Available with the Professional plan and above
This document explains how to use the ScyllaDB Cloud Bring Your Own Account (BYOA) wizard to set up a ScyllaDB Cloud managed cluster on your AWS account. ScyllaDB Cloud BYOA enables ScyllaDB Cloud customers to have cloud resources allocated by their own AWS accounts (as opposed to allocating them in a ScyllaDB account). The wizard requires you to interact with and collect information from your AWS account and to paste information from the AWS screens into the ScyllaDB Cloud wizard.
By the end of this procedure, you will be able to use ScyllaDB Cloud to create ScyllaDB clusters using the resources from your AWS account.
You can choose to have a dedicated AWS sub-account for ScyllaDB Cloud by using AWS Organizations and following the procedure using this dedicated account. If you choose not to use an AWS Organization and a dedicated account, you can follow this procedure in your main AWS account.
Caution
Deploying ScyllaDB Cloud Bring Your Own Account grants access to your database resources. We strongly recommend that you do not change or remove any of the resources that you create for the ScyllaDB Cloud role, or in its policies, to make sure that the database services are all properly set and functioning according to your company security policy.
Note
By default, the BYOA solution allows you to connect one AWS account with your ScyllaDB Cloud account.
If you need to connect multiple AWS accounts, please contact ScyllaDB Cloud support.
Before you begin:
Confirm you have filled in the registration page and signed up for ScyllaDB Cloud service.
Confirm that your AWS account has the correct account limits (Instances, VPCs, Elastic IPs, CloudFormation Stacks, etc.). See AWS Account Limits and AWS Credentials below.
Add AWS Account Details: add your AWS account details and start the cluster creation process.
Define a Boundary Policy for ScyllaDB Cloud on your AWS account
Create a ScyllaDB Cloud policy for your AWS account
Create a ScyllaDB Cloud Role and give it specific privileges
Create the cluster and set it to run ScyllaDB Cloud from your AWS account
Go to My Clusters and choose Create a New Cluster. Alternatively, you can go to New Cluster and choose Dedicated VM.
Choose Your AWS Account to specify under which account ScyllaDB should run.
If BYOA is already defined, you can continue to choose your ScyllaDB version and instance type.
If BYOA is not defined, a wizard will guide you through setting up BYOA. You’ll need to provide your AWS Account ID to proceed.
Define a policy to limit ScyllaDB Cloud permissions in your AWS account.
Use this policy file to define a new policy named ScyllaCloudBoundary.
This policy will restrict ScyllaDB Cloud’s permissions on your AWS account and will be used in further steps.
From the AWS console, navigate to IAM Services > Policies and click Create Policy.
Click the JSON tab.
From the ScyllaDB Cloud wizard, copy the JSON file by clicking the copy button.
Paste the contents into the AWS JSON editor. From the AWS editor, click Next.
Click Review Policy.
Navigate to the Policies main window, search for the ScyllaCloudBoundary policy and click on it to open the policy details.
Copy the Policy ARN (output should be similar to the following example: arn:aws:iam::123456789012:policy/ScyllaCloudBoundary).
In the ScyllaDB Cloud wizard Boundary Policy ARN field, paste the Policy ARN you copied in the previous step.
Confirm the details are correct in the Summary screen. Your screen should be similar to:
Click Next: Create Cloud Policy.
Create a new policy ScyllaCloud to manage ScyllaDB Cloud role and resources
From the AWS console, navigate to IAM Services > Policies and click Create Policy
Click the JSON tab.
From the ScyllaDB Cloud wizard, copy the JSON file by clicking the copy button.
Paste the contents into the AWS JSON editor. From the AWS editor, click Next.
Click Review Policy.
Where indicated, name the policy ScyllaCloud (no other name can be used).
Click Create Policy.
Navigate to the Policies main window, search for the ScyllaCloud policy and click on it to open the policy details.
Copy the Policy ARN (output should be similar to the following example: arn:aws:iam::734708892259:policy/ScyllaCloud).
In the ScyllaDB Cloud wizard Cloud Policy ARN field, paste the Policy ARN you copied in the previous step.
Confirm the details are correct in the Summary screen. Your screen should be similar to:
Click Next: Create Role.
From the AWS console, navigate to IAM > Roles and click on Create Role.
When asked for a type of trusted entity, select Another AWS account and enter the ScyllaDB Production Account ID shown in the ScyllaDB Cloud Wizard.
Check Require external ID and fill in the following:
From the ScyllaDB Cloud Wizard, copy the External ID by clicking the copy button and paste it into the AWS External ID field.
This string should be treated as a password and kept secure.
Save the string, as you will need to use it later.
Note
Require MFA should NOT be checked.
From the AWS Create Role Screen, click Next: Permissions.
Search for the policy ScyllaCloud and check it.
Click Next: Add Tags and add any tags you want, or skip this step.
Click Next: Review and fill in the following fields:
In Role Name, enter ScyllaCloud.
Role Description is optional. Enter any description that makes sense to you, as this is only for your usage.
Click Create Role. Make sure the ScyllaCloud role is listed in the new role ARN list.
Navigate to the Roles main window, search for the ScyllaCloud role and click on it to open the policy details.
Copy the Role ARN (example: arn:aws:iam::734708892259:role/ScyllaCloud).
In the ScyllaDB Cloud wizard Cloud Role ARN field, paste the Role ARN you copied in the previous step.
Click Next: Complete the Cloud Account Setup.
Confirm the details are correct in the Summary screen. Your screen should be similar to:
Confirm that you receive a success message; otherwise, you can restart the ScyllaDB Cloud Wizard.
Click Next: Complete the Cloud Account Setup.
Confirm that the Your AWS Account option is selected on the Create Cluster page and launch the new cluster. The cluster will run on your AWS account.
Validate from your AWS console that the instances are listed. Search for the tag ScyllaDB Cloud to identify managed ScyllaDB Cloud instances.
Congratulations! You are done! You can now proceed to run a ScyllaDB Cluster on your own Account. When the cluster is up and running, you will be able to see the running cluster from your EC2 console. Search for the tag ScyllaDB Cloud to identify managed ScyllaDB Cloud instances including ScyllaDB nodes, ScyllaDB Monitor, and ScyllaDB Manager.
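The role created in the steps above trusts another AWS account, so its trust policy is worth auditing after setup. The following is an added example, not part of the ScyllaDB wizard or documentation: it checks a trust policy document for the properties the steps describe (the ScyllaDB account as the only trusted principal, the External ID condition, no MFA condition). The function names, account ID and External ID are constructed placeholders.

```python
# Constructed placeholders, not real values: take the real ones from the wizard.
SCYLLA_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "constructed-external-id"

def as_list(value):
    """IAM accepts a single value or a list in most fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the trust policy matches the steps."""
    findings = []
    allow = [s for s in as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        findings.append(f"expected one Allow statement, found {len(allow)}")
    expected = {account_id, f"arn:aws:iam::{account_id}:root"}
    for stmt in allow:
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if not aws or set(principal) != {"AWS"} or set(aws) - expected:
            findings.append("trusted principal is not only the ScyllaDB account")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        cond = stmt.get("Condition", {})
        # Condition key names are case-insensitive in IAM.
        equals = {k.lower(): as_list(v)
                  for k, v in cond.get("StringEquals", {}).items()}
        if equals.get("sts:externalid") != [external_id]:
            findings.append("sts:ExternalId missing or different from the wizard value")
        if any(k.lower() == "aws:multifactorauthpresent"
               for op in cond.values() for k in op):
            findings.append("MFA condition set; the steps say Require MFA is unchecked")
    return findings

def make_policy(principal, condition):
    """Build a constructed trust policy in the shape the IAM console produces."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principal,
        "Action": "sts:AssumeRole", "Condition": condition}]}

ROOT = {"AWS": f"arn:aws:iam::{SCYLLA_ACCOUNT_ID}:root"}
GOOD = make_policy(ROOT, {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = make_policy(ROOT, {})
WITH_MFA = make_policy(ROOT, {
    "StringEquals": {"sts:ExternalId": EXTERNAL_ID},
    "Bool": {"aws:MultiFactorAuthPresent": "true"}})

if __name__ == "__main__":
    print(audit_trust_policy(WITH_MFA, SCYLLA_ACCOUNT_ID, EXTERNAL_ID))
```

To audit the real role, feed the function the document returned by `aws iam get-role --role-name ScyllaCloud --query Role.AssumeRolePolicyDocument`; the findings never echo the External ID itself.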
Note
The sections that follow are for reference purposes only. There is no need to execute them once the setup is complete.
To ensure that you don’t exceed your AWS account quota, we suggest setting a specific quota for the resources that ScyllaDB Cloud will use. These quotas should be adjusted for each region where you intend to operate. Please note that the recommended limits should be considered in addition to your current resource allocation.
Use AWS Service Quotas to increase the following resource limits:
Service Name | Additional Requested Value | Quota Name |
---|---|---|
Amazon Virtual Private Cloud (Amazon VPC) | 50 | VPCs per region |
Amazon Virtual Private Cloud (Amazon VPC) | 96 | Inbound or outbound rules per security group |
Amazon Elastic Compute Cloud (Amazon EC2) | 20 | EC2-VPC Elastic IPs |
Amazon Elastic Compute Cloud (Amazon EC2) | 1000 (see note) | Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances |
Amazon Simple Storage Service (Amazon S3) | 50 | Buckets |
AWS CloudFormation | 100 | Stack count |
Note
You can use this helper script to quickly list relevant quotas for your account.
Note
1000 doesn’t represent the limit for the number of instances, but the limit for vCPUs. Any launched instance of any of the listed instance types (A, C, D, H, I, M, R, T, Z) contributes its vCPU count towards this quota. See more in this AWS blog.
ScyllaDB Cloud requires the following credentials to manage its service while being deployed on your AWS account.
Purpose | Action |
---|---|
ScyllaDB Cloud will use this to restrict itself to only creating a new policy with access to its S3 backup and with no access to any other policy | |
Create/Expand clusters | |
Delete clusters | |
Create a backup bucket on S3 | |
Grant each ScyllaDB instance access to its S3 backup bucket | |
Validate that security policy is complete and up-to-date | |
Operation activities | |