# Deployment Guide

### Prerequisites

Before deploying the CloudFormation template, ensure you have:

* AWS account with permissions to create IAM roles and CloudFormation stacks
* AWS CLI installed and configured, or access to AWS Console
* List of S3 bucket names that e6data needs to access
* e6data AWS Account ID and External ID (both provided by e6data)

{% hint style="info" %}
**Note:** External ID, e6data AWS Account ID, and VPC Endpoint ID will be provided directly by e6data.
{% endhint %}

### Deployment Parameters

| Parameter           | Value                             | Description                                                       |
| ------------------- | --------------------------------- | ----------------------------------------------------------------- |
| **Stack name**      | `<your-chosen-stack-name>`        | e.g., `e6data-s3-access-prod`                                     |
| **BucketNames**     | `<comma-separated-bucket-names>`  | List your buckets, e.g., `bucket1,bucket2` or `*` for all buckets |
| **E6dataAccountId** | `<E6DATA_ACCOUNT_ID>`             | e6data AWS Account ID (pre-filled)                                |
| **ExternalId**      | `<EXTERNAL_ID>`                   | External ID required by the role's trust policy for cross-account access (pre-filled) |
| **VPCEndpointId**   | `<VPC_ENDPOINT_ID>`               | Your VPC Endpoint ID for S3 (pre-filled)                          |

### Deployment Options

#### Option 1: AWS Console (Recommended)

1. **Access CloudFormation Console**
   * Log in → CloudFormation → **Create stack → With new resources (standard)**
2. **Upload Template**
   * Select **Upload a template file** → Choose your CloudFormation YAML → Next
3. **Configure Parameters**
   * Stack name, BucketNames, E6dataAccountId, ExternalId, VPCEndpointId
   * Click **Next**
4. **Configure Options** (Optional)
   * Add tags if needed
   * Leave other settings default → Next
5. **Review & Create**
   * Acknowledge IAM resources creation
   * Click **Submit**
6. **Monitor Deployment**
   * Wait for **CREATE\_COMPLETE** status (2–5 minutes)

#### Option 2: AWS CLI

1. **Create Parameters File (`parameters.json`)**

```json
[
  { "ParameterKey": "BucketNames", "ParameterValue": "bucket1,bucket2,bucket3" },
  { "ParameterKey": "E6dataAccountId", "ParameterValue": "<E6DATA_ACCOUNT_ID>" },
  { "ParameterKey": "ExternalId", "ParameterValue": "<EXTERNAL_ID>" },
  { "ParameterKey": "VPCEndpointId", "ParameterValue": "<VPC_ENDPOINT_ID>" }
]
```

2. **Deploy Stack**

```bash
aws cloudformation create-stack \
  --stack-name <stack-name> \
  --template-body file://<template-file>.yaml \
  --parameters file://parameters.json \
  --capabilities CAPABILITY_NAMED_IAM \
  --region <your-region>
```

3. **Monitor Deployment**

```bash
aws cloudformation describe-stacks \
  --stack-name <stack-name> \
  --query 'Stacks[0].StackStatus'
```

Wait until `CREATE_COMPLETE`.

### Post-Deployment: Outputs

* **RoleArn**: IAM role ARN (e.g., `arn:aws:iam::<account-id>:role/...`)
* **FailedBuckets**: Buckets where policy application failed (should be empty)

#### Via CLI

```bash
aws cloudformation describe-stacks \
  --stack-name <stack-name> \
  --query 'Stacks[0].Outputs'
```

### Info to Send to e6data

* CloudFormation Stack Name
* IAM Role ARN
* AWS Region

**Email Template Example:**

```
Subject: e6data CloudFormation Stack Deployment Completed

Hi e6data Team,

We have successfully deployed the cross-account access CloudFormation stack.

Deployment Details:
- Stack Name: <your-stack-name>
- IAM Role ARN: <role-arn-from-outputs>
- AWS Region: <your-region>
- AWS Account ID: <your-account-id>

Please proceed with configuring access on your end.

Best regards,
[Your Name]
```

### Verification

1. **Verify IAM Role**

```bash
aws iam get-role --role-name e6data-cross-account-role-<stack-name>-<region>
```

2. **Verify Lambda Function**

```bash
aws lambda list-functions --query 'Functions[?contains(FunctionName, `ManageBucketPolicies`)]'
```

3. **Check CloudWatch Logs**

```bash
aws logs tail /aws/lambda/<lambda-function-name> --follow
```

4. **Verify S3 Bucket Policies**

```bash
aws s3api get-bucket-policy --bucket <bucket-name> | jq .Policy | jq fromjson
```
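As a follow-up to steps 1 and 4, here is an added Python check (not part of e6data's guide or template) that inspects the role's trust policy returned by `aws iam get-role` and a bucket policy returned by `get-bucket-policy`, flagging grants that are not limited to e6data's account, the agreed External ID and the expected VPC endpoint. The sample policies, account IDs and role name are constructed, and the `aws:SourceVpce` condition on the bucket policy is an assumption about how the template scopes access, not something taken from it.

```python
# Constructed samples (not from e6data's template): a trust policy and a bucket
# policy shaped as this setup is assumed to look; IDs and names are made up.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowE6dataRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:role/e6data-cross-account-role-prod-us-east-1"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", [])) if isinstance(p, dict) else []

def _string_equals(stmt, key):
    # IAM condition keys are case-insensitive, so match them lower-cased
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return {k.lower(): v for k, v in cond.items()}.get(key.lower())

def check_trust_policy(policy, e6data_account_id, external_id):
    """Only e6data's account may assume the role, and only with the agreed External ID."""
    findings = []
    for i, s in enumerate(_as_list(policy.get("Statement", []))):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        for p in _principals(s):
            if p == "*" or f":{e6data_account_id}:" not in p:
                findings.append(f"statement {i}: unexpected principal {p}")
        if _string_equals(s, "sts:ExternalId") != external_id:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings

def check_bucket_policy(policy, role_arn, vpce_id):
    """No public Allow, and the e6data role grant must be tied to the expected VPC endpoint."""
    findings = []
    for i, s in enumerate(_as_list(policy.get("Statement", []))):
        if s.get("Effect") != "Allow":
            continue
        principals = _principals(s)
        if "*" in principals:
            findings.append(f"statement {i}: Allow granted to Principal *")
        if role_arn in principals and _string_equals(s, "aws:SourceVpce") != vpce_id:
            findings.append(f"statement {i}: role grant lacks aws:SourceVpce == {vpce_id}")
    return findings
```

Feed the real documents from `get-role` (`Role.AssumeRolePolicyDocument`) and `get-bucket-policy` (the parsed `Policy` string) into the two functions; an empty findings list means the deployment matches the values you supplied.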

### Troubleshooting

* **Insufficient permissions** → Check IAM permissions for CloudFormation, Lambda, S3
* **FailedBuckets not empty** → Bucket policy conflicts, size limits, or cross-region issues
* **Lambda timeout** → Increase timeout or deploy in batches
* **VPC Endpoint issues** → Verify endpoint is active

### Updating the Stack

* Via Console: CloudFormation → Select stack → Update → Modify **BucketNames** → Submit
* Via CLI:

```bash
aws cloudformation update-stack \
  --stack-name <stack-name> \
  --use-previous-template \
  --parameters ParameterKey=BucketNames,ParameterValue="new-bucket1,new-bucket2" \
               ParameterKey=E6dataAccountId,UsePreviousValue=true \
               ParameterKey=ExternalId,UsePreviousValue=true \
               ParameterKey=VPCEndpointId,UsePreviousValue=true \
  --capabilities CAPABILITY_NAMED_IAM
```

### Deleting the Stack

* Removes IAM role, policies, Lambda, VPC endpoint policies
* Does **not** delete your S3 buckets or data

* Via Console: CloudFormation → Select stack → Delete
* Via CLI:

```bash
aws cloudformation delete-stack --stack-name <stack-name>
```

### Security Best Practices

1. Monitor Role usage (CloudTrail, CloudWatch alarms)
2. Regular audits of bucket access
3. Keep External ID secure; rotate periodically
4. Grant access only to necessary buckets

### Support

* Template deployment → Check CloudFormation events & CloudWatch logs
* e6data platform → Contact support with Stack Name and Role ARN
* AWS services → Refer to AWS docs or AWS Support
