When installing Confluence Data Center on AWS, what permissions does the IAM role require?

We need more information on what Confluence expects for these form fields. There is no reference to this web form in the Atlassian docs. 

• What permissions does the IAM role require?
• What gets populated into the Host Header field?
• What values are required for the Tag key and Tag value?
• What needs to be in the security group that is named?

[screenshot attached: Screenshot 2017-04-05 10.58.07.png]

3 answers

Answer accepted (2 votes)

Hi, Sky from Isostech here :) ...

In general the Confluence AWS Quick Start Template is a good place to start.  The IAM role is on line 1079, and the security group is on line 1823.

  • What permissions does the IAM role require?
    • In addition to the following permissions, some may be required to copy the confluence.cfg.xml from other nodes by whatever method you choose.  I usually use an S3 bucket since it does not depend on other nodes being alive or having any special keys.  The route53 permissions are typically not required either, but they are in the quick start so I've included them here.
      • autoscaling:DescribeTags
      • autoscaling:CreateOrUpdateTags
      • ec2:CreateTags
      • ec2:DescribeInstances
      • ec2:DescribeTags
      • route53:ListHostedZones
      • route53:ListResourceRecordSet
  • What gets populated into the Host Header field?
    • I have never needed to use this field for a working data center deployment.  If anyone has any information about when and how this is useful please let us know.
  • What values are required for the Tag key and Tag value?
    • This is only used to narrow down the instances that could be Confluence nodes when searching EC2 for other nodes.
  • What needs to be in the security group that is named?
    • Ingress from the load balancer security group to the non-proxied port that is configured in $PROGRAM_DIR/conf/server.xml; this is the same port that you will want to configure as the health check port with a path of '/status'.
    • Ingress from the load balancer security group to 443 and likely port 80 as well, depending on how you've configured your https redirect.
    • The following ports will need to be allowed only between the nodes.
      • 5801 - the Confluence Hazelcast port
      • 5701 - the Synchrony Hazelcast port, if not running a standalone synchrony cluster
      • 25500 - the Synchrony Cluster base port, if not running a standalone synchrony cluster
    • Egress to everywhere will be required in every case I can imagine

The only three fields that I typically fill on initial setup are the following:

  • IAM Role
  • Region
  • Security Group Name

When confluence starts it will make a call to AWS metadata for the access credentials of the IAM role.  It will use these credentials to discover the other nodes in EC2.  If your configuration fails for whatever reason and the cluster is not successfully created, you will need to wipe the database and start over.  Editing these values in confluence.cfg.xml and restarting confluence will not work on initial setup.

0 votes

Hey Trevan,

This is not mandatory, since it is very specific to the Amazon environment. Pretty much, an IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account.

You can find more information about it in the IAM Roles guide on Amazon's web pages. I recommend you only use IAM Roles if you have them; otherwise, set a secret key to access the Amazon resources and you should be good.

Hope it helps, have a great week ahead!

This is not a good answer as it does not address any of the bullet points. I am finding the Confluence Data Center AWS installation resources extremely lacking. Whereas Jira was a breeze.


The question is not what IAM roles are, but what permissions/trust relationships we need to grant to the role to allow Confluence node discovery. There aren't any robust AWS-Atlassian docs to help fill in the gap. I am guessing it needs EC2 services, but is there anything else?


Working on the IAM role now.
according to hazelcast which they use...
https://github.com/hazelcast/hazelcast-aws

Hostheader for me was ec2.amazonaws.com

I believe it searches the instances for all the instances that share the same key/value.

So if you make the key ClusteringID and the value like Confluence1234 it should cluster those together. I'm not sure security group is required... but... I'm still working on mine.

Update:

The security group needs to be shared by all the instances and is required.

gangadhar (Mar 30, 2021)

@Trevan Householder @Robert Valentine  @Marcelo Horlle 

I am also trying to use the AWS strategy to auto-discover the peer nodes. However, I am unable to create the cluster. I have ensured the Hazelcast jar file exists under the plugin directory and the IAM role has the required permissions (ec2:DescribeInstances).

The error which showed up in the UI doesn't make sense, as I am using only the IAM role, not both.

The network interface which Confluence grabbed is not associated with any of the hosts in AWS. The Confluence log has the following error:

[atlassian.confluence.cluster.DefaultClusterConfigurationHelper] getJoinConfig Could not get cluster config from configuration file: The address 'null' is not a valid network address

[three screenshots attached: Screen Shot 2021-03-30 at 2.39.09 PM.png, Screen Shot 2021-03-30 at 2.40.33 PM.png, Screen Shot 2021-03-30 at 2.41.37 PM.png]

gangadhar (Mar 30, 2021)

The network interface which Confluence grabbed is not associated with any of the hosts in AWS. The Confluence log has the error above. We are running Confluence in a container; the IP the cluster grabbed is the Docker container IP address.
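As an added example (not part of the thread, and not Atlassian's or Hazelcast's own code), the behaviour the accepted answer describes for the Tag key/value and Security Group Name fields, the node-only ports it lists, and the container-address pitfall in the last comment can be exercised offline in Python. The instance records, the security-group names, the ClusteringID tag from Robert's comment and the 8090 Tomcat port are constructed assumptions, and discovery is assumed to work from nothing more than an ec2:DescribeInstances result, which is what the hazelcast-aws plugin linked above filters on.

```python
"""Simulate tag/security-group peer discovery for a Confluence Data Center
cluster on EC2 and audit the node security group against the ports the
accepted answer lists. Added example; all data below is constructed."""

from ipaddress import ip_address

# Constructed sample shaped like a trimmed ec2:DescribeInstances result.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a", "State": "running", "PrivateIpAddress": "10.0.1.10",
     "Tags": {"ClusteringID": "Confluence1234"}, "SecurityGroups": ["confluence-nodes"]},
    {"InstanceId": "i-0b", "State": "running", "PrivateIpAddress": "10.0.2.11",
     "Tags": {"ClusteringID": "Confluence1234"}, "SecurityGroups": ["confluence-nodes"]},
    # Same tag but a different security group: not a cluster node.
    {"InstanceId": "i-0c", "State": "running", "PrivateIpAddress": "10.0.0.5",
     "Tags": {"ClusteringID": "Confluence1234"}, "SecurityGroups": ["bastion"]},
    # Right tag and group but stopped: skipped, it cannot join anyway.
    {"InstanceId": "i-0d", "State": "stopped", "PrivateIpAddress": "10.0.1.12",
     "Tags": {"ClusteringID": "Confluence1234"}, "SecurityGroups": ["confluence-nodes"]},
    # Another product's cluster sharing the VPC and the security group.
    {"InstanceId": "i-0e", "State": "running", "PrivateIpAddress": "10.0.3.7",
     "Tags": {"ClusteringID": "Jira9999"}, "SecurityGroups": ["confluence-nodes"]},
]


def discover_peers(instances, tag_key, tag_value, security_group):
    """Return private IPs of running instances that carry tag_key=tag_value
    AND belong to security_group. The tag narrows candidates, as the answer
    says; the shared security group is what keeps the bastion out."""
    peers = []
    for inst in instances:
        if inst["State"] != "running":
            continue
        if inst["Tags"].get(tag_key) != tag_value:
            continue
        if security_group not in inst["SecurityGroups"]:
            continue
        peers.append(inst["PrivateIpAddress"])
    return sorted(peers, key=ip_address)


def bind_address_problem(local_ip, instances):
    """Return a message when local_ip is not an EC2 private address of any
    instance (e.g. a Docker bridge address peers cannot reach), else None."""
    known = {inst["PrivateIpAddress"] for inst in instances}
    if local_ip in known:
        return None
    return f"{local_ip} is not an EC2 private IP; set the Hazelcast bind/public address to the ENI IP"


# Ports that must be reachable only between nodes (from the accepted answer).
NODE_ONLY_PORTS = {5801: "Confluence Hazelcast",
                   5701: "Synchrony Hazelcast",
                   25500: "Synchrony cluster base port"}


def audit_node_security_group(rules, lb_sg, node_sg, tomcat_port=8090):
    """Audit ingress rules of the node security group.
    rules: list of {"port": int, "source": security-group name or CIDR}.
    Returns (missing, overexposed): required (port, source) pairs that are
    absent, and node-only ports open to anything other than node_sg itself.
    tomcat_port defaults to the assumed non-proxied Confluence port 8090."""
    required = {(tomcat_port, lb_sg), (443, lb_sg), (80, lb_sg)}
    required |= {(port, node_sg) for port in NODE_ONLY_PORTS}
    present = {(r["port"], r["source"]) for r in rules}
    missing = sorted(required - present)
    overexposed = sorted((r["port"], r["source"]) for r in rules
                         if r["port"] in NODE_ONLY_PORTS and r["source"] != node_sg)
    return missing, overexposed


if __name__ == "__main__":
    print(discover_peers(SAMPLE_INSTANCES, "ClusteringID", "Confluence1234", "confluence-nodes"))
    print(bind_address_problem("172.17.0.2", SAMPLE_INSTANCES))
    sample_rules = [{"port": 8090, "source": "confluence-lb"},
                    {"port": 443, "source": "confluence-lb"},
                    {"port": 5801, "source": "0.0.0.0/0"},
                    {"port": 5701, "source": "confluence-nodes"}]
    print(audit_node_security_group(sample_rules, "confluence-lb", "confluence-nodes"))
```

Run as a script it prints the two node addresses that survive the tag and security-group filters, flags the 172.17.0.2 bridge address as unreachable by peers, and reports that port 80 from the load balancer and the 5801/25500 node-to-node rules are missing while 5801 is open to the world. The audit only checks membership of rules, not CIDR containment, which is enough to catch the usual mistake of opening the Hazelcast ports to 0.0.0.0/0.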
