Note: When creating an IAM role for your application, always follow the principle of least privilege: grant only the permissions the application actually needs, to minimize security risk.
Create a key-pair
Amazon secures SSH access to every instance with a key-pair. You will need to create a key-pair before you can launch any instances, and when you launch an instance make sure you choose the correct key. When you create a key-pair, the private key is downloaded to your PC; keep it there and never upload it anywhere.
AWS CLI access
Create an IAM Role for AWS CLI access
- From the AWS Console, navigate to IAM
- Add a new user
- Add the permissions you require, e.g.:
  - S3FullAccess: create/delete buckets, upload/download files
  - EC2FullAccess: start and terminate instances
- Enable "Programmatic Access"
- Record the "Access key ID" and "Secret Access Key"
Configure AWS CLI access on your computer
- You will need to install Python 3
- Install the AWS CLI via pip:
  pip3 install awscli
- Configure the AWS CLI with your IAM credentials (created above):
  aws configure
  AWS Access Key ID [None]: <from AWS console>
  AWS Secret Access Key [None]: <from AWS console>
  Default region name [None]: <your region> (e.g. us-east-1 or us-west-2)
  Default output format [None]: json
- Test your configuration:
  aws sts get-caller-identity
  Result:
  {
      "UserId": "<your ID>",
      "Account": "<your account number>",
      "Arn": "arn:aws:iam::<your account number>:user/<your IAM user>"
  }
Create an IAM Role for your compute instances
Create an IAM (AWS Identity and Access Management) role that you can assign to instances at launch to give them access to specified AWS resources. For example, Lumerical products support loading files from S3 URLs, and if you launch your instance with a role that allows S3 access, this integration simply works. We recommend the following permissions for your compute node IAM role:
- S3FullAccess. This allows the script to download the job file and to upload the results and logs when finished.
- EC2ReadOnly. This allows the script to discover all the servers and collect their IP addresses to launch distributed FDTD jobs.
- EC2 terminate-instance permission. This allows the script to terminate all the server instances when the job completes. You don't need this if you prefer to terminate the servers manually in the console.
If you share your AWS account with other uses, you can set narrower permissions on this role and allow access only to specific AWS regions, S3 buckets, etc.
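The following is an added example, not part of the original page or of Lumerical's own tooling. It builds the three permissions recommended for the compute-node role above, but in the narrowed form the last paragraph suggests for a shared account: S3 access limited to one job bucket, EC2 discovery limited to one region, and termination limited to instances carrying a job tag. It also includes a small least-privilege check that flags the pattern the managed *FullAccess policies use (service-wide actions on every resource with no condition). The bucket name, region, tag key and the S3_FULL_ACCESS_LIKE statement are constructed placeholders, not copied from AWS.

```python
"""Narrowed IAM policy for a compute-node role, plus a least-privilege check.

Added example; the bucket, region and tag values are constructed placeholders.
"""
import json


def build_compute_role_policy(bucket, region, job_tag_key="LumericalJob"):
    """Return an IAM policy document (as a dict) scoped to one bucket, one region
    and one instance tag, instead of the broad S3FullAccess/EC2FullAccess."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # S3: download the job file, upload results and logs, this bucket only
                "Sid": "JobBucketAccess",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                # EC2 read-only: discover servers and collect their IPs.
                # Describe* calls do not support resource-level ARNs, so the
                # resource must be "*"; restrict by region with a condition instead.
                "Sid": "DiscoverServers",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances"],
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
            },
            {
                # Terminate only instances tagged as part of a job, in this region
                "Sid": "TerminateJobServers",
                "Effect": "Allow",
                "Action": ["ec2:TerminateInstances"],
                "Resource": f"arn:aws:ec2:{region}:*:instance/*",
                "Condition": {"StringEquals": {f"aws:ResourceTag/{job_tag_key}": "true"}},
            },
        ],
    }


# Constructed approximation of what a *FullAccess-style grant looks like; used only
# to show what the check below flags. Not the text of any AWS managed policy.
S3_FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return the Sids of Allow statements that combine a wildcard or service-wide
    action (e.g. "*" or "ec2:*") with Resource "*" and no Condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in resources and "Condition" not in stmt:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def policy_json(policy):
    """Serialise the policy the way you would paste it into the IAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    scoped = build_compute_role_policy("my-fdtd-jobs", "us-east-1")
    print(policy_json(scoped))
    print("overbroad in scoped policy:", find_overbroad_statements(scoped))
    print("overbroad in full-access-like policy:",
          find_overbroad_statements(S3_FULL_ACCESS_LIKE))
```

Paste the printed document into the role's inline policy in the IAM console (or pass it to `aws iam put-role-policy`). The check is deliberately simple: it catches the "everything on everything" shape, not every over-grant, so treat an empty result as a first pass rather than proof of least privilege.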