EC2 instance profile
Define an IAM role for your Qlik-managed EC2 instances. This role is used by the instances running in your AWS lakehouse environment.
An EC2 instance profile is a container for an IAM role that can be assigned to an EC2 instance. It allows the instance to access AWS services securely without the need to store AWS credentials on the instance.
When an instance is launched with an instance profile, the associated IAM role’s temporary credentials are automatically made available to applications running on the instance via the instance metadata service. This enables the instance to make authorized API requests to AWS services such as Amazon S3, DynamoDB, or CloudWatch.
Using instance profiles improves security and simplifies credential management by:
- Eliminating hard-coded credentials in application code or configuration files.
- Automatically rotating credentials.
- Enforcing least privilege through fine-grained IAM policies attached to the role.
Instance profiles are commonly used in scenarios where EC2 instances need to interact with other AWS resources securely and programmatically.
Prerequisites
Ensure you have created the VPC, subnet, and Availability Zones for hosting your Qlik Open Lakehouse, and have the following details:
- The URL of the S3 bucket for Qlik to store internal metadata files.
- The name of the Kinesis stream for Qlik to manage the instances in the cluster.
Creating an instance profile
To create a management role, do the following:
- In the AWS console, go to IAM.
- In Roles, click Create role, and configure it:
  - Trusted entity type: Select AWS service from the options.
  - Service or use case: Select EC2.
  - Use case: Select EC2.
- Create the role. Return to the Roles page and click the role you created.
- Click the Copy icon next to the Instance profile ARN name and save this value.
- Click Add permissions and select Create inline policy.
- Policy editor: Select JSON. Paste in the following text, and make sure to:
  - Change the <INTERNAL_STREAM_NAME> parameter to your Kinesis stream.
  - Change the <INTERNAL_BUCKET_NAME> parameter to your S3 bucket.
  - Change the <SYMMETRIC_KMS_KEY> parameter to the ARN of your symmetric KMS key. The statement grants kms:* on that resource, so reference a single key ARN rather than a wildcard.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "autoscaling:SetInstanceHealth"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/qlik_cluster": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "cloudwatch:PutMetricData"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:kinesis:*:*:stream/<INTERNAL_STREAM_NAME>"
      ],
      "Action": [
        "kinesis:PutRecord",
        "kinesis:DescribeStreamSummary",
        "kinesis:ListShards",
        "kinesis:PutRecords",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords",
        "kinesis:DescribeStream",
        "kinesis:ListStreamConsumers"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<INTERNAL_BUCKET_NAME>",
        "arn:aws:s3:::<INTERNAL_BUCKET_NAME>/*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:AbortMultipartUpload",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:*:*:parameter/qlik/*"
      ],
      "Action": [
        "ssm:GetParameter",
        "ssm:PutParameter"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "<SYMMETRIC_KMS_KEY>"
      ],
      "Action": [
        "kms:*"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "sts:AssumeRole"
      ],
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "6b69f9c3c8f502f2ddfc8434d443f172ebe4c032f4ef1a3c51215d27a58ca799"
        }
      }
    }
  ]
}
```
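The policy above is pasted by hand, so it is easy to leave a placeholder in place or to fill one with something that is not a valid ARN. The following Python helper, added here as an example and not part of Qlik's documentation or tooling, fills in the placeholders on an abridged copy of the policy and then lists what a reviewer should look at before attaching it: malformed resources, a Resource of "*" with no Condition, and wildcard actions such as the kms:* grant. The stream, bucket, and key values in the test are constructed, not real.

```python
import json
import re

# Abridged copy of the page's inline policy, constructed for this example: only the
# statements that carry placeholders or wildcards are kept so the block stays short.
POLICY_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["ec2:AttachVolume", "ec2:DetachVolume", "autoscaling:SetInstanceHealth"],
         "Condition": {"Null": {"aws:ResourceTag/qlik_cluster": "false"}}},
        {"Effect": "Allow", "Resource": ["arn:aws:kinesis:*:*:stream/<INTERNAL_STREAM_NAME>"],
         "Action": ["kinesis:PutRecord", "kinesis:GetRecords"]},
        {"Effect": "Allow", "Resource": ["arn:aws:s3:::<INTERNAL_BUCKET_NAME>",
                                          "arn:aws:s3:::<INTERNAL_BUCKET_NAME>/*"],
         "Action": ["s3:PutObject", "s3:GetObject"]},
        {"Effect": "Allow", "Resource": ["<SYMMETRIC_KMS_KEY>"], "Action": ["kms:*"]},
    ],
})

PLACEHOLDER = re.compile(r"<[A-Z_]+>")
SAFE_VALUE = re.compile(r"[A-Za-z0-9:/_.*-]+")          # what a name or ARN may contain
ARN = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9*-]*:(\d{12}|\*)?:.+$")


def render_policy(template: str, values: dict) -> dict:
    """Fill in <PLACEHOLDER>s; reject values that could alter the JSON and any leftovers."""
    rendered = template
    for name, value in values.items():
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe value for {name}: {value!r}")
        rendered = rendered.replace(f"<{name}>", value)
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return json.loads(rendered)


def review_policy(policy: dict) -> list:
    """Findings to check before attaching: bad ARNs, unconditioned '*' resources, wildcard actions."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for res in resources:
            if res != "*" and not ARN.match(res):
                findings.append(f"statement {i}: malformed resource {res!r}")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"statement {i}: Resource '*' with no Condition on {actions}")
        findings += [f"statement {i}: wildcard action {a!r}" for a in actions if a.endswith("*")]
    return findings
```

Run it against the full policy from the page by replacing POLICY_TEMPLATE with the pasted text; the sts:AssumeRole statement passes because its "*" resource is constrained by the ExternalId condition.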
Required permission justifications
The following table explains each permission granted to the EC2 instance:
| Policy | Permissions | Explanation |
|---|---|---|
| Attach Volume Policy | `{ "Effect": "Allow", "Resource": [ "*" ], "Action": [ "ec2:AttachVolume", "ec2:DetachVolume", "autoscaling:SetInstanceHealth" ], "Condition": { "Null": { "aws:ResourceTag/qlik_cluster": "false" } } }` | This policy grants EC2 instances permission to attach and detach the persistent EBS volumes created by Qlik; the Null condition limits it to resources carrying the qlik_cluster tag. This allows data to persist between Gateway machine upgrades. |
| CloudWatch | `{ "Effect": "Allow", "Resource": [ "*" ], "Action": [ "cloudwatch:PutMetricData" ] }` | This policy allows EC2 instances to push custom metrics to CloudWatch, which are used to auto-scale Qlik clusters based on software performance. |
| Internal Stream | `{ "Effect": "Allow", "Resource": [ "arn:aws:kinesis:*:*:stream/<INTERNAL_STREAM_NAME>" ], "Action": [ "kinesis:PutRecord", "kinesis:DescribeStreamSummary", "kinesis:ListShards", "kinesis:PutRecords", "kinesis:GetShardIterator", "kinesis:GetRecords", "kinesis:DescribeStream", "kinesis:ListStreamConsumers" ] }` | This policy grants EC2 instances permission to interact with the Kinesis streams used by Cluster Synchronization services, such as the Key-Value Store and Distributed Locks. <INTERNAL_STREAM_NAME> is a user-configured value. |
| Internal Bucket | `{ "Effect": "Allow", "Resource": [ "arn:aws:s3:::<INTERNAL_BUCKET_NAME>", "arn:aws:s3:::<INTERNAL_BUCKET_NAME>/*" ], "Action": [ "s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:DeleteObject", "s3:GetObjectVersion" ] }` | This policy grants EC2 instances permission to store, read, and delete internal data. The internal data contains real user data that is held in intermediate storage for processing. <INTERNAL_BUCKET_NAME> is a user-configured value. |