Provisioner host requirements

This section outlines the additional configuration and software that the Provisioner host needs in order to deploy the DataRobot platform on Amazon Elastic Kubernetes Service (EKS).

Note

You must fulfill the generic Provisioner host requirements before proceeding.

AWS CLI

The AWS Command Line Interface (AWS CLI) is an open-source tool that enables you to interact with AWS services using commands in your command-line shell. See Installing or updating to the latest version of the AWS CLI.

Provisioner node instance role

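If you use a provisioner VM, DataRobot recommends configuring the VM with an IAM instance role and granting that role the permissions and policies it needs to interact with the EKS cluster. Using an instance role means the host obtains temporary credentials automatically, so no long-lived access keys need to be stored on it.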

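The following AWS-managed policies are recommended. Note that AmazonEC2ContainerRegistryFullAccess and AmazonRoute53FullAccess grant full access to those services across the whole account; if the installation only touches specific repositories or hosted zones, consider replacing them with customer-managed policies scoped to those resources.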

  • arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
  • arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
  • arn:aws:iam::aws:policy/AmazonEKSServicePolicy
  • arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  • arn:aws:iam::aws:policy/AmazonRoute53FullAccess

Additionally, you can attach the custom policies below to the instance role to facilitate the installation.

IAM read only

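Provides comprehensive read-only access to IAM entities and configurations. It allows the principal it is attached to (here, the provisioner instance role) to inspect, audit, and retrieve details about users, roles, policies, and security configurations within the AWS account. Although the policy cannot modify IAM, it applies to every resource ("Resource": "*") and exposes account-wide identity metadata, including the credential report (iam:GetCredentialReport) and the full authorization details (iam:GetAccountAuthorizationDetails). Attach it only to the provisioner role, and consider detaching it once the installation is complete.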

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion",
                "iam:GetAccountPasswordPolicy",
                "iam:ListRoleTags",
                "iam:ListServerCertificates",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:ListServiceSpecificCredentials",
                "iam:ListSigningCertificates",
                "iam:ListVirtualMFADevices",
                "iam:ListSSHPublicKeys",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
                "iam:GetAccountEmailAddress",
                "iam:ListAttachedRolePolicies",
                "iam:ListOpenIDConnectProviderTags",
                "iam:ListSAMLProviderTags",
                "iam:ListRolePolicies",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetCredentialReport",
                "iam:ListPolicies",
                "iam:GetServerCertificate",
                "iam:GetRole",
                "iam:ListSAMLProviders",
                "iam:GetPolicy",
                "iam:GetAccessKeyLastUsed",
                "iam:ListEntitiesForPolicy",
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:GetAccountName",
                "iam:GetGroupPolicy",
                "iam:GetOpenIDConnectProvider",
                "iam:ListSTSRegionalEndpointsStatus",
                "iam:GetRolePolicy",
                "iam:GetAccountSummary",
                "iam:GenerateCredentialReport",
                "iam:GetServiceLastAccessedDetailsWithEntities",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListInstanceProfileTags",
                "iam:ListMFADevices",
                "iam:GetServiceLastAccessedDetails",
                "iam:GetGroup",
                "iam:GetContextKeysForPrincipalPolicy",
                "iam:GetOrganizationsAccessReport",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:ListInstanceProfilesForRole",
                "iam:GenerateOrganizationsAccessReport",
                "iam:GetCloudFrontPublicKey",
                "iam:ListAttachedUserPolicies",
                "iam:ListAttachedGroupPolicies",
                "iam:ListPolicyTags",
                "iam:GetSAMLProvider",
                "iam:ListAccessKeys",
                "iam:GetInstanceProfile",
                "iam:ListGroupPolicies",
                "iam:ListCloudFrontPublicKeys",
                "iam:GetSSHPublicKey",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListInstanceProfiles",
                "iam:GetContextKeysForCustomPolicy",
                "iam:ListPolicyVersions",
                "iam:ListOpenIDConnectProviders",
                "iam:ListServerCertificateTags",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListGroups",
                "iam:ListMFADeviceTags",
                "iam:GetLoginProfile",
                "iam:ListUserTags"
            ],
            "Resource": "*"
        }
    ]
}