This page will walk you through the details of creating your Ahana Compute Plane in your AWS account. It’s easy to get going. Let’s start with granting Ahana cross-account access via a new AWS IAM role using the Ahana account ID and custom external ID.
The Ahana Compute Plane requires several AWS services. To provision resources like Amazon Elastic Kubernetes Service, S3 and others, the role that Ahana Cloud assumes needs to have a policy with permissions that allow Ahana to orchestrate and deploy the needed resources in your account.
You need to choose a method for setting up the necessary AWS role. CloudFormation is recommended.
- Click the Open CloudFormation button.
- Log in to the AWS console.
- On the CloudFormation page, tick the checkbox and click Create Stack.
- After a couple of minutes, the IAM Role with the necessary permissions will be created.
To create a new IAM Role and Policy manually, see the Appendix section "Create a new IAM Policy manually".
- Go to the Outputs section of the CloudFormation Stack and copy the Value ARN.
- Paste the ARN value into the Ahana SaaS Console Role ARN Text field.
Select a region where you want the Ahana Compute plane to be deployed.
It is recommended that you select a region where your data sources are located so that the compute and storage are co-located.
You will be required to pick between 2 and 3 availability zones. This is because the compute plane uses Amazon EKS (Kubernetes), and EKS by default is created across AZs for high availability.
Enter a Tenant name that will be used for endpoints of various clusters.
Once the compute plane is created, the tenant name cannot be changed, so choose the tenant name carefully.
Now you are ready to create the Ahana Compute Plane. Go ahead and click on the "Complete Setup" button. It will ask you to confirm the setup.
It takes anywhere between 20 and 40 minutes to create the compute plane, depending on the region. Once completed, you will receive an email notification about the successful provisioning. Refreshing the Ahana Console will take you to the Ahana Home Console.
Create a new AWS IAM policy using the Ahana AWS Policy provided.
Go to the JSON Editor tab as shown below.
Next, delete the existing JSON and paste the Ahana Policy you have copied into the JSON editor. Click on Review.
Next, give the policy a name and description as shown below.
Next, review the policy and create it as shown below.
For your reference, here is the JSON policy used.
The required Ahana AWS IAM policy is completely tagged so that the control plane only deletes resources that are tagged with ahana. Remember: the longer the policy, with more conditions and limitations, the stronger the policy!
To create cross account access, you will need to first copy the Ahana SaaS Console Account ID.
Start to create a new AWS IAM Role. Select the "Another AWS account" box as shown below.
Paste the Ahana account ID into the "Account ID" text box.
Select the "Require external ID" checkbox. This is an AWS best practice that Ahana uses. Next, go back to the Ahana SaaS Console, copy the "External ID" and paste it into the "External ID" textbox. Then go to the next step by clicking the "Next: Permissions" button.
Attach the newly created policy. In our example, we name the policy "Ahana-Cloud-Policy" and we'll attach that as seen below. Then click on the "Next: Tags" button.
You can skip the "Add tags" step. Click on the "Next: Review" button to move forward.
Next, give the new role a name and description and click the "Create Role" button.