Cloud Provider Requirements

Couchbase Cloud requires certain permissions and resource capacity within your cloud provider account in order to connect and deploy clusters.

Amazon Web Services (AWS)

Couchbase Cloud supports deploying clusters on Amazon Web Services (AWS).

Supported Regions

  • Americas

    AWS Region      Location
    us-east-1       US East (N. Virginia)
    us-east-2       US East (Ohio)
    us-west-2       US West (Oregon)
    ca-central-1    Canada (Central)

  • Europe

    AWS Region      Location
    eu-central-1    EU (Frankfurt)
    eu-west-1       EU (Ireland)
    eu-west-2       EU (London)
    eu-west-3       EU (Paris)
    eu-north-1      EU (Stockholm)

Required Permissions

This section describes the AWS permissions that are required for Couchbase Cloud to be able to deploy and manage clusters in your AWS account. You should verify that your AWS account has these permissions before attempting to connect clouds and deploy clusters.

  • The following permissions are required for rotating the access keys, and are locked to the user that is created by the CloudFormation stack:

    iam:DeleteAccessKey
    iam:ListAccessKeys
    iam:DeleteUser
  • The following permissions are required to create the networking infrastructure in a VPC, and are locked to the VPC:

    ec2:AuthorizeSecurityGroupEgress
    ec2:AuthorizeSecurityGroupIngress
    ec2:CreateRoute
    ec2:DeleteRouteTable
    ec2:DeleteSecurityGroup
    ec2:RevokeSecurityGroupEgress
    ec2:RevokeSecurityGroupIngress
    ec2:UpdateSecurityGroupRuleDescriptionsEgress
    ec2:UpdateSecurityGroupRuleDescriptionsIngress
    ec2:RunInstances
  • The following permissions are locked to the CloudFormation stack:

    cloudformation:DeleteStack
    cloudformation:DescribeStackEvents
    cloudformation:DescribeStackResources
    cloudformation:DetectStackDrift
    cloudformation:DetectStackResourceDrift
    cloudformation:GetTemplate
    cloudformation:ListStackResources
    cloudformation:UpdateStack
  • The following permissions are required to store Terraform state for all the cloud and cluster deployments. They are also used to store backups, and are locked to the main S3 bucket:

    s3:AbortMultipartUpload
    s3:DeleteObject
    s3:DeleteObjectTagging
    s3:DeleteObjectVersion
    s3:DeleteObjectVersionTagging
    s3:GetObject
    s3:GetObjectAcl
    s3:GetObjectLegalHold
    s3:GetObjectRetention
    s3:GetObjectTagging
    s3:GetObjectVersion
    s3:GetObjectVersionAcl
    s3:GetObjectVersionTagging
    s3:ListMultipartUploadParts
    s3:PutObject
    s3:PutObjectAcl
    s3:PutObjectLegalHold
    s3:PutObjectRetention
    s3:PutObjectTagging
    s3:PutObjectVersionAcl
    s3:PutObjectVersionTagging
    s3:RestoreObject
    s3:DescribeJob
    s3:UpdateJobPriority
    s3:UpdateJobStatus
  • The following permissions are required to store logs and support-related information about a connected cloud and cluster. These permissions are locked to the support bucket:

    s3:AbortMultipartUpload
    s3:DeleteObject
    s3:DeleteObjectTagging
    s3:DeleteObjectVersion
    s3:DeleteObjectVersionTagging
    s3:GetObject
    s3:GetObjectAcl
    s3:GetObjectLegalHold
    s3:GetObjectRetention
    s3:GetObjectTagging
    s3:GetObjectVersion
    s3:GetObjectVersionAcl
    s3:GetObjectVersionTagging
    s3:ListMultipartUploadParts
    s3:ListBucket
    s3:ListBucketVersions
    s3:PutObject
    s3:PutObjectAcl
    s3:PutObjectLegalHold
    s3:PutObjectRetention
    s3:PutObjectTagging
    s3:PutObjectVersionAcl
    s3:PutObjectVersionTagging
    s3:RestoreObject
    s3:DescribeJob
    s3:UpdateJobPriority
    s3:UpdateJobStatus
  • The following permissions are required to remove a user only from the Couchbase Cloud IAM group created via CloudFormation:

    iam:RemoveUserFromGroup
    iam:DeleteGroup
    iam:DeleteGroupPolicy
  • The following permissions are required to create Auto Scaling groups which contain the worker nodes for the EKS cluster:

    autoscaling:AttachInstances
    autoscaling:CreateAutoScalingGroup
    autoscaling:CreateLaunchConfiguration
    autoscaling:CreateOrUpdateTags
    autoscaling:DeleteAutoScalingGroup
    autoscaling:DeleteLaunchConfiguration
    autoscaling:DeleteTags
    autoscaling:Describe*
    autoscaling:DetachInstances
    autoscaling:SetDesiredCapacity
    autoscaling:UpdateAutoScalingGroup
    autoscaling:SuspendProcesses
    autoscaling:DescribeLaunchConfigurations
  • The following permissions are required to create the networking infrastructure in a VPC (Routing Tables, Subnets, Internet Gateway, NAT Gateway) and the EC2 instances under the Auto Scaling group:

    ec2:DescribeVpcs
    ec2:DescribeSubnets
    ec2:DescribeNetworkInterfaces
    ec2:DescribeAvailabilityZones
    ec2:AllocateAddress
    ec2:AssignPrivateIpAddresses
    ec2:Associate*
    ec2:AttachInternetGateway
    ec2:AttachNetworkInterface
    ec2:CreateDefaultSubnet
    ec2:CreateDhcpOptions
    ec2:CreateEgressOnlyInternetGateway
    ec2:CreateInternetGateway
    ec2:CreateNatGateway
    ec2:CreateNetworkInterface
    ec2:CreateRouteTable
    ec2:CreateSecurityGroup
    ec2:CreateSubnet
    ec2:CreateTags
    ec2:CreateVolume
    ec2:CreateVpc
    ec2:DeleteDhcpOptions
    ec2:DeleteEgressOnlyInternetGateway
    ec2:DeleteInternetGateway
    ec2:DeleteNatGateway
    ec2:DeleteNetworkInterface
    ec2:DeleteRoute
    ec2:DeleteSubnet
    ec2:DeleteTags
    ec2:DeleteVolume
    ec2:DeleteVpnGateway
    ec2:Describe*
    ec2:DetachInternetGateway
    ec2:DetachNetworkInterface
    ec2:DetachVolume
    ec2:Disassociate*
    ec2:ModifySubnetAttribute
    ec2:ModifyVpcAttribute
    ec2:ModifyVpcEndpoint
    ec2:ReleaseAddress
    ec2:UpdateSecurityGroupRuleDescriptionsEgress
    ec2:UpdateSecurityGroupRuleDescriptionsIngress
    ec2:CreateLaunchTemplate
    ec2:CreateLaunchTemplateVersion
    ec2:DeleteLaunchTemplate
    ec2:DeleteLaunchTemplateVersions
    ec2:DescribeLaunchTemplates
    ec2:DescribeLaunchTemplateVersions
    ec2:GetLaunchTemplateData
    ec2:ModifyLaunchTemplate
  • The following permissions are required to create the EKS clusters under the VPC and appropriately tag the resource:

    eks:CreateCluster
    eks:DeleteCluster
    eks:DescribeCluster
    eks:UpdateClusterVersion
    eks:ListClusters
    eks:TagResource
    eks:UpdateClusterConfig
    eks:DescribeUpdate
  • The following permissions are required to attach roles to all the EC2 instances so they have access to other AWS resources:

    iam:AddRoleToInstanceProfile
    iam:AttachRolePolicy
    iam:CreateInstanceProfile
    iam:CreatePolicy
    iam:CreatePolicyVersion
    iam:DeletePolicyVersion
    iam:CreateRole
    iam:CreateServiceLinkedRole
    iam:GetServiceLinkedRoleDeletionStatus
    iam:DeleteInstanceProfile
    iam:DeletePolicy
    iam:DeleteRole
    iam:DeleteRolePolicy
    iam:DeleteServiceLinkedRole
    iam:DetachRolePolicy
    iam:GetInstanceProfile
    iam:GetPolicy
    iam:GetPolicyVersion
    iam:GetRole
    iam:GetRolePolicy
    iam:List*
    iam:PassRole
    iam:PutRolePolicy
    iam:RemoveRoleFromInstanceProfile
    iam:UpdateAssumeRolePolicy
    iam:TagRole
    iam:UntagRole
    iam:ListInstanceProfilesForRole
    iam:ListAttachedRolePolicies
  • The following permissions are required to encrypt each cluster with its own KMS key:

    kms:GetPublicKey
    kms:Decrypt
    kms:UpdateKeyDescription
    kms:GetKeyPolicy
    kms:GenerateDataKeyWithoutPlaintext
    kms:Verify
    kms:ListResourceTags
    kms:ReEncryptFrom
    kms:GetParametersForImport
    kms:DescribeCustomKeyStores
    kms:ListKeys
    kms:GetKeyRotationStatus
    kms:Encrypt
    kms:ScheduleKeyDeletion
    kms:ListAliases
    kms:ReEncryptTo
    kms:DescribeKey
    kms:CreateKey
    kms:UntagResource
    kms:TagResource
  • The following permissions are required so that Terraform can save state for connected clouds and deployed clusters:

    s3:ListAllMyBuckets
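
To verify that an account actually grants the actions listed above before connecting a cloud, the following Python script, added here as an example and not part of the Couchbase documentation or tooling, evaluates an IAM policy document against a required-action list. Both the policy and the required list are constructed samples (the list is a small subset of the actions named above, grouped as the page groups them). The script resolves wildcard actions of the kind that appear on this page (such as autoscaling:Describe* and iam:List*) using IAM's case-insensitive matching and explicit-deny-wins rule, reports required actions that are missing or denied, and flags actions that are granted only on Resource "*" in a group the page says is locked to a single bucket, stack or VPC. Conditions, NotAction and resource-level matching are out of scope.

```python
import fnmatch
import json

# Constructed sample policy (assumption: what an operator would export from the
# account being checked; it is not the policy from the CloudFormation stack).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:CreateVpc", "ec2:CreateSubnet"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["autoscaling:Describe*", "autoscaling:CreateAutoScalingGroup"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-state-bucket/*"},
        {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DeleteVolume", "Resource": "*"},
    ],
})

# A small subset of the actions the page lists, grouped as the page groups them.
# The boolean marks groups the page says are locked to one resource.
REQUIRED = {
    "ec2 networking": (False, ["ec2:DescribeVpcs", "ec2:CreateVpc",
                               "ec2:CreateSubnet", "ec2:DeleteVolume"]),
    "autoscaling": (False, ["autoscaling:DescribeAutoScalingGroups",
                            "autoscaling:CreateAutoScalingGroup",
                            "autoscaling:SetDesiredCapacity"]),
    "terraform state bucket": (True, ["s3:GetObject", "s3:PutObject",
                                      "s3:DeleteObject"]),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_action(policy, action):
    """Decide one action against a single identity policy.

    Returns (verdict, resources): verdict is 'allow', 'deny' or 'missing'.
    Matching is case-insensitive with IAM's '*' and '?' wildcards, and an
    explicit Deny overrides any Allow, as IAM evaluates it. Conditions,
    NotAction and resource-level matching are deliberately not modelled.
    """
    resources, denied = [], False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                resources.extend(_as_list(stmt.get("Resource", [])))
    if denied:
        return "deny", []
    return ("allow" if resources else "missing"), resources


def check_required(policy_json, required=REQUIRED):
    """Return {group: {action: status}} with status 'allow', 'deny', 'missing'
    or 'allow-unscoped' (granted on Resource '*' in a group the page locks
    to a single resource)."""
    policy = json.loads(policy_json)
    report = {}
    for group, (locked, actions) in required.items():
        report[group] = {}
        for action in actions:
            verdict, resources = evaluate_action(policy, action)
            if verdict == "allow" and locked and "*" in resources:
                verdict = "allow-unscoped"
            report[group][action] = verdict
    return report


def problems(policy_json, required=REQUIRED):
    """Sorted list of (action, status) for everything that is not a clean allow."""
    report = check_required(policy_json, required)
    return sorted((a, s) for grp in report.values() for a, s in grp.items()
                  if s != "allow")


if __name__ == "__main__":
    for group, results in check_required(SAMPLE_POLICY).items():
        print(group)
        for action, status in results.items():
            print(f"  {status:15} {action}")
```

Run against a policy exported from the account, the `problems` list is what needs fixing before connecting: a missing or denied action will make the deployment fail, while an unscoped grant in a "locked to" group works but is wider than the page describes.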

Required Quotas

This section describes the AWS quotas and limits that can affect the proper functioning of Couchbase Cloud in your AWS account. You should verify that the current quotas set for your account can accommodate your expected usage of Couchbase Cloud, and make any necessary increases to those quotas before connecting clouds and deploying clusters.

VPCs per Region

It is recommended that you increase your AWS account’s quota for VPCs per Region (the default quota is five).

Each connected cloud creates one VPC in a given Region. This means that if you keep the default quota, then the maximum number of connected clouds you can have in each Region is four. (This is assuming that you are not running any other VPCs in the Region and have not deleted the default VPC.)

If you try to connect a new cloud in a Region that has already reached its VPC quota, then the connection will fail. (Note that existing, successfully connected clouds will not be affected if you reach the VPC quota in a Region.)

To increase your AWS account’s quota for VPCs per Region, you will need to open a support case with AWS to request a service limit increase. Ensure that you request a quota that can accommodate the maximum number of connected clouds (as well as any other VPCs) that you plan to have in a given Region of the same AWS account.

VPC Elastic IP Addresses per Region

It is recommended that you increase your AWS account’s quota for VPC Elastic IP addresses per Region (the default quota is five).

Couchbase Cloud requires three Elastic IP addresses (EIPs) per connected cloud. This means that if you keep the default quota, you may encounter errors when connecting more than one cloud per Region. (This is assuming that you are not running any other VPCs that are consuming more of the EIP quota.)

To increase your AWS account’s quota for VPC EIPs per Region, you will need to open a support case with AWS to request a service limit increase. Ensure that you request a quota that can accommodate the maximum number of connected clouds (as well as any other VPCs) that you plan to have in a given Region of the same AWS account. Since three VPC EIPs are required per connected cloud, a convenient way to calculate this quota is to take the VPCs per Region quota and multiply it by three. So if your VPCs per Region quota is 20, then you should request that your VPC EIPs per Region quota be increased to 60.

Classic Load Balancers per Region

It is recommended that you increase your AWS account’s quota for Classic Load Balancers per Region (the default quota is 20).

Couchbase Cloud requires n+1 Classic Load Balancers per cluster, where n is the number of nodes in the cluster. This means that if you keep the default quota, the maximum number of clusters you can have in a single Region, across all connected clouds, is ten 1-node development clusters, or five 3-node production clusters.

To increase your AWS account’s quota for Classic Load Balancers per Region, you will need to request a service quota increase. Ensure that you request a quota that can accommodate the maximum number of clusters and nodes that you plan to have in a given Region of the same AWS account. It’s recommended that you err on the side of having a higher quota than you think you might need in case you encounter unforeseen events that require you to rapidly scale out clusters and/or deploy your own resources that require Classic Load Balancers.
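
The three quotas above follow fixed rules, so the values to request can be derived from a deployment plan rather than guessed. As an added example (not from the Couchbase documentation or tooling), the following Python planner encodes only the rules stated above: one VPC and three Elastic IPs per connected cloud, n+1 Classic Load Balancers per cluster of n nodes, and the default VPC counting against the VPC quota unless it has been deleted. It turns a plan into the minimum quota values a Region needs and lists the quotas a default account would already exceed. The plan and the counts of unrelated resources are constructed inputs.

```python
# Defaults as stated on the page.
DEFAULT_QUOTAS = {"vpcs": 5, "eips": 5, "classic_lbs": 20}
EIPS_PER_CLOUD = 3


def required_quotas(clouds, cluster_node_counts, other_vpcs=0, other_eips=0,
                    other_lbs=0, default_vpc_present=True):
    """Minimum quota values one Region needs for the plan.

    clouds:              connected clouds planned in the Region (one VPC each)
    cluster_node_counts: node count of every cluster planned in the Region,
                         across all connected clouds
    other_*:             unrelated VPCs, EIPs and Classic LBs already in the
                         Region (constructed inputs; the page only notes that
                         other VPCs consume quota, not how much)
    """
    vpcs = clouds + other_vpcs + (1 if default_vpc_present else 0)
    eips = EIPS_PER_CLOUD * clouds + other_eips
    lbs = sum(n + 1 for n in cluster_node_counts) + other_lbs
    return {"vpcs": vpcs, "eips": eips, "classic_lbs": lbs}


def quota_shortfalls(required, current=DEFAULT_QUOTAS):
    """{quota: (required, current)} for every quota the plan would exceed."""
    return {k: (required[k], current[k])
            for k in required if required[k] > current[k]}


def max_connected_clouds(vpc_quota, other_vpcs=0, default_vpc_present=True):
    """Connected clouds that fit under a VPC quota (four under the default of five)."""
    return vpc_quota - other_vpcs - (1 if default_vpc_present else 0)


def max_clusters_under_lb_quota(nodes_per_cluster,
                                lb_quota=DEFAULT_QUOTAS["classic_lbs"]):
    """Equal-sized clusters that fit under the Classic LB quota
    (ten 1-node or five 3-node clusters under the default of 20)."""
    return lb_quota // (nodes_per_cluster + 1)


def eip_quota_for_vpc_quota(vpc_quota):
    """The page's rule of thumb: request three EIPs for every VPC in the VPC quota."""
    return EIPS_PER_CLOUD * vpc_quota


if __name__ == "__main__":
    # Constructed plan: two connected clouds, two 3-node production clusters and
    # one 1-node development cluster in one Region, nothing else in the account.
    plan = required_quotas(clouds=2, cluster_node_counts=[3, 3, 1])
    print("required:", plan)
    print("increase before connecting:", quota_shortfalls(plan))
```

With the constructed plan the VPC and Classic Load Balancer defaults are sufficient, but the second connected cloud already needs six EIPs against a default of five, which matches the warning above that more than one cloud per Region can fail under the default EIP quota.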

Additional Requirements

  • AWS Security Token Service (STS) must be active for the Region you select. If STS is not active, the CloudFormation stack will still deploy, but Couchbase Cloud will fail to connect to it.