Updated docs to remove beta and stable link #1160
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,313 @@ | ||
--- | ||
description: IAM permissions | ||
keywords: aws iam permissions | ||
title: Docker for AWS IAM permissions | ||
--- | ||
|
||
Here is a list of IAM permissions that are required in order to use Docker for AWS. | ||
|
||
If you want to deploy Docker for AWS, your account will need to have these permission, or else the stack will not | ||
Reviewer comment: Before you deploy Docker for AWS, your account needs these permissions for the stack to deploy correctly. If you create and use an IAM role with these permissions for creating the stack, CloudFormation will use the role's permissions instead of your own, using the AWS CloudFormation Service Role feature.
||
deploy correctly. It is possible to create an IAM role with these permissions, and use that role when creating the | ||
stack, and CloudFormation will use the role's permissions instead of your own. This feature is called [AWS CloudFormation Service Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html?icmpid=docs_cfn_console) | ||
follow the link for more information. | ||
|
||
``` | ||
Reviewer comment: Can you change the hinting to
||
{% raw %} | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "Stmt1481924239005", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"cloudformation:CancelUpdateStack", | ||
"cloudformation:ContinueUpdateRollback", | ||
"cloudformation:CreateChangeSet", | ||
"cloudformation:CreateStack", | ||
"cloudformation:CreateUploadBucket", | ||
"cloudformation:DeleteStack", | ||
"cloudformation:DescribeAccountLimits", | ||
"cloudformation:DescribeChangeSet", | ||
"cloudformation:DescribeStackEvents", | ||
"cloudformation:DescribeStackResource", | ||
"cloudformation:DescribeStackResources", | ||
"cloudformation:DescribeStacks", | ||
"cloudformation:EstimateTemplateCost", | ||
"cloudformation:ExecuteChangeSet", | ||
"cloudformation:GetStackPolicy", | ||
"cloudformation:GetTemplate", | ||
"cloudformation:GetTemplateSummary", | ||
"cloudformation:ListChangeSets", | ||
"cloudformation:ListStackResources", | ||
"cloudformation:ListStacks", | ||
"cloudformation:PreviewStackUpdate", | ||
"cloudformation:SetStackPolicy", | ||
"cloudformation:SignalResource", | ||
"cloudformation:UpdateStack", | ||
"cloudformation:ValidateTemplate" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Sid": "Stmt1481924344000", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"ec2:AllocateHosts", | ||
"ec2:AssignPrivateIpAddresses", | ||
"ec2:AssociateRouteTable", | ||
"ec2:AttachInternetGateway", | ||
"ec2:AttachNetworkInterface", | ||
"ec2:AttachVolume", | ||
"ec2:CreateInternetGateway", | ||
"ec2:CreateNatGateway", | ||
"ec2:CreateNetworkAcl", | ||
"ec2:CreateNetworkAclEntry", | ||
"ec2:CreateNetworkInterface", | ||
"ec2:CreateRoute", | ||
"ec2:CreateRouteTable", | ||
"ec2:CreateSecurityGroup", | ||
"ec2:CreateSubnet", | ||
"ec2:CreateTags", | ||
"ec2:CreateVolume", | ||
"ec2:CreateVpc", | ||
"ec2:DeleteInternetGateway", | ||
"ec2:DeleteNatGateway", | ||
"ec2:DeleteNetworkAcl", | ||
"ec2:DeleteNetworkAclEntry", | ||
"ec2:DeleteNetworkInterface", | ||
"ec2:DeleteRoute", | ||
"ec2:DeleteRouteTable", | ||
"ec2:DeleteSecurityGroup", | ||
"ec2:DeleteSubnet", | ||
"ec2:DeleteTags", | ||
"ec2:DeleteVolume", | ||
"ec2:DeleteVpc", | ||
"ec2:DescribeAccountAttributes", | ||
"ec2:DescribeAvailabilityZones", | ||
"ec2:DescribeHosts", | ||
"ec2:DescribeImageAttribute", | ||
"ec2:DescribeImages", | ||
"ec2:DescribeInstanceStatus", | ||
"ec2:DescribeInstances", | ||
"ec2:DescribeInternetGateways", | ||
"ec2:DescribeKeyPairs", | ||
"ec2:DescribeNetworkInterfaces", | ||
"ec2:DescribeRegions", | ||
"ec2:DescribeRouteTables", | ||
"ec2:DescribeSecurityGroups", | ||
"ec2:DescribeSubnets", | ||
"ec2:DescribeTags", | ||
"ec2:DescribeVolumeAttribute", | ||
"ec2:DescribeVolumeStatus", | ||
"ec2:DescribeVolumes", | ||
"ec2:DescribeVpcAttribute", | ||
"ec2:DescribeVpcs", | ||
"ec2:DetachInternetGateway", | ||
"ec2:DetachNetworkInterface", | ||
"ec2:DetachVolume", | ||
"ec2:DisassociateAddress", | ||
"ec2:DisassociateRouteTable", | ||
"ec2:GetConsoleOutput", | ||
"ec2:GetConsoleScreenshot", | ||
"ec2:ModifyVpcAttribute", | ||
"ec2:RebootInstances", | ||
"ec2:ReleaseAddress", | ||
"ec2:ReleaseHosts", | ||
"ec2:RevokeSecurityGroupEgress", | ||
"ec2:RevokeSecurityGroupIngress", | ||
"ec2:RunInstances", | ||
"ec2:StartInstances", | ||
"ec2:StopInstances", | ||
"ec2:TerminateInstances" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Sid": "Stmt1481924651000", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"autoscaling:AttachInstances", | ||
"autoscaling:AttachLoadBalancers", | ||
"autoscaling:CompleteLifecycleAction", | ||
"autoscaling:CreateAutoScalingGroup", | ||
"autoscaling:CreateLaunchConfiguration", | ||
"autoscaling:CreateOrUpdateTags", | ||
"autoscaling:DeleteAutoScalingGroup", | ||
"autoscaling:DeleteLaunchConfiguration", | ||
"autoscaling:DeleteLifecycleHook", | ||
"autoscaling:DeleteNotificationConfiguration", | ||
"autoscaling:DeletePolicy", | ||
"autoscaling:DeleteScheduledAction", | ||
"autoscaling:DeleteTags", | ||
"autoscaling:DescribeAccountLimits", | ||
"autoscaling:DescribeAutoScalingGroups", | ||
"autoscaling:DescribeAutoScalingInstances", | ||
"autoscaling:DescribeAutoScalingNotificationTypes", | ||
"autoscaling:DescribeLaunchConfigurations", | ||
"autoscaling:DescribeLifecycleHookTypes", | ||
"autoscaling:DescribeLifecycleHooks", | ||
"autoscaling:DescribeLoadBalancers", | ||
"autoscaling:DescribeScalingActivities", | ||
"autoscaling:DescribeTags", | ||
"autoscaling:DetachInstances", | ||
"autoscaling:DetachLoadBalancers", | ||
"autoscaling:DisableMetricsCollection", | ||
"autoscaling:EnableMetricsCollection", | ||
"autoscaling:EnterStandby", | ||
"autoscaling:ExecutePolicy", | ||
"autoscaling:ExitStandby", | ||
"autoscaling:PutLifecycleHook", | ||
"autoscaling:PutNotificationConfiguration", | ||
"autoscaling:PutScalingPolicy", | ||
"autoscaling:PutScheduledUpdateGroupAction", | ||
"autoscaling:RecordLifecycleActionHeartbeat", | ||
"autoscaling:ResumeProcesses", | ||
"autoscaling:SetDesiredCapacity", | ||
"autoscaling:SetInstanceHealth", | ||
"autoscaling:SetInstanceProtection", | ||
"autoscaling:SuspendProcesses", | ||
"autoscaling:TerminateInstanceInAutoScalingGroup", | ||
"autoscaling:UpdateAutoScalingGroup" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Sid": "Stmt1481924759004", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"dynamodb:CreateTable", | ||
"dynamodb:DeleteItem", | ||
"dynamodb:DeleteTable", | ||
"dynamodb:DescribeTable", | ||
"dynamodb:GetItem", | ||
"dynamodb:ListTables", | ||
"dynamodb:PutItem", | ||
"dynamodb:Query", | ||
"dynamodb:UpdateItem", | ||
"dynamodb:UpdateTable" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Sid": "Stmt1481924854000", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"logs:CreateLogGroup", | ||
"logs:CreateLogStream", | ||
"logs:DeleteLogGroup", | ||
"logs:DeleteLogStream", | ||
"logs:DescribeLogGroups", | ||
"logs:GetLogEvents", | ||
"logs:PutLogEvents", | ||
"logs:PutRetentionPolicy" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Sid": "Stmt1481924989003", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"sqs:ChangeMessageVisibility", | ||
"sqs:CreateQueue", | ||
"sqs:DeleteMessage", | ||
"sqs:DeleteQueue", | ||
"sqs:GetQueueAttributes", | ||
"sqs:GetQueueUrl", | ||
"sqs:ListQueues", | ||
"sqs:ReceiveMessage", | ||
"sqs:SendMessage", | ||
"sqs:SetQueueAttributes" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Sid": "Stmt1481924989002", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"iam:AddRoleToInstanceProfile", | ||
"iam:CreateInstanceProfile", | ||
"iam:CreateRole", | ||
"iam:DeleteInstanceProfile", | ||
"iam:DeleteRole", | ||
"iam:DeleteRolePolicy", | ||
"iam:GetRole", | ||
"iam:PassRole", | ||
"iam:PutRolePolicy", | ||
"iam:RemoveRoleFromInstanceProfile" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Sid": "Stmt1481924989001", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"elasticloadbalancing:AddTags", | ||
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", | ||
"elasticloadbalancing:AttachLoadBalancerToSubnets", | ||
"elasticloadbalancing:ConfigureHealthCheck", | ||
"elasticloadbalancing:CreateListener", | ||
"elasticloadbalancing:CreateLoadBalancer", | ||
"elasticloadbalancing:CreateLoadBalancerListeners", | ||
"elasticloadbalancing:CreateLoadBalancerPolicy", | ||
"elasticloadbalancing:CreateRule", | ||
"elasticloadbalancing:CreateTargetGroup", | ||
"elasticloadbalancing:DeleteListener", | ||
"elasticloadbalancing:DeleteLoadBalancer", | ||
"elasticloadbalancing:DeleteLoadBalancerListeners", | ||
"elasticloadbalancing:DeleteLoadBalancerPolicy", | ||
"elasticloadbalancing:DeleteRule", | ||
"elasticloadbalancing:DeleteTargetGroup", | ||
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | ||
"elasticloadbalancing:DeregisterTargets", | ||
"elasticloadbalancing:DescribeInstanceHealth", | ||
"elasticloadbalancing:DescribeListeners", | ||
"elasticloadbalancing:DescribeLoadBalancerAttributes", | ||
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes", | ||
"elasticloadbalancing:DescribeLoadBalancerPolicies", | ||
"elasticloadbalancing:DescribeLoadBalancers", | ||
"elasticloadbalancing:DescribeRules", | ||
"elasticloadbalancing:DescribeSSLPolicies", | ||
"elasticloadbalancing:DescribeTags", | ||
"elasticloadbalancing:DescribeTargetGroupAttributes", | ||
"elasticloadbalancing:DescribeTargetGroups", | ||
"elasticloadbalancing:DescribeTargetHealth", | ||
"elasticloadbalancing:DetachLoadBalancerFromSubnets", | ||
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", | ||
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", | ||
"elasticloadbalancing:ModifyListener", | ||
"elasticloadbalancing:ModifyLoadBalancerAttributes", | ||
"elasticloadbalancing:ModifyRule", | ||
"elasticloadbalancing:ModifyTargetGroup", | ||
"elasticloadbalancing:ModifyTargetGroupAttributes", | ||
"elasticloadbalancing:RegisterTargets", | ||
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", | ||
"elasticloadbalancing:RemoveTags", | ||
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate", | ||
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", | ||
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener", | ||
"elasticloadbalancing:SetRulePriorities", | ||
"elasticloadbalancing:SetSecurityGroups", | ||
"elasticloadbalancing:SetSubnets" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
} | ||
] | ||
} | ||
{% endraw %} | ||
``` |
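Review bot: every statement in this policy, including the IAM one (`iam:CreateRole`, `iam:PutRolePolicy`, `iam:PassRole`), is granted on `"Resource": ["*"]`, so a principal holding it can create roles with arbitrary inline policies and pass them to EC2 instances; that is close to account-level administration and the intro should say so rather than present the policy as a routine prerequisite. Suggest the text recommend the CloudFormation Service Role path already linked here as the default (attach the policy to a dedicated role used only for stack operations, not to a person's credentials), and, if the template's role naming allows it, scope the IAM statement's `Resource` to the stack's own role and instance-profile ARNs. Two smaller points in the same hunk: "these permission" should read "these permissions", and the opening fence still carries no language hint, as already raised.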
@@ -7,18 +7,19 @@ redirect_from: | |
- /engine/installation/amazon/ | ||
--- | ||
|
||
|
||
## Prerequisites | ||
|
||
- Access to an AWS account with permissions to use CloudFormation and creating the following objects | ||
- Access to an AWS account with permissions to use CloudFormation and creating the following objects. [Full set of required permissions](iam-permissions.md). | ||
- EC2 instances + Auto Scaling groups | ||
- IAM profiles | ||
- DynamoDB Tables | ||
- SQS Queue | ||
- VPC + subnets | ||
- VPC + subnets and security groups | ||
- ELB | ||
- CloudWatch Log Group | ||
- SSH key in AWS in the region where you want to deploy (required to access the completed Docker install) | ||
- AWS account that support EC2-VPC (See the [FAQ for details about EC2-Classic](../faq/aws.md)) | ||
- AWS account that support EC2-VPC (See the [FAQ for details about EC2-Classic](faqs.md)) | ||
|
||
For more information about adding an SSH key pair to your account, please refer to the [Amazon EC2 Key Pairs docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) | ||
|
||
|
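Review bot: the two prerequisite lines being edited carry grammar errors worth fixing while they are touched: "permissions to use CloudFormation and creating the following objects" should read "and create the following objects", and "AWS account that support EC2-VPC" should read "that supports EC2-VPC". Since the new link to `iam-permissions.md` is the page readers will use to build their policy, consider also stating there that the listed object types (IAM profiles, security groups, ELB) are created on the reader's behalf, which is why the permissions are broad.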
@@ -38,7 +39,7 @@ The EC2 instance type for your worker nodes. | |
The EC2 instance type for your manager nodes. The larger your swarm, the larger the instance size you should use. | ||
|
||
#### ClusterSize | ||
The number of workers you want in your swarm (1-1000). | ||
The number of workers you want in your swarm (0-1000). | ||
|
||
#### ManagerSize | ||
The number of Managers in your swarm. You can pick either 1, 3 or 5 managers. We only recommend 1 manager for testing and dev setups. There are no failover guarantees with 1 manager — if the single manager fails the swarm will go down as well. Additionally, upgrading single-manager swarms is not currently guaranteed to succeed. | ||
|
@@ -81,7 +82,7 @@ Go to the [Release Notes](release-notes.md) page, and click on the "launch stack | |
You can also invoke the Docker for AWS CloudFormation template from the AWS CLI: | ||
|
||
Here is an example of how to use the CLI. Make sure you populate all of the parameters and their values: | ||
``` | ||
```bash | ||
$ aws cloudformation create-stack --stack-name teststack --template-url <templateurl> --parameters ParameterKey=KeyName,ParameterValue=<keyname> ParameterKey=InstanceType,ParameterValue=t2.micro ParameterKey=ManagerInstanceType,ParameterValue=t2.micro ParameterKey=ClusterSize,ParameterValue=1 --capabilities CAPABILITY_IAM | ||
``` | ||
|
||
|
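Review bot: the CLI example passes `--capabilities CAPABILITY_IAM` without explaining it; since the template creates IAM roles and instance profiles, readers who drop the flag get a failed stack with no obvious cause. Suggest one sentence before the fence saying the flag is required because the stack creates IAM resources, with a link to the new permissions page. A style point: the single long command line is hard to read and copy; breaking it with `\` continuations, one `ParameterKey=...` per line, would help.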
@@ -91,7 +92,7 @@ To fully automate installs, you can use the [AWS Cloudformation API](http://docs | |
|
||
Docker for AWS starts with a CloudFormation template that will create everything that you need from scratch. There are only a few prerequisites that are listed above. | ||
|
||
It first starts off by creating a new VPC along with subnets and security groups. Once the networking is set up, it will create two Auto Scaling Groups, one for the managers and one for the workers, and set the desired capacity that was selected in the CloudFormation setup form. The managers will start up first and create a Swarm manager quorum using Raft. The workers will then start up and join the swarm one by one, until all of the workers are up and running. At this point you will have x number of managers and y number of workers in your swarm, that are ready to handle your application deployments. See the [deployment](../deploy.md) docs for your next steps. | ||
It first starts off by creating a new VPC along with subnets and security groups. Once the networking is set up, it will create two Auto Scaling Groups, one for the managers and one for the workers, and set the desired capacity that was selected in the CloudFormation setup form. The managers will start up first and create a Swarm manager quorum using Raft. The workers will then start up and join the swarm one by one, until all of the workers are up and running. At this point you will have x number of managers and y number of workers in your swarm, that are ready to handle your application deployments. See the [deployment](deploy.md) docs for your next steps. | ||
Reviewer comment: The CloudFormation template first creates a new VPC along with... After the networking set-up completes, two Auto Scaling Groups are created, one for ... and the configured capacity setting is applied. Managers start first and create a quorum using Raft, then the workers start and join the swarm one at a time. At this point, the swarm is comprised of X number of managers and Y number of workers, and you can deploy your applications.
||
|
||
If you increase the number of instances running in your worker Auto Scaling Group (via the AWS console, or updating the CloudFormation configuration), the new nodes that will start up will automatically join the swarm. | ||
|
||
|
Reviewer comment: The following IAM permissions are required to use Docker for AWS.