Configure c4 for AWS

This section explains how to configure Exasol Deployment Tool (c4) to deploy Exasol 8 on Amazon Web Services (AWS).

Configuring c4 for AWS involves setting basic configuration parameters as well as parameters that are specific to the deployment platform, including configuring AWS access.

Prerequisites

Step 1: Create a c4 Configuration File

Exasol Deployment Tool (c4) has a large number of parameters that can be configured using a local configuration file. Parameters that are not included in the local configuration file will fall back on the default values, which are internally stored in the application.

For more information about c4 configuration parameters, see Parameters in c4.

Parameters that are not described in this documentation should not be changed without consulting Exasol. Incorrectly set parameters may make the deployment invalid.

The configuration examples in this section use Linux shell syntax. Configuration parameters can also be defined in YAML or JSON format. For more information about c4 configuration formats, see Parameters in c4.

Mandatory Parameters

The following parameters must always be defined in the local configuration file:

| Parameter | Description | Default value |
| --- | --- | --- |
| CCC_USER_EMAIL | Email address to be used for deployment tagging. | (empty) |
| CCC_PLAY_ACCESS_NODE | Boolean for including an access node in the deployment. If this parameter is omitted or set to false, an access node will not be deployed and the Administration API cannot be used to manage the instance. | true |
| CCC_PLAY_ADMIN_PASSWORD | Password for COS authentication (user: admin). | (empty) |
| CCC_PLAY_DB_PASSWORD | Password for Exasol database authentication (user: sys). For security reasons you should always change the default password. | exasol |
| CCC_USER_PASSWORD | Password used internally for running the deployments. This password is only used internally and will not be required further, but a password must be explicitly set in the configuration file as there is no default value. | (empty) |

  1. In your home directory, create the directory ~/.ccc and an empty file ~/.ccc/config (using a text editor such as vim or nano).

    mkdir ~/.ccc
    vim ~/.ccc/config
  2. Define the mandatory parameters in the configuration file ~/.ccc/config. For example:

    CCC_USER_EMAIL=my.name@example.com
    CCC_PLAY_ACCESS_NODE=true
    CCC_PLAY_ADMIN_PASSWORD=sdf87934kh&8_yg7
    CCC_PLAY_DB_PASSWORD=R_&hkjgKjgnvP#9x
    CCC_USER_PASSWORD=98f*7jhgdf_Yfe

Always replace the default passwords by setting unique, secure passwords in your configuration file. Never use the passwords that are used in the examples in the documentation.

The CCC_USER_PASSWORD parameter must be set in the configuration file, otherwise the deployments will not start. This parameter does not have a default value.

Step 2: Configure AWS Parameters

Add the following parameters to the c4 configuration file ~/.ccc/config:

| Parameter | Description | Default value |
| --- | --- | --- |
| CCC_AWS_KEY_PAIR | The name of the SSH key pair to be used in the deployed instances. For more information, see EC2 Key Pair. | key-pair-missing |
| CCC_AWS_KEY_PAIR_FILE | The name of the file with the private key of the SSH key pair specified in CCC_AWS_KEY_PAIR. The file must be located in the ~/.ssh/ directory. | (empty) |
| CCC_AWS_INSTANCE_TYPE | The EC2 instance type to be used for the database nodes in the deployment. For more information about how to choose an instance type, see Choose EC2 Instance Type. Instance types can be changed after deployment. For more information, see Scale a Cluster. | c5d.2xlarge |
| CCC_AWS_NO_MFA | Boolean for disabling multi-factor authentication (MFA) in AWS. MFA is enabled by default. If your AWS account does not require MFA, this parameter must be set to true. If MFA is required, this parameter must be set to false or omitted from the configuration file. | false |
| CCC_AWS_PROFILE | The AWS profile name to be used for the deployment. When MFA is enabled, c4 will automatically append -mfa to the string value set in this parameter. This means that for the default profile, the actual profile name used in the deployment will be default-mfa. Do not add -mfa in this parameter, as that will cause the deployment to fail. | default |
| CCC_AWS_REGION | The AWS region where the deployments will be created. | eu-west-1 |

AWS CLI Configuration

If the AWS CLI is not yet configured on your machine, you must set it up with your AWS Access Key ID and Access Key. To configure the AWS CLI, use the command aws configure and proceed through the wizard.

For more information about configuring the AWS CLI, see AWS CLI Configuration Basics.

EC2 Key Pair

To be able to access your instances over SSH you must have an active EC2 key pair in your AWS account. The key pair that you specify will be associated with the EC2 instances and is used for authentication. For more information about authentication using EC2 keys, see Amazon EC2 key pairs.

You can create a new key pair or import an existing public key using either the AWS Console, the AWS CLI, or Windows PowerShell. The following examples use the AWS CLI method. For more details about how to create or import keys and about which key formats are supported, see Create key pairs.

Example 1: Create a new EC2 Key Pair using AWS CLI

In this example, the private key is saved in my-key-pair.pem.

    aws --profile default-mfa ec2 create-key-pair \
        --key-name my-key-pair \
        --query "KeyMaterial" \
        --output text > ~/.ssh/my-key-pair.pem

Example 2: Import an existing SSH public key using AWS CLI

In this example, the existing public key my-key.pub is imported to Amazon EC2.

    aws --profile default-mfa ec2 import-key-pair \
        --key-name my-imported-key \
        --public-key-material fileb://~/.ssh/my-key.pub

If you use multi-factor authentication (MFA) and the parameter CCC_AWS_NO_MFA is set to false or omitted from the configuration, the profile name must be appended with -mfa in this command. For example: aws --profile default-mfa ec2 create-key-pair .... The -mfa suffix is added internally to the profile name defined in the c4 configuration when MFA is enabled, which means that if CCC_AWS_PROFILE is set to default, the actual profile name will be default-mfa.

Do not add -mfa to the profile name in the c4 configuration parameter, as that will cause the deployment to fail.

Private Key Permissions

The SSH key allows you to access the host system and the COS container of the deployment with the highest privileges. To maintain data security, make sure that the private key is generated with a passphrase and that the key file has adequate access restrictions.

The following requirements apply for SSH private keys:

  • The file containing the private key must be located in the ~/.ssh/ folder.

  • The owner of the private key file must be the user that will run c4 commands.

  • The private key must be protected with owner read-only permissions (0400).

    chmod 400 ~/.ssh/MyKeyPair.pem
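
The requirements above can be checked in one pass before running c4. The script below is an added example, not part of c4 or the Exasol documentation; the function name check_ssh_key is hypothetical, and it takes the file name as it would be set in CCC_AWS_KEY_PAIR_FILE.

```shell
#!/bin/sh
# Added example, not part of c4: check a private key file against the
# requirements listed on this page. NAME is the value that would be set in
# CCC_AWS_KEY_PAIR_FILE, i.e. a file name relative to ~/.ssh/.

# check_ssh_key NAME -> prints one line per finding; exit status = finding count
check_ssh_key() (
    n=0
    flag() { echo "$1"; n=$((n + 1)); }

    # Requirement: the key must be located in ~/.ssh/, so NAME may not be a path.
    case $1 in
        ''|*/*) echo "NAME '$1' must be a file name inside ~/.ssh/"; exit 1 ;;
    esac
    key="$HOME/.ssh/$1"
    if [ ! -f "$key" ]; then
        echo "NOTFOUND $key"; exit 1
    fi

    # Requirement: owned by the user who runs c4 (assumed: the current user).
    [ -O "$key" ] || flag "OWNER $key is not owned by $(id -un)"

    # Requirement: owner read-only, mode 0400 (GNU stat first, then BSD stat).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$mode" = 400 ] || flag "MODE $key is $mode, expected 400"

    # Passphrase: deriving the public key with an empty passphrase succeeds
    # only when the private key is stored unencrypted. ssh-keygen refuses keys
    # with loose permissions, so this is only reliable once the mode is fixed.
    if command -v ssh-keygen >/dev/null 2>&1 &&
       ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1; then
        flag "NOPASS $key is not protected by a passphrase"
    fi
    exit "$n"
)

# Run against a key when a name is given, e.g.: sh check_key.sh my-key-pair.pem
[ "$#" -eq 0 ] || check_ssh_key "$1"
```

A key written by aws ec2 create-key-pair is stored unencrypted, so it is reported as NOPASS until a passphrase is set, for example with ssh-keygen -p -f on the key file.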

Validation

To verify that all required configuration parameters have been set, use c4 config. For example:

    $ c4 config
    CCC_USER_EMAIL=my.name@example.com
    CCC_PLAY_ACCESS_NODE=true
    CCC_PLAY_ADMIN_PASSWORD=sdf87934kh&8_yg7
    CCC_PLAY_DB_PASSWORD=R_&hkjgKjgnvP#9x
    CCC_USER_PASSWORD=98f*7jhgdf_Yfe
    CCC_AWS_PROFILE=default
    CCC_AWS_REGION=eu-west-1
    CCC_AWS_KEY_PAIR=ic-pair1
    CCC_AWS_KEY_PAIR_FILE=ic-pair1.pem
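
The rules this page states for ~/.ccc/config (mandatory parameters present, no default or documentation passwords, no -mfa suffix on the profile when MFA is enabled, a key pair name that is not the default) can also be checked with a small script. This is an added example, not part of c4 or the Exasol documentation; the function names cfg_get and lint_c4_config are hypothetical, and it assumes the file uses plain KEY=VALUE lines.

```shell
#!/bin/sh
# Added example, not part of c4: lint a c4 config file against this page's rules.
# Assumption: the file holds plain KEY=VALUE lines (shell-style, unquoted).
# The file is read as text and never sourced, so '&' or '#' in values is inert.

# cfg_get FILE KEY -> last value assigned to KEY (empty if absent)
cfg_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# lint_c4_config FILE -> prints one line per finding; exit status = finding count
lint_c4_config() (
    cfg=$1; n=0
    flag() { echo "$1"; n=$((n + 1)); }

    # Parameters the page lists as mandatory in the local configuration file.
    for key in CCC_USER_EMAIL CCC_PLAY_ACCESS_NODE CCC_PLAY_ADMIN_PASSWORD \
               CCC_PLAY_DB_PASSWORD CCC_USER_PASSWORD; do
        [ -n "$(cfg_get "$cfg" "$key")" ] || flag "MISSING $key"
    done

    # Reject the shipped default and the passwords printed in the documentation.
    for key in CCC_PLAY_ADMIN_PASSWORD CCC_PLAY_DB_PASSWORD CCC_USER_PASSWORD; do
        case $(cfg_get "$cfg" "$key") in
            exasol|'sdf87934kh&8_yg7'|'R_&hkjgKjgnvP#9x'|'98f*7jhgdf_Yfe')
                flag "WEAK $key uses a default or documentation password" ;;
        esac
    done

    # With MFA enabled c4 appends -mfa itself, so the configured name must not.
    if [ "$(cfg_get "$cfg" CCC_AWS_NO_MFA)" != true ]; then
        case $(cfg_get "$cfg" CCC_AWS_PROFILE) in
            *-mfa) flag "PROFILE CCC_AWS_PROFILE must not end in -mfa" ;;
        esac
    fi

    # key-pair-missing is the default value, i.e. no key pair was configured.
    case $(cfg_get "$cfg" CCC_AWS_KEY_PAIR) in
        ''|key-pair-missing) flag "KEYPAIR CCC_AWS_KEY_PAIR is not set" ;;
    esac
    exit "$n"
)

# Run against a file when one is given, e.g.: sh lint_c4.sh ~/.ccc/config
[ "$#" -eq 0 ] || lint_c4_config "$1"
```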

To verify that all dependencies for AWS are fulfilled and that the AWS account is accessible, use c4 aws diag. For example:

    $ c4 aws diag
    [OK] aws tools are installed
    [OK] jq is installed
    [OK] pip is installed
    [OK] aws version 1.16+
    [OK] aws tools credentials are set
    [OK] aws tools credentials are correct
    [OK] exasol aws account is accessible
    [OK] Private AWS SSH access key file found

Next Steps