AWS Setup
This setup is only required if you need to provision and manage Rumi private clouds in AWS. If you're only working with local deployments, you can skip this section.
Overview
To deploy Rumi private clouds in AWS, you'll need:
AWS credentials with appropriate permissions
The AWS CLI v2 installed on your machine
An AWS CLI profile configured for the Rumi CLI to use
Your AWS Account: Rumi uses your own AWS account and credentials. You maintain full control over your AWS infrastructure, resources, and costs. Rumi never has access to your AWS credentials or account.
AWS Authentication Methods
The Rumi CLI supports multiple AWS authentication methods. You can use whichever method best fits your organization's security policies:
IAM User Credentials (Access Key ID and Secret Access Key) - Most common for individual developers
IAM Identity Center (SSO) - For organizations using centralized identity management
Cross-Account Roles - For accessing AWS accounts across organizational boundaries
EC2 Instance Profiles - For running the CLI from EC2 instances
Other AWS credential chain methods - Any method supported by the AWS SDK
This guide focuses on the most common method: IAM User Credentials. For other authentication methods, consult the AWS CLI Configuration Documentation.
Install the AWS CLI
Install the AWS CLI v2 by following the official installation guide:
Verify AWS CLI Installation
After installation, verify the AWS CLI is available:
You should see output similar to:
Configure Your AWS Profile (IAM User Method)
This section covers the most common authentication method: IAM user credentials.
Prerequisites
You'll need AWS credentials with specific permissions to provision and manage Rumi private clouds.
Required AWS Permissions:
The following IAM policy grants the necessary permissions:
These permissions are used for:
EC2 (including VPC) - Creating and managing virtual machines, networking (VPCs, subnets, security groups), and storage volumes for the private cloud infrastructure
Route53 - Managing DNS records for private cloud endpoints
Getting Credentials:
Your AWS administrator should:
Create an IAM user for you (or assign you an IAM Identity Center user)
Attach the policy above to your user or role
Generate access credentials (Access Key ID and Secret Access Key for IAM users)
Provide you with the credentials
You'll need:
AWS Access Key ID
AWS Secret Access Key
Create an AWS Profile
Open a terminal and run the following command to create a profile for Rumi:
You'll be prompted to enter your credentials and preferences:
You can use any profile name (not just "rumi"). You'll specify the profile name when provisioning private clouds with the --profile parameter.
Region Selection:
Choose the AWS region where you want to provision Rumi private clouds
Common choices: us-east-1, us-west-2, eu-west-1
You can override the default region per deployment using the --region parameter
Verify Your Profile
Test that your profile is configured correctly by running:
You should see output similar to:
If you see this output with your user information, your AWS profile is set up correctly.
Setup complete! You're now ready to provision and manage Rumi private clouds in AWS using the Rumi CLI.
Using IAM Identity Center (SSO)
If your organization uses AWS IAM Identity Center (formerly AWS SSO), you can configure SSO authentication instead of using IAM user credentials.
Configure SSO Profile
Follow the prompts to:
Enter your SSO start URL
Choose your SSO region
Authenticate via your browser
Select the AWS account and role
Name your profile (e.g., "rumi-sso")
Use SSO Profile with Rumi CLI
When provisioning, specify your SSO profile:
Important: Before running Rumi CLI commands, ensure your SSO session is active:
Multiple Profiles
You can configure multiple AWS profiles for different accounts or roles:
When provisioning, specify which profile to use:
Troubleshooting
Profile Not Found Error
If you receive a "profile not found" error when running commands, verify your profile exists:
You should see your profile name (e.g., rumi) in the list.
Permission Denied Errors
If you encounter permission errors when provisioning private clouds:
Verify your credentials are valid:
Check your IAM user has the required permissions:
Your AWS administrator should verify that the IAM policy shown in the Prerequisites section is attached to your user or role
Required permissions: ec2:* and route53:*
Contact your AWS administrator to verify and attach the necessary permissions
Credential Expiration (SSO/Temporary Credentials)
If using IAM Identity Center or temporary credentials and you see authentication errors:
Region Not Available
If you receive errors about services not being available in your region:
Verify the region supports the required AWS services
Try a different region (e.g., us-east-1)
Override region when provisioning:
Security Best Practices
Credential Storage
AWS credentials are stored in ~/.aws/credentials
This file should have restricted permissions: chmod 600 ~/.aws/credentials
Never commit this file to version control
Credential Rotation
Regularly rotate your IAM user access keys
If using temporary credentials (SSO, assumed roles), they expire automatically
Monitor AWS CloudTrail for unauthorized API calls
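The storage and rotation checks above can be scripted. The following is an added example, not part of the Rumi documentation or CLI: it checks the mode of a shared credentials file, whether git tracks it, and which profiles hold long-lived IAM user keys (AKIA prefix with no session token). The function names and the sample profile values are assumptions made for illustration.

```bash
# Added example (not from the Rumi docs): audit an AWS shared credentials file.
# Octal permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Profiles holding long-lived IAM user keys: AKIA prefix and no session token.
# Temporary credentials (SSO, assumed roles) use ASIA plus aws_session_token.
static_key_profiles() {
  awk '
    function emit() { if (profile != "" && key ~ /^AKIA/ && !token) print profile }
    /^[ \t]*\[/ { emit(); sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
                  profile = $0; key = ""; token = 0; next }
    /^[ \t]*aws_access_key_id[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); key = $0 }
    /^[ \t]*aws_session_token[ \t]*=/ { token = 1 }
    END { emit() }
  ' "$1"
}

# Returns 0 when the file passes, 1 on a finding, 2 when the file is missing.
audit_aws_credentials() {
  local file="${1:-$HOME/.aws/credentials}" rc=0 mode profiles
  [ -f "$file" ] || { echo "MISSING $file"; return 2; }
  mode="$(file_mode "$file")"
  # Any group/other bit means other local accounts can read or replace the keys.
  case "$mode" in
    [0-7]00) echo "OK    mode $mode" ;;
    *)       echo "FAIL  mode $mode; run: chmod 600 $file"; rc=1 ;;
  esac
  # A tracked credentials file ends up in every clone of the repository.
  if git -C "$(dirname "$file")" ls-files --error-unmatch \
       "$(basename "$file")" >/dev/null 2>&1; then
    echo "FAIL  $file is tracked by git"; rc=1
  fi
  profiles="$(static_key_profiles "$file" | tr '\n' ' ')"
  [ -z "$profiles" ] || echo "NOTE  long-lived keys to rotate in: $profiles"
  return "$rc"
}

# Constructed sample (placeholder values, not real keys) for an offline run.
write_sample() {
  cat > "$1" <<'EOF'
[rumi]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = EXAMPLE-PLACEHOLDER-NOT-A-SECRET
[rumi-sso]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = EXAMPLE-PLACEHOLDER-NOT-A-SECRET
aws_session_token = EXAMPLE-PLACEHOLDER-TOKEN
EOF
}
```

Called with no argument, audit_aws_credentials checks ~/.aws/credentials; its non-zero exit status on a finding lets it gate a login script or a pre-commit hook.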
Least Privilege
Request only the minimum AWS permissions needed for Rumi private cloud deployments
Use separate credentials for development vs production deployments
Consider using IAM roles with time-limited access
Multi-Factor Authentication (MFA)
Enable MFA on your IAM user for additional security
If MFA is required, you'll need to use temporary credentials:
Next Steps
Now that your AWS access is configured:
Return to installation — Complete CLI setup in Installation
Learn about private clouds — Read Cloud Commands to understand Rumi's private cloud model
Browse commands — See CLI Commands for detailed command reference
Last updated: 2025-01-04