Prerequisites

Before you start, ensure you have an IAM role in your AWS account that permits you to create CloudFormation stacks. Latch uses a CloudFormation template to create an IAM role that provisions the AWS resources needed to set up a forch domain.

Instructions

Connecting an AWS Account

  1. Go to this link.
  2. Log into the AWS account.
  3. You will be directed to an AWS CloudFormation 'Quick create stack' template.

     When you open the CloudFormation template, you’ll see an acknowledgment stating “The following resource(s) require capabilities: [AWS::IAM::Role]. I acknowledge that AWS CloudFormation might create IAM resources with custom names.” This applies to you as the customer executing the CloudFormation stack: the stack creates a role that has permission to provision cloud resources, and AWS makes sure you are aware of this. The permissions of this role can be verified by inspecting the CloudFormation template in the AWS UI. Refer to [Advanced Notes](#Advanced Notes) for an overview of the permissions of this IAM role.
  4. Click on the checkbox to acknowledge that this stack will create an IAM role.
  5. Click 'Create Stack' and wait for it to be created.
  6. Notify someone at Latch with the following details:
       • AWS Account Id
       • Target AWS Region for this deployment (us-west-2, eu-central-1, etc.)

Architecture

Please refer to this blog post for an overview of Forch’s architecture.

IAM

Each forch domain requires a minimum of four IAM roles to operate:
  1. forch-agent for provisioning the cloud resources that set up the forch-domain
  2. forch-orchestrator for scheduling and managing tasks in the forch-domain
  3. forch-node for running tasks on the compute instances of the forch-domain
  4. forch-nat-* for running the NAT instance in the forch-domain (one per VPC)

forch-agent

forch-agent is created by the CloudFormation stack from the previous section. This role is used when provisioning the cloud resources that set up the forch domain. The cloud resources created are as follows:
  1. Network resources, including VPCs, subnets, internet gateways, security groups, network ACLs, route tables and Elastic IP addresses
  2. An S3 bucket for storing logs
  3. The forch-orchestrator, forch-node and forch-nat-* roles and their policies
  4. A KMS key for encrypting and decrypting volumes created by forch
  5. An EC2 instance running the NAT server in the VPC
  6. Forch-specific secrets
This role can be safely deleted once the setup of the forch-domain is complete.
| Rules | Purpose |
| --- | --- |
| s3:CreateBucket, s3:ListBucket*, s3:GetBucket*, s3:GetAccelerateConfiguration, s3:GetLifecycleConfiguration, s3:GetReplicationConfiguration, s3:GetEncryptionConfiguration, s3:PutBucketCORS, s3:PutBucketVersioning, s3:PutEncryptionConfiguration, s3:PutBucketRequestPayment | Retrieve the bucket metadata and configuration, compare it against the desired state, and apply any necessary updates to the S3 bucket arn:aws:s3:::forch-${AWS::AccountId} |
| iam:CreateRole, iam:GetRole, iam:DeleteRole, iam:PutRolePolicy, iam:AttachRolePolicy | Retrieve configurations, compare them against the desired state, and apply any necessary updates to the IAM roles: arn:aws:iam::*:role/forch-orchestrator, arn:aws:iam::*:role/forch-node, arn:aws:iam::*:role/forch-nat-*, arn:aws:iam::*:role/forch-agent |
| iam:CreateServiceLinkedRole | Create the service-linked role that forch-agent needs for AWS KMS |
| iam:PassRole | Allows forch-agent to pass the forch-nat or forch-node role when launching NAT, SSH Forwarder and Pod Router instances |
| iam:CreatePolicy, iam:GetPolicy, iam:DeletePolicy, iam:CreatePolicyVersion | Retrieve configurations, compare them against the desired state, and apply any necessary updates to the IAM policies: arn:aws:iam::*:policy/forch-orchestrator-base, arn:aws:iam::*:policy/forch-node-base, arn:aws:iam::*:policy/forch-agent-delete-permissions |
| iam:CreateInstanceProfile, iam:DeleteInstanceProfile, iam:AddRoleToInstanceProfile | Create and manage instance profiles: arn:aws:iam::*:instance-profile/forch-nat-*, arn:aws:iam::*:instance-profile/forch-node |
| ec2:CreateTags | Tag EC2 resources created by forch-agent |
| ec2:CreateKeyPair, ec2:DeleteKeyPair, ec2:ImportKeyPair, ec2:DescribeKeyPairs | Create, import and manage a specific SSH key pair for access to forch-created instances |
| ec2:CreateVpc, ec2:DescribeVpcs, ec2:DescribeVpcAttribute, ec2:CreateInternetGateway, ec2:AttachInternetGateway, ec2:DescribeInternetGateways, ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress/Egress, ec2:RevokeSecurityGroupIngress/Egress, ec2:DescribeSecurityGroups, ec2:DescribeSecurityGroupRules, ec2:CreateSubnet, ec2:DescribeSubnets, ec2:ModifySubnetAttribute, ec2:CreateRouteTable, ec2:CreateRoute, ec2:DescribeRouteTables, ec2:CreateNetworkAcl, ec2:DeleteNetworkAclEntry, ec2:CreateNetworkAclEntry, ec2:ReplaceNetworkAclAssociation | Retrieve the configuration of the Forch VPC and its associated network resources, compare it to the desired state, and apply any necessary updates |
| ec2:AllocateAddress, ec2:AssociateAddress, ec2:DescribeAddresses, ec2:DescribeAddressesAttribute | Provision Elastic IP addresses for the NAT, SSH Forwarder and Pod Router instances and associate them with the appropriate instances |
| ec2:DescribeImages | Retrieve information about the Latch-owned Forch AMI |
| ec2:RunInstances, ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeAvailabilityZones | Retrieve information about the NAT, SSH Forwarder and Pod Router instances and launch them if not present. Instances must be launched with the forch-node instance profile, use the Latch-owned Forch AMI and use only forch-created EBS volumes |
| ssm:GetParameters | Allows retrieving parameters (configuration data, environment variables, etc.) from AWS Systems Manager Parameter Store. Note: required by AWS for ec2:RunInstances |
| secretsmanager:CreateSecret, secretsmanager:PutSecretValue, secretsmanager:DeleteSecret | Create and manage the forch-nat JWT token and the SSH forwarder private keys |
| kms:CreateKey, kms:PutKeyPolicy, kms:EnableKeyRotation, kms:CreateAlias | Create and manage the forch-volume key used to encrypt / decrypt forch-created EBS volumes |
| kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, kms:CreateGrant | Allows usage of KMS keys to decrypt EBS volumes and AMIs when launching instances |

forch-orchestrator

forch-orchestrator is assumed at runtime to schedule and manage tasks. It has permissions to:
  1. Run and terminate EC2 instances in the forch-created VPC
  2. Assign private IP addresses to EC2 instances
  3. Create, modify, detach, attach and delete volumes
  4. Describe, associate and disassociate forch-created Elastic IP addresses
  5. Use KMS keys to decrypt volumes
  6. Get and list objects in the S3 bucket storing logs
| Rules | Purpose |
| --- | --- |
| ec2:RunInstances | Allows launching EC2 instances in the Forch VPC. Instances must be launched with the forch-node instance profile, use the Latch-owned Forch AMI and use only forch-created EBS volumes |
| iam:PassRole | Allows the orchestrator to pass the forch-node IAM role to an EC2 instance upon creation, granting the instance its required permissions |
| ssm:GetParameters | Allows retrieving parameters (configuration data, environment variables, etc.) from AWS Systems Manager Parameter Store. Note: required by AWS for ec2:RunInstances |
| ec2:TerminateInstances | Allows terminating EC2 instances that are tagged Created By: Forch |
| ec2:AssignPrivateIpAddresses, ec2:AssignIpv6Addresses | Assign private IPv4 and public IPv6 addresses to instances within the Forch VPC |
| ec2:DescribeNetworkInterfaces | Retrieve details of network interfaces attached to forch-created instances in order to manage IP addresses |
| ec2:DescribeInstances, ec2:DescribeInstanceStatus | Retrieve details of instances and poll their status |
| ec2:ModifyVolume, ec2:DetachVolume, ec2:CreateVolume, ec2:DeleteVolume, ec2:AttachVolume | Manage EBS volumes created by forch-orchestrator |
| ec2:DetachVolume, ec2:AttachVolume | Allows attaching/detaching volumes to/from instances that use the forch-node instance profile AND are tagged Created By: Forch |
| ec2:DescribeVolumesModifications, ec2:DescribeVolumes | Retrieve details of EBS volumes and storage device resize operations |
| ec2:DisassociateAddress, ec2:AssociateAddress | Attach / detach Elastic IPs to instances in the Forch VPC |
| ec2:DescribeAddresses | Allows retrieving details of all Elastic IP addresses in the account |
| ec2:CreateTags | Tag EC2 instances created by forch-orchestrator |
| s3:GetObject | Retrieve logs from the log storage S3 bucket |
| s3:ListBucket | List the contents of the log storage S3 bucket |
| sts:AssumeRole | Allows forch-orchestrator to assume another IAM role in the AWS account |
| secretsmanager:UpdateSecret, secretsmanager:CreateSecret | Create and update secrets tagged with forch/allow: true |
| kms:ReEncrypt*, kms:GenerateDataKey*, kms:Encrypt, kms:DescribeKey, kms:Decrypt, kms:CreateGrant | Allows usage of KMS keys to decrypt EBS volumes and AMIs when launching instances |
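The rules documented above can be checked mechanically against the policy that is actually attached to the role. The following is an added example, not Latch's code: it takes a policy document (as exported from the CloudFormation template or from IAM), reports any allowed action that the forch-orchestrator table does not cover, and reports the tag-scoped actions (Created By: Forch, forch/allow: true) that are granted without a tag condition. The `audit` helper, the condition keys and the sample policy are assumptions made for illustration; the page only names the tags, not how the scoping is expressed.

```python
from fnmatch import fnmatch
# Actions the page documents for forch-orchestrator, wildcards as written there.
DOCUMENTED = {
    "ec2:RunInstances", "iam:PassRole", "ssm:GetParameters", "ec2:TerminateInstances",
    "ec2:AssignPrivateIpAddresses", "ec2:AssignIpv6Addresses", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:ModifyVolume", "ec2:DetachVolume",
    "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:AttachVolume", "ec2:DescribeVolumesModifications",
    "ec2:DescribeVolumes", "ec2:DisassociateAddress", "ec2:AssociateAddress", "ec2:DescribeAddresses",
    "ec2:CreateTags", "s3:GetObject", "s3:ListBucket", "sts:AssumeRole", "secretsmanager:UpdateSecret",
    "secretsmanager:CreateSecret", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt",
    "kms:DescribeKey", "kms:Decrypt", "kms:CreateGrant",
}
# Actions the page says are tag-scoped. The condition keys are an assumption about how that
# scoping is expressed in the policy; the page itself only names the tags.
TAG_SCOPED = {
    "ec2:TerminateInstances": ("aws:ResourceTag/Created By", "Forch"),
    "secretsmanager:UpdateSecret": ("aws:ResourceTag/forch/allow", "true"),
}

def _as_list(v):  # IAM accepts a bare string wherever a list of strings is valid
    return v if isinstance(v, list) else [v]

def _has_tag_condition(statement, key, value):
    # Condition shape is {"Operator": {"key": "value" | ["values"]}}; the operator is not checked.
    return any(value in _as_list(operands.get(key, []))
               for operands in statement.get("Condition", {}).values())

def audit(policy):
    """Return (undocumented actions, tag-scoped actions granted without their tag condition).
    A bare "*" action matches no documented rule and is therefore reported as undocumented."""
    undocumented, unscoped = set(), set()
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if not any(fnmatch(action, doc) for doc in DOCUMENTED):
                undocumented.add(action)
            if action in TAG_SCOPED and not _has_tag_condition(st, *TAG_SCOPED[action]):
                unscoped.add(action)
    return sorted(undocumented), sorted(unscoped)

# Constructed sample: one correctly scoped statement and one that drifted from the documented rules.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:CreateTags"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Created By": "Forch"}}},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["kms:GenerateDataKeyWithoutPlaintext", "ec2:DescribeImages", "secretsmanager:UpdateSecret"]},
]}
if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))  # (['ec2:DescribeImages'], ['secretsmanager:UpdateSecret'])
```

The same `DOCUMENTED` set can be swapped for the forch-agent or forch-node rules to audit those roles in turn.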

forch-node

The forch-node role has permission to get task secrets from Secrets Manager, read and write logs in the S3 bucket, and assume the forch-node-shared role to get access to ECR images and secrets in Latch’s AWS account. This role can only be assumed by principals within the forch domain’s cloud account.

| Rules | Purpose |
| --- | --- |
| s3:PutObject, s3:GetObject | Store log files in the S3 bucket. Retrieve files for log verification or log rotation |
| s3:ListBucket | List the bucket contents to check for the existence of the logs folder, manage file rotation, or check the state of previously uploaded batches of logs |
| ec2:DescribeAddresses | Retrieve information about the Elastic IP addresses attached to the instance in order to configure networking |
| sts:AssumeRole | Used to assume the IAM role forch-node-shared to get access to resources in Latch’s AWS account (ECR images, secrets) |
| secretsmanager:GetSecretValue | Retrieve secrets tagged with forch/allow: true |
| secretsmanager:BatchGetSecretValue | Allows retrieving multiple secrets at once |

forch-nat-*

The forch-nat-* role is a superset of forch-node. It has the additional permission to read the nat-jwt-* JWT token from Secrets Manager in order to authenticate with the database.

| Rules | Purpose |
| --- | --- |
| secretsmanager:GetSecretValue | Retrieve the JWT token used to authenticate with Latch’s database |