Permissions Configuration
Datafy requires basic AWS permissions to view the EC2 instances your volumes are attached to, and to control the creation and modification of EBS volumes.
These permissions are granted by creating a dedicated IAM role and providing its ARN to Datafy.
Permissions are configured per AWS account. If you wish to install Datafy on multiple AWS accounts, the following steps need to be performed for each account.
Configure IAM Role
Create IAM Role
We provide CloudFormation and Terraform templates for creating an IAM role. The template creates an IAM OIDC identity provider and an IAM role. The identity provider is used to ensure that only Datafy can use the created role.
When creating the role, define the permissions level of the role according to the Datafy product you intend to install:
Sensor permissions - the role provides read-only permissions. It allows retrieving data about EC2 instances and the volumes attached to them.
AutoScaler permissions - the role includes all of the Sensor read-only permissions, and adds modification and creation permissions. The role allows creation, modification and deletion of EBS volumes, which are used to manage your EBS storage devices.
Create a new CloudFormation stack using the URL below as the template source (see screenshot).
https://datafy-public-bucket.s3.amazonaws.com/cloudformation-template/aws_iam/cloudformation.yaml
Use the dropdown in the Parameters section to choose the desired permissions level.

You can create the role using the iam-role Terraform module. Examples and usage instructions can be found in the module documentation.
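Once the role exists, you can review its trust policy to confirm that it can only be assumed through the OIDC identity provider described above. The following is an added example, not part of the Datafy templates; the account ID, provider host and audience in the sample policy are constructed placeholders, and the checks assume the role is expected to trust a single OIDC provider with pinned `aud` and `sub` claims.

```python
import json

# Constructed sample trust policy. Account ID, provider host and audience are
# placeholders, not values from the vendor's template.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.example.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"oidc.example.com:aud": "example-audience"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return findings where the role's trust is wider than one pinned OIDC identity."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {idx}: wildcard principal")
            continue
        # Condition keys are case-insensitive, so compare them lowercased.
        cond_keys = {key.lower() for block in stmt.get("Condition", {}).values() for key in block}
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "Federated" or ":oidc-provider/" not in value:
                    findings.append(f"statement {idx}: non-OIDC principal {kind}={value}")
                    continue
                host = value.split(":oidc-provider/", 1)[1].lower()
                if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
                    findings.append(f"statement {idx}: unexpected action for OIDC principal")
                if f"{host}:aud" not in cond_keys:
                    findings.append(f"statement {idx}: no {host}:aud condition")
                if f"{host}:sub" not in cond_keys:
                    findings.append(f"statement {idx}: no {host}:sub condition, review")
    return findings


if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_TRUST_POLICY):
        print(finding)
```

To run it against the deployed role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role` instead of the sample.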
Define Role ARN in Datafy Account
In the Datafy dashboard, go to the Permissions section of the account settings. An Admin role is required to access the settings panel.
Fill in the ARN of the IAM role you just created.
The IAM role associated with the ARN will be validated. If the ARN is incorrect, or the permissions in the associated role are incorrect, you will receive an error.
If your AWS account has an attached organizational SCP, the IAM role cannot be validated. Please contact support to complete your setup.

If you're using custom encryption keys, please ensure that the Datafy role isn't restricted by your KMS policy. Datafy needs to be able to create volumes that "inherit" the keys of the original source volume that is being auto-scaled.
Validate Configuration
After you've created and defined the IAM role, you can see all of the volumes in your account in the Datafy dashboard.
At this stage, you can view the AWS attributes of each volume, including its provisioned size, but not the actual utilization. To view the utilization of each volume, continue with the installation process.
