When installing Confluence Data Center on AWS, what permissions does the IAM role require?

Trevan Householder_Isos-Tech-Consulting_
Rising Star
April 7, 2017

We need more information on what Confluence expects for these form fields. There is no reference to this web form in the Atlassian docs. 

• What permissions does the IAM role require?
• What gets populated into the Host Header field?
• What values are required for the Tag key and Tag value?
• What needs to be in the security group that is named?


3 answers

1 accepted

2 votes
Answer accepted
Sky Moore May 5, 2021

Hi, Sky from Isostech here :) ...


In general the Confluence AWS Quick Start Template is a good place to start.  The IAM role is on line 1079, and the security group is on line 1823.

  • What permissions does the IAM role require?
    • In addition to the following permissions, some may be required to realize copying the confluence.cfg.xml from other nodes by whatever method you choose.  I usually use an s3 bucket since it does not depend on other nodes being alive or having any special keys.  The route53 permissions are typically not required as well, but they are in the quick start so I've included them here.
      • autoscaling:DescribeTags
      • autoscaling:CreateOrUpdateTags
      • ec2:CreateTags
      • ec2:DescribeInstances
      • ec2:DescribeTags
      • route53:ListHostedZones
      • route53:ListResourceRecordSet
  • What gets populated into the Host Header field?
    • I have never needed to use this field for a working data center deployment.  If anyone has any information about when and how this is useful please let us know.
  • What values are required for the Tag key and Tag value?
    • This is only used to narrow down the instances that could be Confluence nodes when searching EC2 for other nodes.
  • What needs to be in the security group that is named?
    • Ingress from the load balancer security group to the non-proxied port that is configured in $PROGRAM_DIR/conf/server.xml; this is the same port that you will want to configure as the health check port with a path of '/status'.
    • Ingress from the load balancer security group to 443 and likely port 80 as well, depending on how you've configured your https redirect.
    • The following ports will need to be allowed only between the nodes.
      • 5801 - the Confluence Hazelcast port
      • 5701 - the Synchrony Hazelcast port, if not running a standalone synchrony cluster
      • 25500 - the Synchrony Cluster base port, if not running a standalone synchrony cluster
    • Egress to everywhere will be required in every case I can imagine


The only three fields that I typically fill on initial setup are the following:

  • IAM Role
  • Region
  • Security Group Name

When confluence starts it will make a call to AWS metadata for the access credentials of the IAM role.  It will use these credentials to discover the other nodes in EC2.  If your configuration fails for whatever reason and the cluster is not successfully created, you will need to wipe the database and start over.  Editing these values in confluence.cfg.xml and restarting confluence will not work on initial setup.

0 votes
Robert Valentine March 24, 2020

Working on the IAM role now.
according to hazelcast which they use...
https://github.com/hazelcast/hazelcast-aws

Hostheader for me was ec2.amazonaws.com

I believe it searches the instances for all the instances that share the same key/value.

So if you make the key ClusteringID and the value like Confluence1234 it should cluster those together. I'm not sure security group is required... but... I'm still working on mine.

Update:

The security group needs to be shared by all the instances and is required.
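As an added example (not code from the page, from Atlassian or from the hazelcast-aws plugin), the Python below turns the accepted answer's IAM action list into a policy document, checks a role policy for missing actions, and approximates the tag-plus-security-group filter that both the accepted answer and this answer describe for EC2 peer discovery, using the ClusteringID/Confluence1234 tag suggested above as sample data. The instance records are constructed, the policy checker ignores Deny statements and Resource constraints, and the plugin's real filtering logic is only approximated.

```python
import fnmatch

# IAM actions listed in the accepted answer; the route53 pair is optional there.
NODE_ACTIONS = ["autoscaling:DescribeTags", "autoscaling:CreateOrUpdateTags",
                "ec2:CreateTags", "ec2:DescribeInstances", "ec2:DescribeTags"]
ROUTE53_ACTIONS = ["route53:ListHostedZones", "route53:ListResourceRecordSet"]


def node_role_policy(with_route53=False):
    """Least-privilege policy document for the Confluence node IAM role."""
    actions = NODE_ACTIONS + (ROUTE53_ACTIONS if with_route53 else [])
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


def missing_actions(policy, needed=NODE_ACTIONS):
    """Actions in `needed` that no Allow statement grants. Wildcards such as
    ec2:Describe* are honoured; Deny statements and Resource are not evaluated."""
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            granted.extend([act] if isinstance(act, str) else act)
    return [a for a in needed
            if not any(fnmatch.fnmatchcase(a, g) for g in granted)]


def discover_peers(instances, tag_key, tag_value, security_group):
    """Approximate the discovery filter the answers describe: running instances
    carrying the tag key/value AND the shared security group; returns private IPs."""
    peers = []
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        groups = {g["GroupName"] for g in inst.get("SecurityGroups", [])}
        if (inst.get("State", {}).get("Name") == "running"
                and tags.get(tag_key) == tag_value and security_group in groups):
            peers.append(inst["PrivateIpAddress"])
    return sorted(peers)


# Constructed sample shaped like ec2:DescribeInstances output (not real data).
def _inst(iid, ip, state, cluster_id, sg):
    return {"InstanceId": iid, "PrivateIpAddress": ip, "State": {"Name": state},
            "Tags": [{"Key": "ClusteringID", "Value": cluster_id}],
            "SecurityGroups": [{"GroupName": sg}]}

SAMPLE_INSTANCES = [_inst("i-node1", "10.0.1.10", "running", "Confluence1234", "confluence-nodes"),
                    _inst("i-node2", "10.0.1.11", "running", "Confluence1234", "confluence-nodes"),
                    _inst("i-jira", "10.0.1.12", "running", "Jira9999", "confluence-nodes"),
                    _inst("i-old", "10.0.1.13", "stopped", "Confluence1234", "confluence-nodes")]
```

A role granting only `ec2:Describe*` is reported as missing the autoscaling and `ec2:CreateTags` actions, which is the kind of gap that leaves nodes unable to find each other.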

gangadhar March 30, 2021

@Trevan Householder_Isos-Tech-Consulting_ @Robert Valentine @Marcelo Horlle

I am also trying to use the AWS strategy to auto discover the peer nodes. However, I am unable to create the cluster. I have ensured the hazelcast jar file exists under the plugin directory and the IAM role has the required permissions (ec2:DescribeInstances).

The error which showed up in the UI doesn't make sense as I am using only the IAM role, not both.

The network interface which Confluence grabbed is not associated with any of the hosts in AWS. The Confluence log has the following error:

[atlassian.confluence.cluster.DefaultClusterConfigurationHelper] getJoinConfig Could not get cluster config from configuration file: The address 'null' is not a valid network address


gangadhar March 30, 2021

The network interface which Confluence grabbed is not associated with any of the hosts in AWS. The Confluence log has the following error: we are running Confluence in a container, and the IP the cluster grabbed is the docker container IP address.

0 votes
Marcelo Horlle
Atlassian Team
June 12, 2017

Hey Trevan,

This is not mandatory, since it is very specific to the Amazon environment. Pretty much, an IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account.

You can find more information about it on the IAM Roles guide on the Amazon web pages. I recommend you only use IAM Roles if you have them; otherwise, set a secret key to access the Amazon resources and you should be good.

Hope it helps, have a great week ahead!

Lucas Smithbauer February 19, 2019

This is not a good answer as it does not address any of the bullet points. I am finding the Confluence Data Center AWS installation resources extremely lacking. Whereas Jira was a breeze.

Jamie Gaard May 4, 2021

The question is not what IAM roles are, but what permissions/trust relationships we need to grant to the role to allow Confluence node discovery. There aren't any robust AWS-Atlassian docs to help fill in the gap. I am guessing it needs ec2 services, but is there anything else?
