My AWS account has no external internet access
Overview
This page describes how to perform a manual installation of Saturn Cloud into your own AWS account. The instructions below assume a bash-compatible shell is in use.
Preparation
In order to follow these instructions, you will need the following:
- Console access to your AWS account.
- Permission in your AWS account to create IAM roles and/or permission to create CloudFormation stacks.
- A place to run Docker containers from (either an SSH session to a machine with docker access, or docker running locally) that has a persistent disk. This location must have network access to the VPC you plan to install Saturn into.
- A VPC with 2 subnets. We recommend you ensure at least one of them has access to P3 instances.
VPC Considerations
- You need to ensure that your VPC allows egress to https://manager.aws.saturnenterprise.io/ (3.134.99.59)
- A security group with an inbound rule that allows HTTPS traffic from the VPC’s CIDR
- Private VPC endpoints for the following AWS services, with the security group (from the previous step) attached:
  - ecr.dkr (Interface)
  - ecr.api (Interface)
  - ec2 (Interface)
  - autoscaling (Interface)
  - sts (Interface)
  - s3 (Gateway)
- Either egress to docker.io, k8s.gcr.io, and quay.io, or an image mirror set up with access to those hosts. Currently, the only image mirror Saturn supports is Artifactory. If you require support for a different image mirror solution, please get in touch.
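A preflight check for the endpoint list above, as an added example that is not part of Saturn Cloud's documentation or installer. It assumes the AWS CLI is installed and authenticated; the function names and the VPC ID in the usage comment are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify that the VPC has the private endpoints listed above.
# Required endpoints as "service:type", copied from the list on this page.
REQUIRED_ENDPOINTS="ecr.dkr:Interface ecr.api:Interface ec2:Interface autoscaling:Interface sts:Interface s3:Gateway"

# Reads "ServiceName VpcEndpointType" rows on stdin (the text output of
# describe-vpc-endpoints) and prints each required endpoint that is absent
# or present with the wrong type, one per line, in the order listed above.
missing_endpoints() {
  awk -v region="$1" -v required="$REQUIRED_ENDPOINTS" '
    { seen[$1 ":" $2] = 1 }
    END {
      n = split(required, reqs, " ")
      for (i = 1; i <= n; i++) {
        split(reqs[i], p, ":")
        key = "com.amazonaws." region "." p[1] ":" p[2]
        if (!(key in seen)) print p[1] " (" p[2] ")"
      }
    }'
}

# Queries one VPC and returns 0 if every endpoint exists, 1 if any is
# missing, 2 if the AWS CLI call itself failed.
# Usage (placeholder VPC ID): check_vpc_endpoints vpc-EXAMPLE us-east-2
check_vpc_endpoints() {
  vpc_id="$1"
  region="$2"
  found="$(aws ec2 describe-vpc-endpoints --region "$region" \
    --filters "Name=vpc-id,Values=${vpc_id}" \
    --query 'VpcEndpoints[].[ServiceName,VpcEndpointType]' \
    --output text)" || { echo "describe-vpc-endpoints failed" >&2; return 2; }
  missing="$(printf '%s\n' "$found" | missing_endpoints "$region")"
  if [ -n "$missing" ]; then
    printf 'VPC %s is missing endpoints:\n%s\n' "$vpc_id" "$missing" >&2
    return 1
  fi
  echo "All required VPC endpoints are present in ${vpc_id}"
}
```

The check covers endpoint presence and type only; it does not verify that the security group from the previous step is attached to each interface endpoint.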
Installation
Step 1. Sign up for Saturn Cloud
To begin the signup process, visit the Saturn Manager.
Once installed, your Saturn Cloud installation will be hosted at “app.{orgname}.saturnenterprise.io”, so the company name will be converted into a valid DNS name.
The Manager will direct you to the AWS Marketplace, where you can subscribe to Saturn Cloud.
Step 2. Create your installation configuration
Contact support@saturncloud.io. We will help you generate your installation configuration. It will look something like this:
customer_authorization_token: ...
external_id: ...
org_name: ...
region: ...
admin_email: ...
is_enterprise: true
aws_account_id: ...
skip_vpc: true
vpc_id: ...
public_subnets: []
private_subnets:
- ...
- ...
worker_subnets:
- ...
private_cluster: true
internal_lb: true
k8s_api_allowed_cidrs:
- ...
image_mirror: ...
Step 3. Create the installation Role
You can create the role for the Saturn installation via a CloudFormation stack. If you are installing Saturn yourself, this probably means you will want to modify the CloudFormation template to adjust the trust relationship. Please contact us if you need assistance doing so.
Step 4. Set up a few environment variables in your bash shell
export INSTALLER_TAG=...
export DATA_DIR=....
export AWS_AUTH_VARS=...
We will provide you with the INSTALLER_TAG, which will point to the latest version of our Installer. DATA_DIR should point to a directory on disk where you’ve written the config.yaml from Step 2. AWS_AUTH_VARS is a set of docker cli args that will authenticate the docker container with IAM credentials.
AWS_AUTH_VARS
If you’ve signed in via aws configure and have an ~/.aws/config file that contains credentials:
export AWS_AUTH_VARS="-v ${HOME}/.aws:/root/.aws"
If you have AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION set:
export AWS_AUTH_VARS="-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_DEFAULT_REGION"
If running from an EC2 instance with an assigned IAM role, then AWS_AUTH_VARS isn’t necessary. Set it to an empty string:
export AWS_AUTH_VARS=""
Step 5. Run the installer
docker run --rm -it -v ${DATA_DIR}:/sdata ${AWS_AUTH_VARS} saturncloud/saturn-aws:${INSTALLER_TAG} python saturn_aws/scripts/main.py install
This will take some time - typically 15-45 minutes. If you encounter errors, contact us and we will help debug. When installation completes successfully, you will receive an email instructing you to reset your password for the admin account on your new Saturn deployment.
Step 6. Back up the configuration files to S3
docker run --rm -it -v ${DATA_DIR}:/sdata ${AWS_AUTH_VARS} saturncloud/saturn-aws:${INSTALLER_TAG} python saturn_aws/scripts/main.py backup
That’s it! You’ll receive an email shortly with instructions for how to log in to Saturn.