Link your Amazon Web Services account
You can register your AWS account credentials in your Docker Cloud account to deploy node clusters and nodes using Docker Cloud's dashboard, API or CLI. AWS Security Credentials are required so that Docker Cloud can interact with AWS on your behalf to create and manage your nodes (EC2 instances).
We recommend that you create a dockercloud-user service user with AWS IAM (Identity and Access Management). If you have already done this, skip to Add AWS Account Credentials.
Create a dockercloud-user in AWS IAM
Although you can use any AWS credentials with the correct privileges, we recommend creating a new service user called dockercloud-user in AWS IAM.
- Go to https://console.aws.amazon.com/iam/#users to access the IAM panel in AWS.
- In AWS IAM, click Create New Users.
- On the next screen enter dockercloud-user as the username.
- Make sure the Generate an access key for each user checkbox is selected.
- Click Create.
  AWS shows you the Access Key ID and Secret Access Key for the new service user. These credentials will not be shown again.
- Copy both or click Download Credentials to save them to a file on your local machine.

Create dockercloud-user policy
Before Docker Cloud can use the new user you just created, you need to give it specific privileges so it can provision EC2 resources on your behalf.
- Go to the AWS IAM panel at https://console.aws.amazon.com/iam/home#policies
- Click Create Policy.
- On the next screen click Create Your Own Policy.
- Name the policy dockercloud-policy and paste the following text in the space provided for Policy Document.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "ec2:*",
              "iam:ListInstanceProfiles"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }

  To limit the user to a specific region, use the policy below instead.

  ec2:* allows the user to perform any operation in EC2. iam:ListInstanceProfiles allows the user to retrieve instance profiles to apply to your nodes.

  Note: You cannot use an instance profile that has more permissions than the IAM user you are using with Docker Cloud. If you do that, you will get an "unauthorized operation" error. You can fix this issue by adding the "Action":"iam:PassRole" permission to the policy for the service user. You can read more about this here.
- Click Validate Policy.
- If the validation is successful click Create Policy.
Limit dockercloud-user to a specific EC2 region
You can limit the dockercloud-user to a specific EC2 region using the following policy instead of the standard one presented above. To do this, replace the example region us-west-2 (US West (Oregon)) with your desired region.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:*"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ec2:Region": "us-west-2"
            }
          }
        },
        {
          "Action": [
            "iam:ListInstanceProfiles"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
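The following added example, which is not part of the original page or of Docker Cloud's tooling, reviews the two policy documents above before you attach them: it reports how far each ec2:* grant reaches and flags an iam:PassRole grant that covers every role. The function names are assumptions made for this example, and it only handles the Statement, Action, Resource and StringEquals shapes used on this page.

```python
import json

# Both documents are copied from this page.
STANDARD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Action": ["ec2:*", "iam:ListInstanceProfiles"], "Effect": "Allow", "Resource": "*"}]}""")
REGIONAL = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Action": ["ec2:*"], "Effect": "Allow", "Resource": "*",
   "Condition": {"StringEquals": {"ec2:Region": "us-west-2"}}},
  {"Action": ["iam:ListInstanceProfiles"], "Effect": "Allow", "Resource": "*"}]}""")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def pinned_regions(statement):
    """Regions set by a StringEquals condition on ec2:Region (empty if none)."""
    equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in equals.items():
        if key.lower() == "ec2:region":  # condition key names are case-insensitive
            return sorted(as_list(value))
    return []

def review(policy):
    """Return (statement index, finding) pairs for the broad grants in a policy."""
    findings = []
    for index, statement in enumerate(as_list(policy["Statement"])):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in as_list(statement.get("Resource", [])):
            continue  # only grants on every resource are reported here
        regions = pinned_regions(statement)
        for action in as_list(statement.get("Action", [])):
            name = action.lower()  # action names are case-insensitive
            if name == "ec2:*":
                scope = "region " + ",".join(regions) if regions else "every region"
                findings.append((index, "ec2:* on all resources in " + scope))
            elif name == "iam:passrole":
                findings.append((index, "iam:PassRole on all roles; set Resource to the role ARN"))
    return findings

if __name__ == "__main__":
    # Constructed variant: the standard policy plus the iam:PassRole fix from the note.
    with_passrole = json.loads(json.dumps(STANDARD))
    with_passrole["Statement"][0]["Action"].append("iam:PassRole")
    for label, doc in (("standard", STANDARD), ("regional", REGIONAL), ("passrole", with_passrole)):
        print(label, review(doc))
```

The standard policy is reported as reaching every region, while the regional one is reported as pinned to us-west-2.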
Attach policy
- Return to the Users list in the AWS IAM panel at https://console.aws.amazon.com/iam/#users.
- Click the dockercloud-user to edit it.
- Click the Permissions tab.
- Click Attach Policy to open a list of access policies.

- Select the policy you just created.
- Click Attach Policy.

Add AWS account credentials
Once you've created the new dockercloud-user service user, have its
credentials, and set the custom policy that allows
Docker Cloud to use it, go back to Docker Cloud to add the service user's credentials.
- In Docker Cloud, click Account info > Cloud Providers.
- Enter the Access Key ID and Secret Access Key for the service user account. You can copy and paste these from the file you downloaded.
- Click Save credentials.
What's next?
You're ready to start using AWS as the infrastructure provider for Docker Cloud! If you came here from the tutorial, click here to continue the tutorial and deploy your first node.

