Creating a DAX cluster
This section walks you through the first-time setup and usage of Amazon DynamoDB Accelerator (DAX) in your default Amazon Virtual Private Cloud (Amazon VPC) environment. You can create your first DAX cluster using either the Amazon Command Line Interface (Amazon CLI) or the Amazon Web Services Management Console.
After you create your DAX cluster, you can access it from an Amazon EC2 instance running in the same VPC. You can then use your DAX cluster with an application program. For more information, see Developing with the DynamoDB Accelerator (DAX) client.
Creating an IAM service role for DAX to access DynamoDB
For your DAX cluster to access DynamoDB tables on your behalf, you must create a service role. A service role is an Amazon Identity and Access Management (IAM) role that authorizes an Amazon service to act on your behalf. The service role allows DAX to access your DynamoDB tables, as if you were accessing those tables yourself. You must create the service role before you can create the DAX cluster.
If you are using the console, the workflow for creating a cluster checks for the presence of a pre-existing DAX service role. If none is found, the console creates a new service role for you. For more information, see Step 2: Create a DAX cluster using the Amazon Web Services Management Console.
If you are using the Amazon CLI, you must specify a DAX service role that you have created previously. Otherwise, you need to create a new service role beforehand. For more information, see Step 1: Create an IAM service role for DAX to access DynamoDB using the Amazon CLI.
Permissions required to create a service role
The AWS managed AdministratorAccess policy provides all the permissions needed for creating a DAX cluster and a service role. If your user has AdministratorAccess attached, no further action is needed.
Otherwise, you must add the following permissions to your IAM policy so that your user can create the service role:
- iam:CreateRole
- iam:CreatePolicy
- iam:AttachRolePolicy
- iam:PassRole
Attach these permissions to the user who is trying to perform the action.
Note
The iam:CreateRole, iam:CreatePolicy, iam:AttachRolePolicy, and iam:PassRole permissions are not included in the Amazon managed policies for DynamoDB. This is by design, because these permissions make privilege escalation possible: a user who holds them could create a new policy that grants administrator access and attach it to an existing role, or pass a role with broader permissions than their own to a service. For this reason, you (the administrator of your DAX cluster) must explicitly add these permissions to your policy, and you should scope them to the specific role and policy that DAX needs rather than granting them on all resources.
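The following is an added example, not code from the DAX documentation. It covers both the required-permissions list above and the note on escalation: it builds the trust policy and permissions policy for the DAX service role, builds a least-privilege policy for the user that creates the cluster (each of the four iam:* actions pinned to one role or policy ARN, with iam:PassRole further limited to dax.amazonaws.com through the iam:PassedToService condition key), and lints a candidate user policy for the four actions so you can find the gap before the create-cluster call fails. The account ID, role name, policy name, and table name are placeholders, and the linter's policy evaluation is deliberately simplified (Action and Effect only).

```python
"""Added example, not code from the DAX documentation. Builds the IAM policy
documents a DAX service role needs and lints the policy of the principal that
will create the cluster for the four iam:* permissions the page lists.

Assumptions (placeholders, not from the page): account 111122223333, role
name DAXServiceRole, managed policy name DAXServiceRolePolicy, table Orders.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"           # placeholder account ID
ROLE_NAME = "DAXServiceRole"          # placeholder service-role name
POLICY_NAME = "DAXServiceRolePolicy"  # placeholder managed-policy name
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
POLICY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/{POLICY_NAME}"

# The four permissions the page says are needed to create the service role.
REQUIRED_ACTIONS = ("iam:CreateRole", "iam:CreatePolicy",
                    "iam:AttachRolePolicy", "iam:PassRole")

# Trust policy of the service role: only the DAX service may assume it.
DAX_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "dax.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Permissions policy of the service role: what DAX may do in DynamoDB on your
# behalf. Scoped to one table (assumption) rather than Resource "*".
DAX_SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*",
                   "Resource": f"arn:aws:dynamodb:*:{ACCOUNT_ID}:table/Orders"}],
}

# Policy for the user (or CI role) that creates the cluster. Each iam:* action
# is pinned to the one role and policy it needs; PassRole additionally requires
# that the role is passed to DAX and not to some other service.
DAX_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateDaxRole", "Effect": "Allow",
         "Action": "iam:CreateRole", "Resource": ROLE_ARN},
        {"Sid": "CreateDaxPolicy", "Effect": "Allow",
         "Action": "iam:CreatePolicy", "Resource": POLICY_ARN},
        {"Sid": "AttachOnlyDaxPolicy", "Effect": "Allow",
         "Action": "iam:AttachRolePolicy", "Resource": ROLE_ARN,
         "Condition": {"ArnEquals": {"iam:PolicyARN": POLICY_ARN}}},
        {"Sid": "PassRoleOnlyToDax", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": "dax.amazonaws.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_required_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that `policy` does not allow.

    Simplified evaluation: Action patterns are matched case-insensitively with
    IAM's * and ? wildcards, and an explicit Deny beats any Allow, as in IAM.
    Resource and Condition are ignored, so an empty result means the actions
    are named, not that every real request would be authorized.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return [a for a in required if a not in allowed or a in denied]


def policy_json(policy):
    """Serialize a policy document so it can be written to a file and passed
    to the CLI as file://... (assume-role or permissions policy)."""
    return json.dumps(policy, indent=2)


# Constructed sample user policies for the linter (not from the page).
ADMIN_LIKE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DYNAMODB_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
NO_PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:CreatePolicy",
                                   "iam:AttachRolePolicy"], "Resource": "*"}]}
DENIED_PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("AdministratorAccess-like", ADMIN_LIKE_POLICY),
                      ("DynamoDB only", DYNAMODB_ONLY_POLICY),
                      ("scoped DAX admin", DAX_ADMIN_POLICY),
                      ("missing PassRole", NO_PASSROLE_POLICY),
                      ("PassRole denied", DENIED_PASSROLE_POLICY)]:
        print(f"{name}: missing {missing_required_actions(pol) or 'nothing'}")
    print(policy_json(DAX_TRUST_POLICY))
```

To use the documents with the Amazon CLI, write DAX_TRUST_POLICY to a file and pass it to `aws iam create-role --assume-role-policy-document file://trust.json`, write DAX_SERVICE_ROLE_POLICY to a file for `aws iam create-policy --policy-document file://policy.json`, attach it with `aws iam attach-role-policy`, and then pass the role ARN to `aws dax create-cluster --iam-role-arn`. The linter only tells you which of the four actions a policy fails to name; the resource pinning and the two condition keys in DAX_ADMIN_POLICY are what keep those actions from being reusable for escalation.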
Troubleshooting
If your user policy is missing the iam:CreateRole, iam:CreatePolicy, or iam:AttachRolePolicy permission, the attempt to create the service role fails with an "is not authorized to perform" error naming the missing action. The following table lists these messages and describes how to correct the problems.
| If you see this error message... | Do the following: |
|---|---|
| User: arn:aws:iam:: | Add iam:CreateRole to your user policy. |
| User: arn:aws:iam:: | Add iam:CreatePolicy to your user policy. |
| User: arn:aws:iam:: | Add iam:AttachRolePolicy to your user policy. |
For more information about the IAM policies required for DAX cluster administration, see DAX access control.