Skip to main content

Cloud Execution for Desktop in AWS

Follow this guide to deploy the Cloud Execution for Desktop (CEfD) module for AWS private data processing.

Prerequisite

Before you deploy the CEfD module, you must complete these steps on the Set Up AWS Account and VPC for Private Data page...

  1. Configured a VPC dedicated to Alteryx Analytics Cloud (AAC) as mentioned in the Create a VPC section.

  2. Service account and base IAM role attached to the service account as mentioned in the Configure IAM section.

  3. Successfully triggered private data processing provisioning as mentioned in the Trigger Private Data Handling Provisioning section.

Account Setup

Step 1: Configure IAM

Step 1a: Create Designer Cloud IAM Policy

You need to create a custom IAM policy. Name it AAC_CEFD_SA_Policy and use the following policy document. We recommend using the JSON tab instead of the visual editor. AACAAC requires some * permissions to run. Expect some security warnings when you create the policy. Note that the IAM policy document supports role creation and includes an inline policy for the Lambda function to assume roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com",
                        "ec2.amazonaws.com.cn"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "kms:CreateGrant",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListGrants",
                "kms:ListResourceTags",
                "kms:ListRetirableGrants",
                "kms:PutKeyPolicy",
                "kms:RetireGrant",
                "kms:RevokeGrant",
                "kms:ScheduleKeyDeletion",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": [
                "arn:aws:eks:*:*:addon/*/*/*",
                "arn:aws:eks:*:*:cluster/*",
                "arn:aws:eks:*:*:nodegroup/*/*/*",
                "arn:aws:eks:*:*:identityproviderconfig/*/*/*/*",
                "arn:aws:kms:*:*:key/*",
                "arn:aws:iam::*:role/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:AttachRolePolicy",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyTags",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PassRole",               
                "iam:TagPolicy",
                "iam:TagRole",                
                "iam:UntagPolicy",
                "iam:UntagRole",              
                "iam:UpdateAssumeRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:UpdateRole"
            ],
            "Resource": [
                "arn:aws:iam::*:policy/*",
                "arn:aws:iam::*:oidc-provider/*",
                "arn:aws:iam::*:user/*",
                "arn:aws:iam::*:role/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "iam:GetAccountName",
                "iam:ListAccountAliases",
                "iam:ListRoles",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:TagInstanceProfile",
                "iam:UntagInstanceProfile", 
                "iam:RemoveRoleFromInstanceProfile", 
                "iam:AddRoleToInstanceProfile", 
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:ListTagsLogGroup",
                "logs:PutRetentionPolicy",
                "logs:TagResource",
                "logs:UntagResource",
                "logs:TagLogGroup",
                "logs:UntagLogGroup",
                "networkmanager:Describe*",
                "networkmanager:Get*",
                "networkmanager:List*",
                "sts:GetCallerIdentity",
                "logs:CreateLogStream",
                "logs:DeleteLogStream",
                "logs:PutLogEvents",
                "lambda:GetFunction",
                "lambda:GetFunctionCodeSigningConfig",
                "lambda:GetPolicy",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:ListVersionsByFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:UntagResource", 
                "lambda:UpdateFunctionConfiguration",
                "lambda:UpdateFunctionCode",
                "lambda:tagResource",
                "events:DescribeRule",
                "events:DeleteRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "events:ListTagsForResource",
                "events:ListTargetsByRule"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "arn:aws:secretsmanager:*:*:secret:*"
        }
    ]
}

Step 1b: Tag the IAM Policy

Tag the custom IAM policy created in Step 1a.

Tag Name

Value

AACResource

aac_sa_custom_policy

Step 1c: Attach IAM Policy

Attach the AAC_CEFD_SA_Policy IAM policy to the aac_automation_sa service account created on the Set Up AWS Account and VPC for Private Data page.

Nota

AAC_CEFD_SA_Policy is an example policy name. You can choose any name for the policy, but the name must start with AAC_CEFD.

Step 2: Configure Subnet

Nota

If you've purchased Designer Cloud and EMR, then configure the subnets as mentioned in Designer Cloud and EMR Serverless in AWS. Both EMR and CEfD resources share the option subnets.

CEfD in private data processing environment requires 1 subnet group. The group contains 3 individual subnets, each in a different availability zone.

  1. option group: Use this group if you enable Cloud Execution for Desktop within your data pocessing environment. If you enable this option, an AMI swarm runs in this subnet to handle Designer Desktop processing jobs that run in the cloud.

Step 2a: Create Subnets in the VPC

Configure subnets in the aac_vpc VPC.

Create subnets and tag them following this example. Modify values, as needed, to meet your network architecture…

CIDRs

Subnet Name

Subnet

AZ

Tag Name

Tag Value

10.10.0.0/21

option

10.10.4.0/24

AZa

AACSubnet

option

option

10.10.5.0/24

AZb

AACSubnet

option

option

10.10.6.0/24

AZc

AACSubnet

option

Importante

You must tag subnets with Tag Name and Tag Value as mentioned in the table.

Step 2b: Subnet Route Tables

Create the route table for your subnets.

Nota

This route table is an example.

Subnet Name

Route Destination

Target

Comments

option

/21 CIDR Block

<s3 prefix id>

0.0.0.0/0

Local

<vpce endpoint id>

<gateway id>

Configure the same routes to all 3 AZs subnet routing tables.

Basically, 0.0.0.0/0 should be egressing out to the public network.

Nota

Your <gateway id> could be either a zonal NAT gateway that is created per AZ or a transit gateway, depending on your network architecture. If NAT gateway, create NAT gateway per AZ for public subnets.

Private Data Processing

Attenzione

Se modifichi o rimuovi qualsiasi risorsa del cloud pubblico fornita da AAC dopo l'attivazione della gestione dei dati privati, si verifica uno stato di non coerenza. Questa incoerenza genera errori durante l'esecuzione del processo o il deprovisioning della configurazione di gestione del piano dati privato.

Step 1: Trigger CEfD Deployment

Data plane provisioning triggers from the Admin Console inside AACAAC. You need Workspace Admin privileges within a workspace in order to see it.

  1. From the AACAAC landing page, select the Profile menu and then select Workspace Admin.

  2. From the Admin Console, select Private Data Handling and then select Processing.

  3. Select the Cloud Execution for Desktop checkbox and then select Update.

Selecting Update triggers the deployment of the cluster and resources in the AWS account. This runs a set of validation checks to verify the correct configuration of the AWS account.

Nota

The provisioning process takes approximately 35–40 minutes to complete.

After the provisioning completes, you can view the created resources (for example, EC2 instances and node groups) through the AWS console. It is very important that you don't modify them on your own. Manual changes might cause issues with the function of the private data plane.