Install Env from Marketplace
As described in Overview▸, using AutoMQ Cloud requires setting up an environment first. This article explains how to install the BYOC environment from the AWS Marketplace.
In this article, references to AutoMQ product services, AutoMQ services, and AutoMQ specifically refer to AutoMQ HK Limited and its affiliates.
Prerequisites
Condition 1: Cloud Account Operation Permissions
To create a BYOC environment, the operating cloud account must be the primary account or an IAM sub-account with the necessary operation permissions. If you are currently using an IAM sub-account on the AWS console, authorization must be granted before proceeding with service activation.
Use AWS Managed Policies for Authorization
Typically, you can grant the following AWS managed policies to an IAM sub-account to proceed with subsequent deployment and installation:
- AmazonVPCFullAccess: Permissions to manage Virtual Private Cloud (VPC).
- AmazonEC2FullAccess: Full access to manage EC2 products.
- AmazonS3FullAccess: Full access to manage object storage S3.
- AmazonRoute53FullAccess: Full access to manage the Route 53 service.
Use Custom Policies for Authorization
If you prefer not to use the AWS-managed policies and want more granular control over permissions, you can refer to the authorization policy content below to create custom policies and assign them to the appropriate user accounts or roles.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketTagging",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVpcEndpoints",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DeleteInternetGateway",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateRouteTable"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/automqVendor": "automq"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateTags",
        "ec2:CreateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:RunInstances",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:DescribeAddresses",
        "ec2:DescribeAddressesAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePrefixLists",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "sts:GetCallerIdentity",
        "ssm:GetParameter",
        "ec2:DescribeVpcAttribute",
        "ec2:ModifyVpcAttribute",
        "route53:AssociateVPCWithHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "route53:GetChange",
        "route53:DeleteHostedZone",
        "route53:GetHostedZone",
        "ec2:DisassociateAddress",
        "ec2:AssociateAddress",
        "ec2:DescribeInstanceAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:TerminateInstances",
        "ec2:AllocateAddress",
        "ec2:ReleaseAddress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "route53:ChangeTagsForResource",
        "ec2:CreateRoute",
        "route53:CreateHostedZone",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkAclEntry",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateVpcEndpoint",
        "s3:ListBucket",
        "ec2:DeleteVpc"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:TagRole",
        "iam:TagPolicy",
        "iam:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/automqVendor": "automq"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:AddRoleToInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:CreateInstanceProfile",
        "iam:TagInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/automqVendor": "automq"
        }
      }
    }
  ]
}
```
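A review check to run before attaching the custom policy, as an added example that is not AutoMQ's code: it lists the statements that allow non-read actions on `"Resource": "*"` with no `Condition`, that is, without the `automqVendor` tag scoping used elsewhere in the policy. The embedded policy is a shortened excerpt of the one above, and the read-only prefix rule and function names are assumptions of this example.

```python
import json

# Shortened excerpt of the custom policy above (constructed sample input).
POLICY_JSON = """
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:DeleteSubnet", "ec2:DeleteSecurityGroup"],
   "Condition": {"StringEquals": {"aws:ResourceTag/automqVendor": "automq"}}},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["iam:CreateRole", "iam:CreatePolicy"],
   "Condition": {"StringEquals": {"aws:RequestTag/automqVendor": "automq"}}},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["iam:AttachRolePolicy", "iam:GetRole", "iam:PassRole", "iam:ListRolePolicies"]}
]}
"""

READ_ONLY_PREFIXES = ("Describe", "Get", "List")  # naming heuristic, an assumption


def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def is_read_only(action):
    """True when the operation name after 'service:' looks read-only."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def unscoped_write_actions(policy):
    """Map statement index -> non-read actions allowed on Resource "*"
    with no Condition block (no tag scoping such as automqVendor)."""
    findings = {}
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        writes = sorted(a for a in as_list(stmt.get("Action")) if not is_read_only(a))
        if writes:
            findings[index] = writes
    return findings


if __name__ == "__main__":
    for index, actions in unscoped_write_actions(json.loads(POLICY_JSON)).items():
        print(f"Statement {index}: unconditioned on '*': {', '.join(actions)}")
```

Run against the full policy, the same function shows which statements a reviewer may want to narrow with resource ARNs or tag conditions before granting them to a sub-account.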
Condition 2: Prepare VPC
The AutoMQ BYOC environment is deployed within the user's VPC to ensure data privacy and security. When installing the AutoMQ environment from AWS Marketplace, the following two methods are supported:
- Automatically create a new VPC installation environment: Select this option to have Marketplace CloudFormation automatically create the VPC and other resources, eliminating the need for manual configuration. This is recommended for initial POCs and testing.
- VPC Environment Provided by User: Marketplace will not proactively create a VPC network; users must specify an existing VPC network.
If you choose to install the environment with a user-provided VPC, you must refer to Prepare VPC▸ to prepare the VPC network and ensure it meets AutoMQ's requirements. Failure to do so may result in installation failure.
Procedure
Step 1: Subscribe to AutoMQ from the Marketplace
The AutoMQ Cloud BYOC environment installation package is distributed on AWS via Marketplace CloudFormation products. Users can subscribe to AutoMQ from the Marketplace, and the product link is AutoMQ for Kafka (BYOC FreeTier).
1. Go to AWS Marketplace and visit the product page AutoMQ for Kafka (BYOC FreeTier).
2. Click Continue to Subscribe. If this is your first visit, please confirm the user agreement.
3. Select the CloudFormation Template configuration, and fill out the form as prompted.
Step 2: Install the Environment Using the CloudFormation Template
After you select the CloudFormation Template configuration in the previous step, you are redirected to the CloudFormation product page to create a new Stack.
Follow the prompts to fill in the parameters and continue configuring to start the creation process.
| Parameter Settings | Value Description |
|---|---|
| Stack Name | |
| ExistingVPCId | |
| ExistingPublicSubnetId | |
| ExistingPubliceSubnetAvailabilityZone | |
| MsgBucket | |
| OpsBucket | |
| WebConsoleInstanceType | |
| SecurityGroupCIDR | |
| KeyName | |
Step 3: Retrieve CloudFormation Outputs and Access the Environment
After completing the previous installation, check the current CloudFormation Outputs to retrieve initial information for accessing the environment.
| Output Returns | Output Description |
|---|---|
| AutoMQWebConsoleURL | |
| DefaultUserName | |
| DefaultPassword | |
Step 4: Complete BYOC Environment Ops Authorization
The BYOC environment is deployed within the user's VPC, providing data security and privacy isolation. However, system logs, metrics, and other non-business-related system data will be generated within the BYOC environment. After the environment installation is complete, users need to refer to Manage Environment Ops Authing▸ to provide the necessary operational authorization to the AutoMQ service provider, enabling them to perform system stability monitoring and self-healing maintenance operations.
Next Steps
After the environment installation is complete, you can access and use the environment. AutoMQ supports the following two methods:
- Using AutoMQ via WebUI: Access the console address returned in step 3 via a browser, enter the initial username and password, and you can enter the environment console to create instances and experience product features. Experience AutoMQ for Kafka▸
- Using AutoMQ with Terraform:
Appendix
- The list of installed cloud resources and descriptions can be found at Cloud Resource List▸