Prerequisites
Before you start the automated installation for Kyvos on AWS, ensure you have the following information.
Important
Download the AWS Installation Files folder and keep all the requisite files handy during installation and deployment.
The load balancer will be added by default when creating resources in automated deployment.
Before starting the deployment for AWS, you must have the following.
If you are using the CloudFormation template for IAM roles and VPC, you should have the administrative privileges to create IAM roles and VPC.
AWS CloudFormation template. Contact Kyvos support to get your custom template. Alternatively, you can download the Kyvos_AWS_Default_Template_K8S2024.3.json file from the AWS Installation Files folder or create a template as per your requirements.
The CloudFormation template can be deployed through the logged-in user or a role. The logged-in user must have the required policies given in the aws-console-user-iam-policy.json file.
EC2 key pair, consisting of a private key and a public key. You can create the key pair if needed.
Networking requirements:
Use the Network CloudFormation template to create network resources (VPC, Subnet, and Security Group) automatically.
If you want to deploy your network with NAT Gateway, use the NATGateway Template (vpc_nat.json file) .
ORIf you want to use existing network resources, perform the following steps in your VPC.
Refer to Amazon documentation for VPC and Subnet requirement for EKS cluster.
Ensure that at least 8 IP addresses are available in the public subnets, each located in a different Availability Zone within the VPC where your EKS cluster is created. This is required by the load balancer, which is created by the EKS cluster's load balancer.
You must create VPC Endpoints within your VPC, to connect with the AWS services. Else, you must have the internet and NAT Gateway in the subnet.
List of VPC Endpoints for AWS services required by Kyvos:
AWS Service Name
Description/Purpose
VPC Endpoint Name
CloudWatch logs
Used to send bootstrap logs of the EC2 machines to CloudWatch Logs.
com.amazonaws.{AWS-REGION}.logs
Glue
Used to connect to Glue from the Kyvos BI Server and fetch metadata of the tables stored.
com.amazonaws.{AWS-REGION}.glue
Cloudformation
Used by Kyvos Manager at the time of deployment to validate and get details from the AWS stack in Cloudformation.
com.amazonaws.{AWS-REGION}.cloudformation
CloudWatch Event
Used to schedule events on CloudWatch Event for scheduled starting of the Kyvos BI Server.
com.amazonaws.{AWS-REGION}.events
S3
Used to connect to an S3 bucket for reading raw data and writing metadata.
com.amazonaws.{AWS-REGION}.s3
RDS
Used for scheduled start/stop of the Kyvos cluster along with RDS.
com.amazonaws.{AWS-REGION}.rds
EC2
Used by Kyvos Manager to describe EC2 and Kyvos BI Server for scheduled start/stop of Query Engines.
com.amazonaws.{AWS-REGION}.ec2
Secrets Manager
Used by the Kyvos BI Server to get the passwords stored in AWS Secrets Manager.
com.amazonaws.${AWS-REGION}.secretsmanager
In the table above, change the {AWS-REGION} according to the region in which you are deploying Kyvos.
AWS does not provide a VPC endpoint for the Cost explorer service, so the Kyvos Resource Usage feature will not work without internet access.
Permission requirements:
You can create IAM roles using the CloudFormation template (automated_deployment_iam_role.json file).
ORCreate IAM Role for:
Refer to the section/wiki/spaces/KD20233/pages/18448740to create new roles.EC2 that will be attached to all Kyvos instances. This role contains all the permissions required by Kyvos Services and Kyvos Manager.
Details for permissions required for EC2.Lambda that will be attached to the Kyvos created Lambda functions. This role contains all the permissions required by lambda functions to run.
S3 Bucket permissions
If you want to use an existing S3 bucket and IAM role, or if you want to read data from an S3 bucket other than where Kyvos is deployed, then the IAM role must have the following permissions on the S3 bucket.
Here, replace:
<Bucket Name> with the name of your bucket name.
<Lambda Role> with the name of your Lambda Role.
<EC2 Role> with the name of your EC2 Role.
<AWS Account ID> With your AWS account ID.
<kyvosEksOidcrole> With the OIDC role name that will be attached to the add-on of EKS cluster.
<NodeGroupRole> With the role name that will be attached to your EKS cluster’s node group.{ "Version": "2008-10-17", "Statement": [ { "Sid": "Ec2LambdaRoleBucketPolicy", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<AWS Accout ID>:role/EC2-Role", "arn:aws:iam::<AWS Accout ID>:role/kyvosEksOidcrole", "arn:aws:iam::<AWS Accout ID>:role/NodeGroupRole" "arn:aws:iam::<AWS Accout ID>:role/<Lambda Role>", ] }, "Action": [ "s3:PutAnalyticsConfiguration", "s3:GetObjectVersionTagging", "s3:ReplicateObject", "s3:GetObjectAcl", "s3:GetBucketObjectLockConfiguration", "s3:DeleteBucketWebsite", "s3:PutLifecycleConfiguration", "s3:GetObjectVersionAcl", "s3:DeleteObject", "s3:GetBucketPolicyStatus", "s3:GetObjectRetention", "s3:GetBucketWebsite", "s3:PutReplicationConfiguration", "s3:PutObjectLegalHold", "s3:GetObjectLegalHold", "s3:GetBucketNotification", "s3:PutBucketCORS", "s3:GetReplicationConfiguration", "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetObject", "s3:PutBucketNotification", "s3:PutBucketLogging", "s3:GetAnalyticsConfiguration", "s3:PutBucketObjectLockConfiguration", "s3:GetObjectVersionForReplication", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:GetBucketTagging", "s3:PutAccelerateConfiguration", "s3:DeleteObjectVersion", "s3:GetBucketLogging", "s3:ListBucketVersions", "s3:RestoreObject", "s3:ListBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketPolicy", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:GetObjectVersionTorrent", "s3:AbortMultipartUpload", "s3:GetBucketRequestPayment", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:DeleteBucket", "s3:PutBucketVersioning", "s3:GetBucketPublicAccessBlock", "s3:ListBucketMultipartUploads", "s3:PutMetricsConfiguration", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:PutInventoryConfiguration", "s3:GetObjectTorrent", "s3:PutBucketWebsite", "s3:PutBucketRequestPayment", "s3:PutObjectRetention", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:ReplicateDelete", "s3:GetObjectVersion", "s3:PutBucketTagging" ], "Resource": [ "arn:aws:s3:::bucket-name/*", "arn:aws:s3:::bucket-name" ] } ] }
You must have the Access Key and Secret Key to access the Kyvos bundle. Contact Kyvos Support for details.
Valid Kyvos license file.
Creating CloudFormation template
The Kyvos CloudFormation template can create the following resources:
EKS for processing semantic model and aggregations.
EC2 instances for Kyvos services - BI Server, Query Engines, Kyvos Manager, Kyvos Web Portal, and Postgres.
S3 for storing Kyvos semantic model
RDS for use as Kyvos repository if you don't want to use the default Postgres database provided in the Kyvos package.
Lambda to use the scheduling (cluster ON) features.
API Gateway to get the Rest URL on the Lambda function.
CloudWatch event for scheduling the Kyvos BI Server.
Secrets Manager for storing passwords, like Kyvos DB password, Active Directory password, and SMTP password (if configured)
SecurityGroup for Databricks and Kyvos instances.
Note
The Security Group created by the template is allowed with all the requisite ports. To know more about specific inbound rules, see Port requirements.
You must ensure proper connectivity between the Security group being used by Databricks and the Kyvos instances
Important
Kyvos uses Lambda to start the BI Server instances. The CloudFormation template will create three Lambda functions for:
Scheduled start of the BI Server
Forced start of the BI Server
Display cluster status on the Kyvos Web UI.