Step 1: Create a cluster
To create a cluster, follow these steps.
Topics
Step 1.1: Create a cluster
In this step, you create a cluster in the default Amazon VPC in the us-east-1 region in your account using the Amazon Command Line Interface (CLI). For information on creating a cluster using the MemoryDB console or API, see Step 1: Create a cluster.
aws memorydb create-cluster \
    --cluster-name cluster-01 \
    --engine-version 7.0 \
    --acl-name open-access \
    --description "MemoryDB IAM auth application" \
    --node-type db.r6g.large
Note that the value of the Status field is set to CREATING. It can take a few minutes for MemoryDB to finish creating your cluster.
Step 1.2: Copy the cluster endpoint
Verify that MemoryDB has finished creating the cluster with the describe-clusters command.
aws memorydb describe-clusters \
    --cluster-name cluster-01
Copy the Cluster Endpoint Address shown in the output. You'll need this address when you create the deployment package for your Lambda function.
Step 1.3: Create IAM Role
Create an IAM trust policy document, as shown below, for your role. It allows your account and the Lambda service to assume the new role. Save the policy to a file named trust-policy.json. Be sure to replace the account ID 123456789012 in this policy with your own account ID.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": { "Service": "lambda.amazonaws.com" },
            "Action": "sts:AssumeRole"
        }
    ]
}
Create an IAM policy document, as shown below. It grants memorydb:Connect only for the cluster and the IAM-enabled user created in this tutorial. Save the policy to a file named policy.json. Be sure to replace the account ID 123456789012 in this policy with your own account ID.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "memorydb:Connect" ],
            "Resource": [
                "arn:aws:memorydb:us-east-1:123456789012:cluster/cluster-01",
                "arn:aws:memorydb:us-east-1:123456789012:user/iam-user-01"
            ]
        }
    ]
}
Create an IAM role.
aws iam create-role \
    --role-name "memorydb-iam-auth-app" \
    --assume-role-policy-document file://trust-policy.json
Create the IAM policy.
aws iam create-policy \
    --policy-name "memorydb-allow-all" \
    --policy-document file://policy.json
Attach the IAM policy to the role. Be sure to replace the account ID 123456789012 in this policy ARN with your own account ID.
aws iam attach-role-policy \
    --role-name "memorydb-iam-auth-app" \
    --policy-arn "arn:aws:iam::123456789012:policy/memorydb-allow-all"
Step 1.4: Create an Access Control List (ACL)
Create a new IAM-enabled user.
aws memorydb create-user \
    --user-name iam-user-01 \
    --authentication-mode Type=iam \
    --access-string "on ~* +@all"
Create an ACL containing the IAM-enabled user, then attach it to the cluster so that the cluster no longer uses the open-access ACL it was created with.
aws memorydb create-acl \
    --acl-name iam-acl-01 \
    --user-names iam-user-01

aws memorydb update-cluster \
    --cluster-name cluster-01 \
    --acl-name iam-acl-01
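Before moving on to the Lambda deployment package, it is worth confirming that Steps 1.1 to 1.4 actually produced what the later steps rely on: the cluster is available, the IAM ACL (not open-access) is the one attached, and the cluster ARN is covered by the Connect policy. The script below is an added example, not part of the MemoryDB tutorial; it builds the same scoped policy as policy.json and checks a describe-clusters JSON document against it. The sample describe-clusters output is constructed here, with the tutorial's placeholder account ID and a made-up endpoint address.

```python
import json

# Values from the tutorial. ACCOUNT_ID is the tutorial's placeholder; replace with yours.
REGION, ACCOUNT_ID = "us-east-1", "123456789012"
CLUSTER, IAM_USER, ACL = "cluster-01", "iam-user-01", "iam-acl-01"


def connect_policy(region, account_id, cluster, user):
    """Build the policy.json document: memorydb:Connect scoped to one cluster and one user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["memorydb:Connect"],
            "Resource": [
                f"arn:aws:memorydb:{region}:{account_id}:cluster/{cluster}",
                f"arn:aws:memorydb:{region}:{account_id}:user/{user}",
            ],
        }],
    }


def check_cluster(describe_json, cluster, acl, policy):
    """Check `aws memorydb describe-clusters` output against the expected end state.

    Returns (endpoint_address, problems); the endpoint is None until the cluster is
    available, carries the IAM ACL, and its ARN is listed in the Connect policy.
    """
    problems = []
    match = [c for c in json.loads(describe_json)["Clusters"] if c["Name"] == cluster]
    if not match:
        return None, [f"cluster {cluster} not found"]
    c = match[0]
    if c["Status"] != "available":
        problems.append(f"status is {c['Status']}, wait and retry")
    if c.get("ACLName") != acl:
        problems.append(f"ACL is {c.get('ACLName')}, expected {acl}")
    allowed = {r for s in policy["Statement"] for r in s["Resource"]}
    if c["ARN"] not in allowed:
        problems.append(f"policy does not cover {c['ARN']}")
    return (c["ClusterEndpoint"]["Address"] if not problems else None), problems


# Constructed sample of describe-clusters output (not from a real cluster).
SAMPLE = json.dumps({"Clusters": [{
    "Name": CLUSTER, "Status": "available", "ACLName": ACL,
    "ARN": f"arn:aws:memorydb:{REGION}:{ACCOUNT_ID}:cluster/{CLUSTER}",
    "ClusterEndpoint": {"Address": "clustercfg.cluster-01.example.memorydb.us-east-1.amazonaws.com", "Port": 6379},
}]})

if __name__ == "__main__":
    policy = connect_policy(REGION, ACCOUNT_ID, CLUSTER, IAM_USER)
    print(check_cluster(SAMPLE, CLUSTER, ACL, policy))
```

To run it against your own account, feed it the output of the describe-clusters command from Step 1.2 instead of SAMPLE.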