Install Env from Marketplace
Refer to Overview▸, using AutoMQ Cloud requires an environment setup first. This article explains how to install the BYOC environment from the AWS Marketplace.
In this article, references to AutoMQ product services, AutoMQ services, and AutoMQ specifically refer to AutoMQ HK Limited and its affiliates.
Prerequisites
Condition 1: Cloud Account Operation Permissions
To create a BYOC environment, the operating cloud account must be the primary account or an IAM sub-account with the necessary operation permissions. If you are currently using an IAM sub-account on the AWS console, authorization must be granted before proceeding with service activation.
- Use AWS Managed Policies for Authorization
- Using Custom Policies for Authorization
Typically, you can grant the following AWS managed policies to an IAM sub-account to proceed with subsequent deployment and installation:
AmazonVPCFullAccess: Permissions to manage Virtual Private Cloud (VPC).
AmazonEC2FullAccess: Full access to manage EC2 products.
AmazonS3FullAccess: Full access to manage object storage S3.
AmazonRoute53FullAccess: Full access to manage the Route 53 service.
If you prefer not to use the AWS-managed policies and want more granular control over permissions, you can refer to the authorization policy content below to create custom policies and assign them to the appropriate user accounts or roles.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutBucketTagging",
"s3:DeleteBucket"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVpcEndpoints",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSubnet",
"ec2:DeleteInternetGateway",
"ec2:DetachInternetGateway",
"ec2:DisassociateRouteTable"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/automqVendor": "automq"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVpc",
"ec2:CreateTags",
"ec2:CreateRouteTable",
"ec2:CreateSubnet",
"ec2:CreateInternetGateway",
"ec2:RunInstances",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:DescribeAddresses",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePrefixLists",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcs",
"sts:GetCallerIdentity",
"ssm:GetParameter",
"ec2:DescribeVpcAttribute",
"ec2:ModifyVpcAttribute",
"route53:AssociateVPCWithHostedZone",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"route53:GetChange",
"route53:DeleteHostedZone",
"route53:GetHostedZone",
"ec2:DisassociateAddress",
"ec2:AssociateAddress",
"ec2:DescribeInstanceAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:TerminateInstances",
"ec2:AllocateAddress",
"ec2:ReleaseAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"route53:ChangeTagsForResource",
"ec2:CreateRoute",
"route53:CreateHostedZone",
"ec2:CreateSecurityGroup",
"ec2:DeleteNetworkAclEntry",
"ec2:CreateNetworkAclEntry",
"ec2:CreateVpcEndpoint",
"s3:ListBucket",
"ec2:DeleteVpc"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:TagRole",
"iam:TagPolicy",
"iam:CreatePolicy"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/automqVendor": "automq"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:AddRoleToInstanceProfile",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:CreateInstanceProfile",
"iam:TagInstanceProfile"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DetachRolePolicy"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/automqVendor": "automq"
}
}
}
]
}
Condition Two: Prepare VPC
The AutoMQ BYOC environment is deployed within the user's VPC to ensure data privacy and security. When installing the AutoMQ environment from AWS Marketplace, the following two methods are supported:
Automatically create a new VPC installation environment: Select this option to have Marketplace CloudFormation automatically create the VPC and other resources, eliminating the need for manual configuration. This is recommended for initial POCs and testing.
VPC Environment Provided by User: Marketplace will not proactively create a VPC network; users must specify an existing VPC network.
If you choose User-provided VPC for installation, you must refer to Prepare VPC▸ to prepare the VPC network and ensure it meets AutoMQ's requirements. Otherwise, the installation will fail.
Procedure
Step 1: Subscribe to AutoMQ from the Marketplace
The AutoMQ Cloud BYOC environment installation package is distributed on AWS via Marketplace CloudFormation products. Users can subscribe to AutoMQ from the Marketplace, and the product link is AutoMQ for Kafka (BYOC FreeTier).
Go to AWS Marketplace and visit the product page AutoMQ for Kafka (BYOC FreeTier).
Click Continue to Subscribe. If this is your first visit, please confirm the user agreement.
Select the CloudFormation Template configuration, and fill out the form as prompted.
Step 2: Install the Environment Using the CloudFormation Template
In the previous step, after selecting the CloudFormation Template configuration, you will be redirected to the CloudFormation product page to create a new Stack.
Follow the prompts to fill in the parameters and continue configuring to start the creation process.
Parameter Settings | Value Description |
---|---|
Stack Name |
|
ExistingVPCId |
|
ExistingPublicSubnetId |
|
ExistingPubliceSubnetAvailabilityZone |
|
MsgBucket |
|
OpsBucket |
|
WebConsoleInstanceType |
|
SecurityGroupCIDR |
|
KeyName |
|
Step 3: Retrieve CloudFormation Outputs and Access the Environment
After completing the previous installation, check the current CloudFormation Outputs to retrieve initial information for accessing the environment.
Output Returns | Output Description |
---|---|
AutoMQWebConsoleURL |
|
DefaultUserName |
|
DefaultPassword |
|
Step 4: Complete BYOC Environment Ops Authorization
BYOC environments are deployed in the user's VPC, providing data security and privacy isolation. However, system logs, metrics, and other non-business-related system data will be generated within the BYOC environment. After the environment is installed, users need to refer to Manage Environment Ops Authing▸ to provide the necessary operational authorization for AutoMQ services, enabling system stability monitoring and self-healing operations.
Next Steps
After the environment installation is complete, you can access and use the environment. AutoMQ supports the following two methods:
Using AutoMQ via WebUI: Access the console address returned in step 3 through your browser, enter the initial username and password to access the environment console, create instances, and experience the product features. Experience AutoMQ for Kafka▸
Using AutoMQ with Terraform:
Appendix
- For the list and description of installed cloud resources, see Cloud Resource List▸