",
"arn:aws:eks:*:*:nodegroup/zilliz-byoc-*/zilliz*/*",
"arn:aws:eks:*:*:podidentityassociation/zilliz-byoc-*/*",
"arn:aws:eks::aws:access-entry/zilliz-byoc-*/*/*/*/*"
]
},
{
"Sid" : "EKSRead",
"Effect" : "Allow",
"Action" : [
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:DescribeAccessEntry",
"eks:DescribeAddon",
"eks:DescribeAddonConfiguration",
"eks:DescribeAddonVersions",
"eks:DescribePodIdentityAssociation",
"eks:DescribeUpdate",
"eks:ListAccessEntries",
"eks:ListAccessPolicies",
"eks:ListAddons",
"eks:ListNodegroups",
"eks:ListUpdates",
"eks:ListPodIdentityAssociations",
"eks:ListTagsForResource"
],
"Resource" : [
"arn:aws:eks:*:*:cluster/zilliz-byoc-*",
"arn:aws:eks:*:*:addon/zilliz-byoc-*/*/*",
"arn:aws:eks:*:*:nodegroup/zilliz-byoc-*/zilliz*/*",
"arn:aws:eks:*:*:podidentityassociation/zilliz-byoc-*/*",
"arn:aws:eks::aws:access-entry/zilliz-byoc-*/*/*/*/*",
"arn:aws:eks::aws:access-policy/zilliz-byoc-*/*"
]
},
{
"Sid" : "EKSDelete",
"Effect" : "Allow",
"Resource" : [
"arn:aws:eks:*:*:cluster/zilliz-byoc-*",
"arn:aws:eks:*:*:addon/zilliz-byoc-*/*/*",
"arn:aws:eks:*:*:nodegroup/zilliz-byoc-*/zilliz*/*",
"arn:aws:eks:*:*:podidentityassociation/zilliz-byoc-*/*",
"arn:aws:eks::aws:access-entry/zilliz-byoc-*/*/*/*/*",
"arn:aws:eks::aws:access-policy/zilliz-byoc-*/*"
],
"Action" : [
"eks:DeleteAccessEntry",
"eks:DeleteAddon",
"eks:DeleteCluster",
"eks:DeleteFargateProfile",
"eks:DeleteNodegroup",
"eks:DeletePodIdentityAssociation"
]
},
{
"Sid" : "S3CheckBucketLocation",
"Effect" : "Allow",
"Action" : [
"s3:GetBucketLocation"
],
"Resource" : "arn:aws:s3:::{bucketName}"
}
]
}
-
In Review and create, enter a policy name, review the permissions, and click Create policy.
📘 Notes: When naming the policy, use the prefix zilliz-byoc.