Amazon Web Services (AWS)

Qovery lets you quickly deploy applications to your Amazon Web Services (AWS) account. No knowledge needed, and it takes less than 20 minutes to install Qovery on your AWS account.

Do you want to know more about how Qovery works on your AWS account? Here is explained how Qovery works under the hood.

Getting started

Before you begin, this page assumes the following:

• You have a Qovery account
• You have created an Organization
• You have an AWS account

Connect your AWS account

To link your AWS account to Qovery you need to provide an AWS access key id and secret access key with the required IAM permissions.

You can link more than one AWS account. Qovery also support multiple Cloud providers within the same Organization. Meaning, you can balance your workload on different Cloud providers. Read more.

Create your AWS credentials - access key id and secret access key

1. Connect to your AWS console

2. Go to IAM

   

3. Create Admins group without any permissions

   The default name required by Qovery is Admins. If you want to use another name, you have to change the cluster advanced settings aws.iam.admin_group BEFORE launching the cluster installation process

   

4. Create one IAM user called qovery.

   

5. Setup IAM permissions to the qovery user.

   Download IAM permissions JSON

   ---

   Or copy it from below:

   {
       "Statement": [
           {
               "Action": [
                   "dynamodb:*",
                   "iam:*",
                   "ec2:*",
                   "autoscaling:*",
                   "application-autoscaling:*",
                   "elasticloadbalancing:*",
                   "ecr:*",
                   "ecs:*",
                   "eks:*",
                   "rds:*",
                   "elasticache:*",
                   "kms:*",
                   "logs:*",
                   "cloudwatch:*",
                   "cloudtrail:LookupEvents",
                   "events:DescribeRule",
                   "events:DeleteRule",
                   "events:ListRuleNamesByTarget",
                   "events:ListTargetsByRule",
                   "events:PutRule",
                   "events:PutTargets",
                   "events:RemoveTargets",
                   "es:AddTags",
                   "es:RemoveTags",
                   "es:ListTags",
                   "es:DeleteElasticsearchDomain",
                   "es:DescribeElasticsearchDomain",
                   "es:CreateElasticsearchDomain",
                   "s3:*",
                   "tag:GetResources"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ],
       "Version": "2012-10-17"
   }

   Then, follow the arrows in AWS console to create AWS credentials with required IAM permissions:

   

6. To create an access key id and secret access key, go to the Security Credentials tab of the Qovery user and press Create access key

   

   You can now save the access key id and secret access key

   

How was it? Did this tutorial work?  Yes  No

Well done!! You now have your AWS access key id and secret access key and your permissions are setups; It is time to connect Qovery to your AWS account.

Install a new cluster on Qovery

You will be able to use the credentials you just generated when creating a cluster via the Qovery console. This cluster will be linked to your Qovery organization. Follow this documentation to create a new cluster on your organization.

Deployed AWS components

Network Services	Optional	Description
A dedicated multi AZ VPC	no	Everything Qovery will deploy, will be deployed inside this VPC
Subnets, routing tables, subnet groups and security groups for RDS (multi AZ)	no	Dedicated network fand security rules for RDS
Subnets, routing tables, subnet groups and security groups for DocumentDB (multi AZ)	no	Dedicated network fand security rules for DocumentDB
Subnets, routing tables, subnet groups and security groups for Elasticache (multi AZ)	no	Dedicated network fand security rules for Elasticache
An internet gateway for the VPC	no	Required to let containers having access to Internet
Dedicated NLB to redirect 443 traffic to Nginx Ingress	no	High Availability network load balancer, pointing to Nginx Ingress inside EKS
NAT gateways (multi AZ) + EIP addresses (multi AZ) + subnet groups + routing table	yes	Useful to get outgoing static IP
Dedicated VPC routes for VPC peering	yes	Useful to perform VPC peering with others VPC on the same or different account

Kubernetes Services	Optional	Description
A dedicated EKS cluster (multi AZ) for this VPC	no	Dedicated Kubernetes cluster managed by AWS with nodes (instances type) defined by the customer
IAM dedicated user for AWS EBS CSI to access EC2 volumes + a dedicated policy	no	Required to allow EKS cluster having access to volume and mount them to containers
IAM dedicated user for AWS IAM User Sync + a dedicated policy	no	Required to sync desired IAM account to EKS to let them connect directly ot Kubernetes
IAM dedicated user for a Cluster Autoscaler+ a dedicated policy	no	Required to let autoscaler having access to EC2 autoscaling groups
IAM dedicated policies for AWS EKS CNI, EC2 container registry + EKS worker nodes	no	Required to let EKS having access to container registry and configure the Kubernetes network
Security group for EKS remote access (dual authentication: TLS + IAM authenticator)	no	Required to have a secure remote access on the Kubernetes cluster
Security group for 443 port pointing to Nginx ingress inside EKS	no	External access to web services inside the Kubernetes cluster

Other Services	Optional	Description
Cloudwatch log groups for the EKS cluster	no	Kubernetes logs, useful for the AWS and EKS support to diagnose an issue
Dedicated S3 bucket for application's logs + a dedicated IAM account	no	Application's logs are stored in an KMS encrypted S3 pivate bucket
Dedicated S3 bucket to store the kubeconfig	no	Kubernetes Kubeconfig is stored in an KMS encrypted, private and versionned bucket, used by Qovery for application's deployment

Remove Qovery from your AWS account

Your applications and your data will be deleted.

To delete Qovery from your AWS account you must be the owner of the Qovery Organization and you have to delete everything in this order:

• Environments
• Clusters

If you remove the access to your AWS account before deleting all the resources on the Qovery platform, you will have to manually delete them by yourself by following the guide "I don't have Qovery access anymore, how could I delete Qovery deployed resources on my AWS account?" in this section.

IAM permissions

Qovery required IAM permissions to create, update and managed the infrastructure.

• IAM is used to create IAM roles
• S3 is used to store our generated configuration files
• Cloudwatch, for creating a group stream for each Kubernetes clusters
• Autoscaling for RDS and autoscaling rules for the Kubernetes cluster
• Elastic load-balancing for ELB / ALB / NLB.
• DynamoDB to have a distributed lock on infrastructure deployment.
• ECR for managing the container registry, create/update/delete repository.
• KMS to load and store keys (RDS, SSH, …)
• EKS to create and update the Kubernetes cluster.

Minimum IAM permission set

Last update: 2023-06-08

This is purely informative and we strongly recommend you to NOT use this configuration within your IAM permissions since it might not reflect the latest product update. Please use the one provided in the section above.

Below you can find the minimum permission set required by Qovery to run and deploy your applications.

Policies lengths are limited regarding which object they’re attached to but the one Qovery needs represent more than the maximum (~6000 characters).

In order to setup it up, you need to create two IAM groups, each one with one of the following policies.

Then we must create a user added to each of the previously created groups.

Once it’s done, the user’s access key and secret key can be used in Qovery.

{
    "Version": "2023-06-08",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:SuspendProcesses",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AttachVolume",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateKeyPair",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:CreateNatGateway",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteKeyPair",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteNatGateway",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVolume",
                "ec2:DeleteVpc",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DetachVolume",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ImportKeyPair",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:CreateRepository",
                "ecr:DeleteRepository",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:PutLifecyclePolicy",
                "ecr:TagResource",
                "ecr:UploadLayerPart",
                "eks:CreateAddon",
                "eks:CreateCluster",
                "eks:CreateNodegroup",
                "eks:DeleteAddon",
                "eks:DeleteCluster",
                "eks:DeleteNodegroup",
                "eks:DescribeAddon",
                "eks:DescribeCluster",
                "eks:DescribeNodegroup",
                "eks:DescribeUpdate",
                "eks:ListClusters",
                "eks:ListNodegroups",
                "eks:TagResource",
                "eks:UpdateAddon",
                "eks:UpdateClusterConfig",
                "eks:UpdateClusterVersion",
                "eks:UpdateNodegroupConfig",
                "eks:UpdateNodegroupVersion",
                "elasticache:AddTagsToResource",
                "elasticache:CreateCacheSubnetGroup",
                "elasticache:CreateReplicationGroup",
                "elasticache:DeleteCacheSubnetGroup",
                "elasticache:DeleteReplicationGroup",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticache:ListTagsForResource",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2023-06-08",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:CreateAccessKey",
                "iam:CreateInstanceProfile",
                "iam:CreateOpenIDConnectProvider",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:CreateServiceLinkedRole",
                "iam:CreateUser",
                "iam:DeleteAccessKey",
                "iam:DeleteInstanceProfile",
                "iam:DeleteOpenIDConnectProvider",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteUser",
                "iam:DeleteUserPolicy",
                "iam:DetachRolePolicy",
                "iam:DetachUserPolicy",
                "iam:GetInstanceProfile",
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:PutUserPolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:TagInstanceProfile",
                "iam:TagOpenIDConnectProvider",
                "iam:TagRole",
                "iam:TagUser",
                "kms:CreateGrant",
                "kms:CreateKey",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListResourceTags",
                "kms:PutKeyPolicy",
                "kms:ScheduleKeyDeletion",
                "kms:TagResource",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:ListTagsLogGroup",
                "logs:PutRetentionPolicy",
                "logs:TagLogGroup",
                "rds:AddTagsToResource",
                "rds:CreateDBCluster",
                "rds:CreateDBInstance",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:DeleteDBCluster",
                "rds:DeleteDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeGlobalClusters",
                "rds:ListTagsForResource",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:StartDBCluster",
                "rds:StartDBInstance",
                "rds:StopDBCluster",
                "rds:StopDBInstance",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteBucketPolicy",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPolicy",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:GetReplicationConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:ListMultiRegionAccessPoints",
                "s3:ListMultipartUploadParts",
                "s3:ListStorageLensConfigurations",
                "s3:PutBucketAcl",
                "s3:PutBucketOwnershipControls",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketTagging",
                "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutObject",
                "s3:PutObjectRetention",
                "secretsmanager:CreateSecret",
                "secretsmanager:TagResource",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}

Regions

Qovery supports the following AWS regions:

	name	description	supported
🇺🇸	us-west-2	US West (Oregon)	Yes
🇺🇸	us-east-2	US East (Ohio)	Yes
🇺🇸	us-east-1	US East (N. Virginia)	Yes
🇺🇸	us-west-1	US West (N. California)	No (Only 2 Availability Zone)
🇿🇦	af-south-1	Africa (Cape Town)	Yes
🇭🇰	ap-east-1	Asia Pacific (Hong Kong)	Yes
🇮🇳	ap-south-1	Asia Pacific (Mumbai)	Yes
🇯🇵	ap-northeast-1	Asia Pacific (Tokyo)	Yes
🇰🇷	ap-northeast-2	Asia Pacific (Seoul)	Yes
🇯🇵	ap-northeast-3	Asia Pacific (Osaka)	Yes
🇸🇬	ap-southeast-1	Asia Pacific (Singapore)	Yes
🇦🇺	ap-southeast-2	Asia Pacific (Sydney)	Yes
🇨🇦	ca-central-1	Canada (Toronto)	Yes
🇨🇳	cn-north-1	China (Beijing)	Yes
🇨🇳	cn-northwest-1	China (Ningxia)	Yes
🇩🇪	eu-central-1	Europe (Frankfurt)	Yes
🇮🇪	eu-west-1	Europe (Ireland)	Yes
🏴󠁧󠁢󠁥󠁮󠁧󠁿	eu-west-2	Europe (London)	Yes
🇫🇷	eu-west-3	Europe (Paris)	Yes
🇮🇹	eu-south-1	Europe (Milan)	Yes
🇸🇪	eu-north-1	Europe (Stockholm)	Yes
🇧🇭	me-south-1	Middle East (Bahrain)	Yes
🇧🇷	sa-east-1	South America (São Paulo)	Yes

Qovery supports regions where Amazon EKS is supported.

Manually configure VPC subnet

VPC subnet is automatically defined by Qovery on cluster creation. However, you may want to choose your own VPC subnet, for example to perform VPC Peering.

If you want to perform VPC Peering with Qovery, please refer to our guide VPC Peering with Qovery to be assisted step by step.

Have a look at [this section][docs.using-qovery.configuration.clusters#custom-vpc-subnet]] to know more on how to set the VPC Subnet.

Configure routing table

You may want to create and edit a network routing table to perform VPC peering. This can be done by accessing to the parameters of a cluster, in the settings of your organization.

If you want to perform VPC Peering with Qovery, please refer to our guide VPC Peering with Qovery to be assisted step by step.

Have a look at [this section][docs.using-qovery.configuration.clusters#network]] to know more on how to set the routing table.

How Qovery works on AWS

Qovery is an abstraction layer on top of AWS and Kubernetes. Qovery manages the configuration of AWS account, and helps you to deploy production ready apps in seconds. To make it works, Qovery rely on Kubernetes for stateless apps (containers), and AWS for stateful apps (databases, storage...).

Read more on how Qovery works behind the scene.

Kubernetes

The first time you set up your AWS account, Qovery creates a Kubernetes cluster in your chosen region. Qovery managed it for you - no action required. It takes ~15 minutes to configure and bootstrap a Kubernetes cluster. Once bootstrapped, your Kubernetes cluster runs the Qovery app and is ready to deploy your applications.

Managed services

AWS provides managed services for PostgreSQL, MySQL, Redis, MongoDB. Qovery gives you access to those services when you set the environment mode to Production. In Development mode, Qovery provides containers equivalent, which is cheaper and faster to start.

Security and compliance

Qovery runs your Kubernetes cluster and is autonomous to manage your applications, which means:

• Your configuration are stored on your AWS account.
• Your configuration is encrypted on your AWS account.
• Qovery can't access to your data.
• Suppose Qovery stops to run, your applications are not impacted.

FAQ

How to choose a region?

Different datacenters are located in different geographic areas, and you may want to keep your site physically close to the bulk of your user base for reduced latency.

I don't find a region that is provided by AWS

We are probably testing the support of this region, please contact us to know what's the status

Migrate between Cloud providers and regions

Today, you can't migrate an environment from one region to another after it has been created. Vote here if you need this feature.