This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

Configuring AWS EC2 Marketplace AMIs credentials

danodonovan
Node Link

‎09-12-2018 03:05 AM

I've read @david.allen's helpful post RE Cloud VM configuration (and other blog entries) but I'm having difficulty getting configuration changes to stick in AWS.

It seems that the Tags on the instance aren't being picked up by pre-neo4j.sh as when that script calls $ aws ec2 describe-tags ... it doesn't find any AWS credentials (as it shouldn't - I've not provided any!).

I suspect that the best way to provide the credentials is to assign a role to the EC2 instance, but I've not read this in any of the docs. Is that correct, or is there another way that I've missed?

Thanks!

Labels:
Reply
3 REPLIES 3

david_allen
Neo4j
Neo4j

‎09-12-2018 04:07 AM

Can you clarify -- are you launching the VM individually, or is this as part of a CloudFormation template or cluster? I'm guessing you're launching the AMI individually.

Yes it's necessary for the VM to have the permission to read its own tags. This may be an edge case where we can improve the documentation on that page describing the differences of VMs. Normally, when the VM is deployed as part of the cloudformation templates and marketplace entries we provide, this permissioning is done for you so you'd never notice. If you deploy the AMI by itself, then it's not auto-granted.

So, two options:

  1. Inside of the VM, you can authorize the AWS client with whatever service key you want, restart the service, and it should work.
  2. In your launch process for the VM, you can apply an IAM role that gives the VM appropriate permissions. I think it gets a service account by default, just with very little permissions.

In CloudFormation language, the role you'd need to grant looks like this. The ec2:Describe one is really what does it.

When launching the image, on "Step 3: Configure Instance Details" there's a skinny little "IAM Role" box where you can configure the equivalent of the below, prior to launch.

        "ReadOwnTags": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {{ "work-with-tags" | appendStack }},
                "AssumeRolePolicyDocument": { 
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "ec2.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "Policies": [
                    {
                        "PolicyName": "root",
                        {# Adapted/customized from arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess #}
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {  
                                    "Effect": "Allow",
                                    "Action": "ec2:CreateTags",
                                    "Resource": "*"
                                },
                                {
                                    "Effect": "Allow",
                                    "Action": "ec2:Describe*",
                                    "Resource": "*"
                                }
                            ]                            
                        }
                    }
                ]
            }
Reply

danodonovan
Node Link

‎09-12-2018 08:28 AM

Thanks David - I was rolling my own Cloudformation template!

Could you post a link to the cloudformation templates that Neo4j provide? I had been looking the code in github: neo4j-contrib/ec2neo (this web UI won't let me post that link) but I found it too out-dated for my needs.

Your IAM Role is very similar to the one I've been writing - I'll give it a whirl, thanks!

0 Kudos
Reply

david_allen
Neo4j
Neo4j
In response to danodonovan

‎09-12-2018 08:47 AM

Dan -- on the CloudFormation templates, I'll follow up with you privately by email. I have them and I'm glad to provide them, but they're not something we publicly publish just yet.

0 Kudos
Reply
Nodes 2022
Nodes
NODES 2022, Neo4j Online Education Summit

All the sessions of the conference are now available online

Watch replays