Prerequisites for Wizard-based Deployment on AWS with Kyvos Native
Applies to: Kyvos Enterprise Kyvos Cloud (SaaS on AWS) Kyvos AWS Marketplace
Kyvos Azure Marketplace  Kyvos GCP Marketplace Kyvos Single Node Installation (Kyvos SNI)
Kyvos provides the following methods for wizard-based deployment on AWS:
Using Kyvos public AMI
Depending upon your type of installation, you will need to ensure that the corresponding prerequisites are available.
Important
Download the AWS Installation Files folder and keep all the requisite files handy during installation and deployment.Â
Common prerequisites
Regardless of the type of installation, the following prerequisites should be available.
EC2Â key pair, consisting of a private key and a public key. You can create the key pair if needed.
Networking requirements
Use the Network CloudFormation template to automatically create network resources (VPC, Subnet, and Security Group).Â
If you want to deploy your network with NAT Gateway, use the NATGateway Template (vpc_nat.json file in the installation folder).
If you want to deploy your network with Endpoints, use the Endpoints Template ( vpc_internet_gateway.json file in the installation folder).
ORIf you want to use existing network resources, perform the following steps in your VPC.Â
You must create VPC Endpoints within your VPC to connect with the AWS services. Else, you must have the internet and NAT Gateway in the subnet.
List of VPC Endpoints for AWS services required by Kyvos:
In the table below, change the {AWS-REGION} according to the region in which you are deploying Kyvos.
AWS does not provide a VPC endpoint for the Cost explorer service, so the Kyvos Resource Usage feature will not work without internet access.
AWS Service Name | Description/Purpose | VPC Endpoint Name |
---|---|---|
CloudWatch logs | Used to send bootstrap logs of the EC2 machines to CloudWatch Logs. | com.amazonaws.{AWS-REGION}.logs |
CloudFormation | Used by Kyvos Manager at the time of deployment to validate and get details from the AWS stack in CloudFormation. | com.amazonaws.{AWS-REGION}.cloudformation |
CloudWatch Event | Used to schedule events on CloudWatch Event for scheduled starting of the Kyvos BI Server. | com.amazonaws.{AWS-REGION}.events |
S3 | Used to connect to S3 bucket for reading raw data and writing metadata. | com.amazonaws.{AWS-REGION}.s3 |
RDS | Used for scheduled start/stop of the Kyvos cluster along with RDS. | com.amazonaws.{AWS-REGION}.rds |
EC2 | Used by Kyvos Manager to describe EC2 and Kyvos BI Server for scheduled start/stop of Query Engines. | com.amazonaws.{AWS-REGION}.ec2 |
Secrets Manager | Used by the Kyvos BI Server to get the passwords stored in AWS Secrets Manager. | com.amazonaws.${AWS-REGION}.secretsmanager |
Permission requirements
You can create IAM roles using the CloudFormation template (wizard_based_deployment_iam_role.json file).
ORCreate IAM Role for:
Lambda that will be attached to the Kyvos-created Lambda functions. This role contains all the permissions required by lambda functions to run.
Download the ec2_iam_policy.json and lambda_iam_policy.json files in the installation folder.
S3 Bucket permissions for using existing bucket
If you want to use an existing S3 bucket and IAM role, or if you want to read data from an S3 bucket other than where Kyvos is deployed, then the IAM role must have the following permissions on the S3 bucket.
Important
Ensure that the bucket name confirms to AWS naming convention. Additionally, Kyvos does not allow dot (.) to be used for Bucket Name
Here, replace:
<Bucket Name> with the name of your bucket name.
<Lambda Role> with the name of your Lambda Role.
<EC2 Role> with the name of your EC2 Role.
<kyvosEksOidcrole> Copy the IAM role of Service Account.
To copy the IAM role of Service Account, perform the following steps.Login to AWS with your credentials.
Search for EKS.
On the EKS page, click the Add-ons tab.
Navigate to the Mountpoint for Amazon S3v CSI Driver section and copy the ARN role of OIDC.
<NodeGroupRole> Copy the Node IAM role ARN that will be attached to your Kyvos EKS cluster’s node group.
To copy the Node IAM role ARN role, perform the following steps.Login to AWS with your credentials.
Search for EKS.
On the EKS page, click the Compute tab.
Navigate to the Node Groups section and click the group name.
The Details section is displayed. Copy the Node IAM role ARN.
Open the deployment bucket permission section and add the ARN of OIDC (see, line number 11) and Node group (see, line number 9) role in the array.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "Ec2LambdaRoleBucketPolicy", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::815559998352:role/NodeGroupRole-user8s10", "arn:aws:iam::815559998352:role/kyvos-ec2-role-build-automation-iam-roles-2024-3-2", "arn:aws:iam::815559998352:role/kyvosEksOidcrole-userk8s10", "arn:aws:iam::815559998352:role/kyvos-lambda-role-build-automation-iam-roles-2024-3-2" ] }, "Action": [ "s3:PutAnalyticsConfiguration", "s3:GetObjectVersionTagging", "s3:ReplicateObject", "s3:GetObjectAcl", "s3:GetBucketObjectLockConfiguration", "s3:DeleteBucketWebsite", "s3:PutLifecycleConfiguration", "s3:GetObjectVersionAcl", "s3:DeleteObject", "s3:GetBucketPolicyStatus", "s3:GetObjectRetention", "s3:GetBucketWebsite", "s3:PutReplicationConfiguration", "s3:PutObjectLegalHold", "s3:GetObjectLegalHold", "s3:GetBucketNotification", "s3:PutBucketCORS", "s3:GetReplicationConfiguration", "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetObject", "s3:PutBucketNotification", "s3:PutBucketLogging", "s3:GetAnalyticsConfiguration", "s3:PutBucketObjectLockConfiguration", "s3:GetObjectVersionForReplication", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:GetBucketTagging", "s3:PutAccelerateConfiguration", "s3:DeleteObjectVersion", "s3:GetBucketLogging", "s3:ListBucketVersions", "s3:RestoreObject", "s3:ListBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketPolicy", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:GetObjectVersionTorrent", "s3:AbortMultipartUpload", "s3:GetBucketRequestPayment", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:DeleteBucket", "s3:PutBucketVersioning", "s3:GetBucketPublicAccessBlock", "s3:ListBucketMultipartUploads", "s3:PutMetricsConfiguration", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:PutInventoryConfiguration", "s3:GetObjectTorrent", "s3:PutBucketWebsite", "s3:PutBucketRequestPayment", "s3:PutObjectRetention", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:ReplicateDelete", "s3:GetObjectVersion", "s3:PutBucketTagging" ], "Resource": [ "arn:aws:s3:::kyvos-user8s10-47948/*", "arn:aws:s3:::kyvos-userk8s10-47948" ] } ] }
Add below permissions in AWS Wizard based IAM role for listing and describing EKS cluster
"EKSPolicy": { "Type": "AWS::IAM::Policy", "Condition": "EKSClusterPermissionsInclusion", "Properties": { "PolicyName": "eks-policy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "EksDescribeKM", "Effect": "Allow", "Action": [ "eks:ListClusters", "eks:DescribeCluster", "eks:ListNodegroups", "eks:DescribeNodegroup", "eks:DescribeAddon" ], "Resource": "*" }, {
You must have the Access Key and Secret Key to access the Kyvos bundle. Contact Kyvos Support for details.
Valid Kyvos license file.
Create an EKS cluster using CreateEks.json.
Run the following commands one by one on every Kyvos node to install kubectl
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install --bin-dir /usr/local/bin/ --install-dir /usr/local/aws-cli --update o curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.3/2024-04-19/bin/linux/amd64/kubectl chmod +x ./kubectl sudo chown kyvos:kyvos kubectl sudo mv kubectl /bin/ sudo mkdir -p /home/kyvos/.kube sudo chown -R kyvos:kyvos /home/kyvos/.kube
Run the commands below from sudo user on Kyvos Manager node to install eksctl.
Once the EKS cluster is created, go to the created node then go to Security.
Click the eks-cluster-sg-kyvosEks-{STACK-NAME}-random number as Security group.
Add inbound rule to the above security group with TCP 6903 and source group will be the Security Group attached to the BI server.
Add inbound rule to the Web server security group with TCP 2181 and source group will be the Security Group which was mentioned above (eks-cluster-sg-kyvosEks-{STACK-NAME}-random number).
Add inbound rule to the BI Server security group with TCP 2181 and source group will be the Security Group which was mentioned above (eks-cluster-sg-kyvosEks-{STACK-NAME}-random number).
Add inbound rule to the BI Server security group with TCP 45460 and source group will be the Security Group which was mentioned above (eks-cluster-sg-kyvosEks-{STACK-NAME}-random number).
Add inbound rule to the BI Server security group with TCP 6803 and source group will be the Security Group which was mentioned above (eks-cluster-sg-kyvosEks-{STACK-NAME}-random number).
Open the deployment bucket permission section and add the ARN of OIDC and Node group role in the array.
Ensure that the required ports are available.
Ensure that the required OS Commands used by Kyvos Manager are available on all the machines.
Copyright Kyvos, Inc. All rights reserved.