Manual Install (No IAM Users)

Install Saturn Cloud Enterprise without IAM users (only IAM roles) by using a Docker container to install.

Below are the steps to automatically install Saturn Cloud Enterprise via a Docker image. Note that if possible we recommend installing it automatically via the AWS Marketplace instead.

This installer has steps for customizing the IAM roles that the backend and users run on Saturn Cloud, and does not require any IAM users. This is different than our other installation methods, which use a IAM user for permissions. If you do not want to customize the IAM roles and resources being used by Saturn Cloud, see our simpler manual installation instructions which skip those steps.

In order to follow these instructions, you will need a computing environment to run the commands.The computing environment must have: 1. Console access to your AWS account. 2. A bash-compatible shell to run the AWS commands. 3. Permission in your AWS account to create IAM roles and/or permission to create CloudFormation stacks.

1. Sign up for Saturn Cloud

Visit the Saturn Cloud Installation Manager to register your company with Saturn Cloud. This lets us know on our side that you are setting up our product. After giving us your information, the Installation Manager will direct you to the AWS Marketplace where you can a Saturn Cloud Enterprise subscription your existing AWS account.

Screenshot of signup in AWS Marketplace for Saturn Cloud

2. Create the installation IAM role

Our installer needs an IAM role in order to provision resources into your AWS account, and provide customer support and product updates.

The role created by our cloud formation stack will create a trust relationship to our account. If you are running the installer yourself or if you have security concerns then you can modify the trust relationship to point to your account.

In AWS Console, navigate to the CloudFormation section. Click the "Create Stack" button. From the dropdown, choose the standard option ("With new resources").

Screenshot of AWS Console showing CloudFormation panel, with Create Stack button centered

On the next screen, choose "Template is ready" option in the "Prepare template" section. For the template, use the URL: `https://s3.us-east-2.amazonaws.com/saturn-cf-templates/iam-role.cft`

Click Next.

Screenshot of AWS Console showing Create Stack form

On the next screen, give the stack a name of your choice (for example, "Saturn Cloud Access"). The external ID can be found on the installer page. Click "Next"

Screenshot of AWS Console showing Create Stack form, with Stack Name and Parameters shown

On the next screen, all fields are optional. Proceed to the next page when you have configured these items as desired.

Screenshot of AWS Console showing Configure Stack Options

Review all values on the next page - step back and making corrections if needed. When you're ready to create the stack, check the checkbox next to "I acknowledge that AWS CloudFormation might create IAM resources with custom names." Then, click on the "Create stack" button.

Screenshot of AWS Console showing warning displayed before Create Stack can be selected

Once stack creation is complete, you need to provide the ARN for the created role to the installer in order to continue with the deployment. You may find this info on the "Outputs" tab in the AWS console. The ARN is the string that starts with "arn:aws:iam" in the "Value" column, as shown below.

3. Create IAM roles for users of Saturn Cloud

Our standard installation process creates a single IAM user which the Saturn UI uses to interact with AWS. Instead of using this, you can create an OIDC provider which can associate IAM roles with EKS pods and replaces all IAM users with IAM roles. This allows different users within Saturn Cloud to have different IAM roles for accessing resources. This step is not required, however if you choose not to do it

Saturn Cloud requires specific IAM resources to operate that need to be set up. This includes:

  • An IAM role and IAM policies for the EKS cluster.
  • An IAM role, an instance profile and IAM policies for the EKS worker nodes.
  • An IAM role for the saturn application.
Most customers who are interested in using specific IAM roles have precise requirements for provisioning IAM resource. We've provided a sample terraform to use as a starting point to customize. You can also create equivalent IAM resources in the console, or however else you manage your AWS resources.

The sample terraform creates an IAM role for the Saturn Cloud application. The assume-role policy for that role has some placeholder values, which we will alter once the OIDC provider has been created. If you do use this terraform, you must replace {orgname} in the following with your orgname.

Note that there is no requirement for where to run the Terraform script from. If you need a machine to use, you can wait to create the IAM roles to run Saturn Cloud until after you've completed step 3 and made an EC2 instance to use.

Once the roles are created, they will be used in a later step.

4. Create your installation configuration

The Saturn Cloud installation need a configuration specific to your organization. The easiest way to create it is to contact [support@saturncloud.io](mailto:support@saturncloud.io). We will help you generate your installation configuration. It will look something like this:

org_name: ...
region: ...
aws_account_id: ...
private_subnets:
- ...
public_subnets:
- ...
worker_subnets:
- ...
enable_irsa: true
Save this file as config.yaml--we'll use it in the next step.

5. Run the installer to setup AWS resources

Execute the following to retrieve credentials for the role.

aws sts assume-role --role-arn ${your-role-arn} --role-session-name debug --external-id ${your-external-id} --duration-seconds 3600 --query Credentials

This command will return something like this:

{
    "AccessKeyId": "your-access-key",
    "SecretAccessKey": "your-secret",
    "SessionToken": "your-token",
    "Expiration": "2022-06-23T15:17:55Z"
}

Create a file in the same directory as config.yaml named installer-vars where we will store these temporary AWS credentials.

AWS_DEFAULT_REGION=${your-region}
AWS_ACCESS_KEY_ID=${your-access-key}
AWS_SECRET_ACCESS_KEY=${your-secret}
AWS_SESSION_TOKEN=${your-token}

Set the following environment variables. You will need use the values from the previous step.

export INSTALLER_IMAGE=saturncloud/saturn-aws:2022.05.01-40
export DATA_DIR=`pwd`

Now we will start a bash shell inside the installer container.

docker run --rm -it -v ${DATA_DIR}:/sdata --env-file installer-vars ${INSTALLER_IMAGE} bash

The rest of the install commands must take place inside this shell.

You can now provision the EKS cluster and the ACM certificate using the following command:

saturn-aws install --skip-k8s

This will take some time - typically 15-45 minutes. If you encounter errors, contact us and we will help debug. The last step - associating the OIDC provider can take up to 30 minutes.

6. Modify the assume-role policy for the saturn UI IAM role

The sample terraform script created an IAM role with placeholder values following an assume role policy:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/OIDC_PROVIDER"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "OIDC_PROVIDER:sub": "system:serviceaccount:saturn:saturnadmin"
          }
        }
      }
    ]
  }
  

You should update the role so to replace ACCOUNT_ID with your AWS ACCOUNT ID, and replace OIDC_PROVIDER with the output of:

aws eks describe-cluster --name saturn-cluster-{orgname} --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///"

7. Run the installer to setup k8s resources

Finally, we need to set up the Kubernetes cluster for Saturn Cloud. Run the following command from the installation EC2 instance

saturn-aws install-k8s

You may stop your installation EC2 instance, but do not terminate it. You can use this instance in the future for updates. Please backup a copy of the config.yaml file

At this point the installation of Saturn Cloud Enterprise should be complete. Please backup a copy of the config.yaml file. You will recieve an email with details of your Saturn Cloud Enterprise installation. You will be able to access your saturn cloud account at https://app.{orgname}.saturnenterprise.io, where {orgname} depends on the organization name used when signing up for Saturn Cloud. After installing we recommend you have data scientists try it out, and reach out to us to schedule a demo.