IAM Roles

To securely control access to AWS resources, Amazon uses AWS Identity and Access Management (IAM).

The following diagram illustrates how IAM roles control access to your HDCloud AWS resources:

IAM roles are created automatically upon launching the cloud controller and creating a cluster. The main principle behind designing these roles was to enhance security by providing a minimal set of actions (or capabilities) required for each role.

Role                  Related Component   When Created
CloudbreakRole        cloud controller    Always on launch
CredentialRole        cloud controller    Always on launch
LambdaExecutionRole   cloud controller    Sometimes on launch
S3AccessRole          cluster             Sometimes on cluster create

CloudbreakRole

Naming Convention: {CFNStackName}-CloudbreakRole-{uniqueID}
Example: HortonworksCloudController-CloudbreakRole-1AOYYQS2VQHRK

The CloudbreakRole, associated with the EC2 instance of the cloud controller, is used by the cloud controller to access resources when creating clusters.

An instance profile (a container for an IAM role that passes role information to an EC2 instance when the instance starts) is created for the role and passed to the cloud controller to enable advanced features (such as autocomplete) in the web UI. This allows the EC2 instance to call AWS services on your behalf.

The policy for this role is declared in:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "cloudformation:DescribeStackResource",
                "iam:ListRoles"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

CredentialRole

Naming Convention: {CFNStackName}-CredentialRole-{uniqueID}
Example: HortonworksCloudController-CredentialRole-1PPBMNXK0F93O

This is an AWS cross-account access role that provides the capabilities required for cluster creation. This role also grants permission for creating additional roles (S3AccessRole and LambdaExecutionRole).

The policy for this role is declared in:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "ArnEquals": {
                    "ec2:ResourceTag/CloudbreakId": "arn:aws:cloudformation:us-east-1:139900846764:stack/HortonworksCloudController150/eddf3150-7ab7-11e6-8548-50d5ca6e601e"
                }
            },
            "Action": [
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DetachInstances",
                "autoscaling:ResumeProcesses",
                "autoscaling:SuspendProcesses",
                "autoscaling:UpdateAutoScalingGroup",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStacks",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:ListAttachedRolePolicies",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteRole",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:DeleteSubnet",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ModifySubnetAttribute",
                "ec2:ReleaseAddress",
                "ec2:DescribeAddresses",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

LambdaExecutionRole

Naming Convention: {CFNStackName}-LambdaExecutionRole-{uniqueID}
Example: HortonworksCloudController-LambdaExecutionRole-1PPBMNXK0F93O

If during deployment you choose to launch the cloud controller instance inside an existing VPC, then the LambdaExecutionRole role will be created automatically. This role is used to enable advanced validation for the VPC and subnet, which is done by implementing and running a Lambda function in a custom AWS resource. If this validation fails, then the custom resource creation and the overall stack creation process will be marked as CREATE_FAILED.

The policy for this role is declared in:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSubnets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

S3AccessRole

Naming Convention: {ClusterName}-S3AccessRole-{uniqueID}
Example: myhdcluster-2-S3AccessRole-1MMS659BUGDVG

During cluster creation, you have an option under SECURITY > Instance Role to create this new AWS role to grant S3 access, or to select an existing role to provide S3 access, or not use any S3 role at all if you are not planning to use S3. If you choose the first option, the S3AccessRole will be created for you.

The policy for this role is declared in:

{
    "Statement": [
        {
            "Action": "s3:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
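The page states that each role was designed around a minimal set of actions, yet S3AccessRole grants s3:* on every resource. The following policy review helper is an added example (not HDCloud or Hortonworks code): it flags wildcard actions, privilege-granting IAM actions on Resource "*", and unconditioned mutating actions on Resource "*", and builds a bucket-scoped alternative to the S3AccessRole policy; the bucket name and the PRIVILEGE_GRANTING set are assumptions of the example.

```python
# IAM actions that let a principal hand out or acquire new permissions.
# CredentialRole legitimately needs them, but a reviewer still wants
# them called out whenever they apply to Resource "*". (Set chosen by this example.)
PRIVILEGE_GRANTING = {
    "iam:PassRole", "iam:CreateRole", "iam:PutRolePolicy",
    "iam:AddRoleToInstanceProfile", "sts:AssumeRole",
}

# The S3AccessRole policy exactly as shown on this page.
S3_ACCESS_POLICY = {
    "Statement": [{"Action": "s3:*", "Resource": "*", "Effect": "Allow"}]
}

def _as_list(value):
    """IAM accepts a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def _is_read_only(action):
    verb = action.split(":", 1)[-1]
    return verb.startswith(("Describe", "Get", "List"))

def review_policy(policy):
    """Return one finding per Allow statement that departs from least privilege."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt {idx}: wildcard action {action!r}")
            elif action in PRIVILEGE_GRANTING and any_resource:
                findings.append(f"stmt {idx}: {action} allowed on any resource")
            elif any_resource and not _is_read_only(action) and "Condition" not in stmt:
                findings.append(f"stmt {idx}: mutating {action} on any resource, no Condition")
    return findings

def bucket_scoped_s3_policy(bucket):
    """Narrower replacement for s3:* on *: one bucket, named by the caller (constructed)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{arn}/*"}]}

if __name__ == "__main__":
    print(review_policy(S3_ACCESS_POLICY))          # flags the s3:* wildcard
    print(bucket_scoped_s3_policy("example-bucket"))  # placeholder bucket name
```

Running review_policy over the CredentialRole policy above reports the IAM and sts actions on Resource "*" but stays quiet on the EC2 delete and terminate actions, because that statement carries a Condition.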

Learn More

Refer to the AWS Identity and Access Management documentation and What is IAM? for more information about AWS IAM.