cortex env configure local)
subnet_visibility: privatein your cluster configuration file before creating your cluster. If private subnets are used, instances will not have public IP addresses, and Cortex will create a NAT gateway to allow outgoing network requests.
cortexCLI connects to). The operator validates that the CLI user is an active IAM user in the same AWS account as the Cortex cluster (see below). Therefore it is usually unnecessary to configure the operator's load balancer to be private, but this can be done by by setting
operator_load_balancer_scheme: internalin your cluster configuration file. If you do this, you will need to configure VPC Peering to allow your CLI to connect to the Cortex operator (this will be necessary to run any
AdministratorAccesspolicy to your IAM user will make getting started much easier. If you would like to limit IAM permissions, continue reading.
--aws-secretflags with the command
cortex cluster upto indicate the credentials that will be used to create your cluster. Optionally, you can specify
--cluster-aws-secretto specify credentials which will be used by the cluster. When all four flags are specified, the credentials used when spinning up the cluster will not be used by the cluster itself. If
--cluster-aws-secretflags are not specified, then they'll get set to the values of
AWS_SECRET_ACCESS_KEYwhich will be used to create your cluster. Optionally, you can export
CLUSTER_AWS_SECRET_ACCESS_KEYto specify credentials which will be used by the cluster. When all four environment variables are set, the credentials used when spinning up the cluster will not be used by the cluster itself. If
CLUSTER_AWS_SECRET_ACCESS_KEYenvironment variables are not set, then they'll get set to the values of
aws configurewhich will then be used to create your cluster.
"aws access key id"and
"aws secret access key"at the CLI's prompt when requested.
AdministratorAccesspolicy to create your cluster, since the CLI requires many permissions for this step, and the list of permissions is evolving as Cortex adds new features. If it is not possible to use
AdministratorAccessin your existing AWS account, you could create a separate AWS account for your Cortex cluster, or you could ask someone within your organization to create the Cortex cluster for you (since
AdministratorAccessis not required to deploy APIs to your cluster; see CLI below).
$CLUSTER_AWS_ACCESS_KEY_ID) if specified, otherwise it will default to using the credentials used to spin up the cluster (e.g.
cortex env configure ENVIRONMENT_NAMEcommand (e.g.
cortex env configure aws).
cortex clustercommands from different IAM users
cortex cluster *commands can only be executed by the IAM user who created the Cortex cluster. To grant access to additional IAM users, follow these steps:
aws iam get-useron a machine that is authenticated as the IAM user (or
AWS_ACCESS_KEY_ID=*** AWS_SECRET_ACCESS_KEY=*** aws iam get-useron any machine, using the credentials of the IAM user). The ARN should look similar to