Configure c4 for AWS

This section explains how to configure Exasol Deployment Tool (c4) to deploy Exasol 8 on Amazon Web Services (AWS).


Create a configuration file

Exasol Deployment Tool (c4) has a large number of parameters that can be configured using a local configuration file. Parameters that are not included in the local configuration file will use default values that are internally stored in the application.

For more information about c4 configuration parameters, see Parameters in c4.

Parameters that are not described in this documentation should not be changed without consulting Exasol. Incorrectly set parameters may make the deployment invalid.

The configuration examples in this section use Linux shell syntax. Configuration parameters can also be defined in YAML or JSON format. For more information about c4 configuration formats, see Parameters in c4.

Mandatory parameters

The following parameters must always be defined in the local configuration file:

Parameter Description Default value
CCC_USER_EMAIL Email address to be used for deployment tagging. (empty)

Boolean for including an access node in the deployment.

The access node is required when carrying out operations that involve shutting down all the database nodes, such as when you want to vertically scale the main cluster (change instance types).

If this parameter is omitted or set to false, an access node will not be deployed.

CCC_PLAY_ADMIN_PASSWORD Password for COS authentication (user: admin). (empty)

Password for Exasol database authentication (user: sys).

For security reasons you should always change the default password.


Password used internally for running the deployments.

This password is only used internally and will not be required further, but a password must be explicitly set in the configuration file as there is no default value.

  1. In your home directory, create the directory ~/.ccc and an empty file ~/.ccc/config (using a text editor such as vim or nano).

    mkdir ~/.ccc
    vim ~/.ccc/config
  2. Define the mandatory parameters in the configuration file ~/.ccc/config. For example:

The CCC_USER_PASSWORD parameter must be set in the configuration file, otherwise the deployments will not start. This parameter does not have a default value.

Always replace the default passwords by setting unique, secure passwords in your configuration file. Never use the passwords that are used in the examples in the documentation.

Configure AWS parameters

Add the following parameters to the c4 configuration file ~/.ccc/config:

Parameter Description Default value
CCC_AWS_KEY_PAIR The name of the SSH key pair to be used in the deployed instances. For more information, see EC2 key pair . key-pair-missing
CCC_AWS_KEY_PAIR_FILE The name of the file with the private key of the SSH key pair specified in CCC_AWS_KEY_PAIR. The file must be located in the ~/.ssh/ directory. (empty)

The EC2 instance type to be used for the database nodes in the deployment. For more information about how to choose an instance type, see Choose EC2 Instance Type.

Instance types can be changed after deployment. For more information, see Scale a Cluster.


Boolean for disabling multi-factor authentication (MFA) in AWS.

MFA is enabled by default. If your AWS account does not require MFA, this parameter must be set to true. If MFA is required, this parameter must be set to false or omitted from the configuration file.


The AWS profile name to be used for the deployment.

When MFA is enabled, c4 will automatically append -mfa to the string value set in this parameter. This means that for the default profile, the actual profile name used in the deployment will be default-mfa.

Do not add -mfa in this parameter, as that will cause the deployment to fail.

CCC_AWS_REGION The AWS region where the deployments will be created. eu-west-1

Configure the AWS CLI

If the AWS CLI is not yet configured on your machine you must set it up with your AWS Access Key ID and Access Key. To configure the AWS CLI, use the command aws configure and proceed through the wizard.

For more information about configuring the AWS CLI, see AWS CLI Configuration Basics.

EC2 key pair

To be able to access your instances over SSH you must have an active EC2 key pair in your AWS account. The key pair that you specify will be associated with the EC2 instances and is used for authentication. For more information about authentication using EC2 keys, see Amazon EC2 key pairs.

You can create a new key pair or import an existing public key using either the AWS Console, the AWS CLI, or Windows PowerShell. The following examples use the AWS CLI method. For more details about how to create or import keys and about which key formats are supported, see Create key pairs.

Example 1: Create a new EC2 key pair using AWS CLI

In this example, the private key is saved in my-key-pair.pem

aws --profile default-mfa ec2 create-key-pair \
    --key-name my-key-pair \
    --query "KeyMaterial" \
    --output text > ~/.ssh/my-key-pair.pem

Example 2: Import an existing SSH public key using AWS CLI

In this example, the existing public key is imported to Amazon EC2.

aws --profile default-mfa ec2 import-key-pair \
    --key-name my-imported-key \
    --public-key-material fileb://~/.ssh/

If you use multi-factor authentication (MFA) and the parameter CCC_AWS_NO_MFA is set to false or omitted from the configuration, the profile name must be appended with -mfa in this command. For example: aws --profile default-mfa ec2 create-key-pair .... The -mfa suffix is added internally to the profile name defined in the c4 configuration when MFA is enabled, which means that if CCC_AWS_PROFILE is set to default, the actual profile name will be default-mfa.

Do not add -mfa to the profile name in the c4 configuration parameter, as this will cause the deployment to fail.

Private key permissions

The following requirements apply for SSH private keys:

  • The file containing the private key must be located in the ~/.ssh/ folder.

  • The owner of the private key file must be the user that will run c4 commands.

  • The private key must be protected with owner read-only permissions (0400).

    chmod 400 ~/.ssh/MyKeyPair.pem

The SSH key allows you to access the host system and the COS container of the deployment with the highest privileges. To maintain data security, make sure that the private key is generated with a passphrase and that the key file has adequate access restrictions.


To verify that all required configuration parameters have been set, use c4 config. For example:

$ c4 config

To verify that all dependencies for AWS are fulfilled and that the AWS account can be accessed, use c4 aws diag. For example:

$ c4 aws diag
[OK] aws tools are installed
[OK] jq is installed
[OK] pip is installed
[OK] aws version 1.16+
[OK] aws tools credentials are set
[OK] aws tools credentials are correct
[OK] exasol aws account is accessible
[OK] Private AWS SSH access key file found

Next steps

Configure Network Settings

The next step is to make sure that your deployment can communicate over the network. This section describes the necessary Amazon EC2 security group rules and the default ports used by Exasol.