
Setup IAM permissions for users installing Snowplow

Yali Sassoon edited this page Aug 12, 2013 · 4 revisions
## Overview

Setting up permissions in IAM for the user(s) installing Snowplow is a 3 step process:

  1. [Create an IAM group (incl. creating a user and setting permissions)](#create-group)
  2. [Enable users to log into AWS](#enable-login)

Disclaimer: Snowplow Analytics Ltd will not be liable for any problems caused by the full or partial implementation of these instructions on your Amazon Web Services account. If in doubt, please consult an independent AWS security expert.

Warning: these permissions are still more permissive than they need to be. We will be putting in time to narrow them down further over the coming weeks.

## 1. Setup the IAM group

### Initial group configuration

First click on the IAM icon on the AWS dashboard:

Now click on the Create a New Group of Users button:

### Group Name

Enter a Group Name of snowplow-setup:

### Permissions

Now choose the Custom Policy option and click Select:

Let's give it a Policy Name of snowplow-policy-setup-infrastructure:

Now we need to give permissions on:

  • Amazon S3: All Actions (*)
  • Amazon EMR: All Actions (*)
  • Amazon CloudFront: CreateDistribution
  • Amazon Elastic Beanstalk: All Actions (*)
  • Amazon Redshift: All Actions (*)

These permissions are set out in the following policy document. If you are not using the Clojure Collector, you can remove the Elastic Beanstalk section.

Now paste the following JSON into the Policy Document text area:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "elasticmapreduce:*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudfront:CreateDistribution"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "elasticbeanstalk:*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "redshift:*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
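
The warning above notes that these permissions are broader than they need to be. The following added example, which is not part of the original Snowplow page, rebuilds the policy document above, drops the Elastic Beanstalk statement for the case where the Clojure Collector is not used, and lists every wildcard grant that remains to be narrowed. The function names are assumptions made for this example.

```python
import json

# Actions granted by the policy document on this page; each statement
# allows its action on Resource "*".
PAGE_ACTIONS = ["s3:*", "elasticmapreduce:*", "cloudfront:CreateDistribution",
                "elasticbeanstalk:*", "redshift:*"]

def build_policy(actions):
    """Rebuild the page's policy: one Allow statement per action."""
    return {"Version": "2012-10-17",
            "Statement": [{"Action": [a], "Resource": ["*"], "Effect": "Allow"}
                          for a in actions]}

def as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def only_service(stmt, prefix):
    """True when the statement has actions and all of them start with prefix."""
    actions = as_list(stmt.get("Action", []))
    return bool(actions) and all(a.lower().startswith(prefix) for a in actions)

def drop_service(policy, service):
    """Return a copy without statements that grant only `service` actions."""
    prefix = service.lower() + ":"
    kept = [s for s in as_list(policy["Statement"]) if not only_service(s, prefix)]
    return {**policy, "Statement": kept}

def wildcard_findings(policy):
    """Return (statement index, action, issue) for each wildcard Allow grant."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            all_actions = action == "*" or action.endswith(":*")
            if all_actions and any_resource:
                findings.append((i, action, "all actions on all resources"))
            elif all_actions:
                findings.append((i, action, "all actions"))
            elif any_resource:
                findings.append((i, action, "all resources"))
    return findings

if __name__ == "__main__":
    # Case: the Clojure Collector is not used, so Elastic Beanstalk is dropped.
    policy = drop_service(build_policy(PAGE_ACTIONS), "elasticbeanstalk")
    print(json.dumps(policy, indent=2))
    for index, action, issue in wildcard_findings(policy):
        print(f"statement {index}: {action} -> {issue}")
```
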

Now click Continue:

### Users

From the Add Existing Users tab, switch to the Create New Users tab:

Now enter a first User Name - we use snowplow-setup:

Keep the option Generate an access key for each User checked, and then click Continue.

### Review

Check that the configuration for your new IAM group looks something like this:

Click Continue and you should see the following:

Click Download Credentials to save these credentials locally. Then click Close Window.

Provide these credentials in a secure way - not via email - to whoever is setting up Snowplow for you, so that they can add them into the configuration of your EmrEtlRunner and StorageLoader applications.

Back to top.

## 2. Allow the IAM user to login

For much of the Snowplow setup process, the IAM user you have set up above will need access to the Amazon Web Services control panel.

From within the Users tab inside the IAM dashboard, click on your snowplow user:

Now switch to the Security Credentials tab in the bottom pane, and click Manage Password on the right:

Now choose Assign an auto-generated password:

Click Apply and you should see the following:

Click Download Credentials to save these credentials locally. Then click Close Window.

Now, provide the following details in a secure way - not via email - to whoever is setting up Snowplow for you:

Back to top.
