[MCOL-462] Amazon ColumnStore AMI support of IAM role with certificates Created: 2016-12-12  Updated: 2023-10-26  Resolved: 2017-01-23

Status: Closed
Project: MariaDB ColumnStore
Component/s: ?
Affects Version/s: 1.0.6
Fix Version/s: 1.0.7

Type: New Feature Priority: Minor
Reporter: David Hill (Inactive) Assignee: David Hill (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Environment:

AWS EC2 AMI environment

Sprint: 2016-24, 2016-25, 2017-01, 2017-2

 Description   

The current version of the AMI requires that a user have the acess/secret key certificates in files on the Instance them's. The Amazon IAM role is there to allow the user to define these types of certificates which would allow the runing process to access them without have to have them locally in a file on the system..

So the logic in postConfigure and the MCS cloud scripts need to change to allow the use of ENV variables, which is what would be passed from the AIM setup.

 Comments   
Comment by David Hill (Inactive) [ 2016-12-14 ]

change code to use the ENV variables instead of reading the access/secret keys from a file.
These can be passed from an IAM role that is provide when the instance is launched or setup in the instances themselves.

AWS_ACCESS_KEY environment variable
AWS_SECRET_KEY environment variable

Comment by David Hill (Inactive) [ 2016-12-23 ]

change to use the latest amazon APIs called aws ec2 cli commands. Previous ones being used was brought over from InfiniDB, but they were obsolete.

Comment by David Hill (Inactive) [ 2017-01-06 ]

great progress - I got a beta version of the AMI done which uses IAM certificates. Plan is to have the customer test it out to make sure it works for there IAM user/role setup and it meets their needs. And they can provide is feedback before making it public in 1.0.7..

Comment by David Hill (Inactive) [ 2017-01-09 ]

pull request done

Comment by David Hill (Inactive) [ 2017-01-16 ]

Positive test cases for multi-node installs:

1. use the IAM rol oe 'mcs' when launching, second page of new instance startup
2. dont provide any IAM role, but enter the access/secret keys in the .aws/certificate file, rename from certificate.template

Negitive test case

1. Don't provide a IAm role or certificate file and do a multi-node install and select 'y' to use the AWS CLI APIs. You should get an error

Comment by David Hill (Inactive) [ 2017-01-23 ]

Passed, can now launch AMI using IAM roles

Comment by Abhinav santi [ 2017-03-28 ]

Do we need to provide both IAM role and Access keys while installing multi server system? I faced this issue while installing Maria column store 1.7 using AMI in AWS US-EAST-1 region. Is this expected? If yes, can you please provide me the rationale.
Thank you in advance.

Comment by David Hill (Inactive) [ 2017-03-28 ]

Let me try to clarify.

The user has the option of either setting up IAM users and roles where the Access and Secret keys are automatically created and assigned. Then our code will read the keys from the meta-data at Process start on the instances.
Or the user create a set of Access and Secret keys and can add them to a local file in the AMI Instance. Then our code will read the keys from that file, if no keys are provided in the meta-data.

It is explained here in this Amazon AMI installation document:

https://mariadb.com/kb/en/mariadb/installing-and-configuring-a-columnstore-system-using-the-amazon-ami/

Also just an fyi - We have recently released a 1.0.8 version of the AMI.

https://mariadb.com/kb/en/mariadb/mariadb-columnstore-108-ga-release-notes/

Generated at Thu Feb 08 02:21:15 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.