
AWS

Deployment instructions for NannyML Cloud on AWS
NannyML Cloud is available on the AWS marketplace as a helm chart that can be installed on a Kubernetes cluster. This page provides deployment instructions and describes configuration options for customizing your NannyML Cloud instance.

Prerequisites

Before deploying NannyML Cloud, you will need to prepare:
  • An Amazon EKS cluster
    • The AWS documentation provides a step-by-step guide to create a cluster if you don't have one yet.
    • You are free to choose the node size, but we recommend at least 2 nodes of instance type t3.large or t3a.large.
    • The cluster can be shared with other applications if desired.
  • Amazon EBS CSI driver on the cluster
    • The databases used by NannyML Cloud are run inside of the cluster. Data is persisted in Elastic Block Storage.
Just want to try things out using the default configuration? Use our quick start instructions to set up a cluster.

AWS Marketplace subscription

To access NannyML Cloud, you will need to subscribe to one of our offers on the AWS marketplace. Currently we provide two offers:
  • NannyML Cloud Trial: NannyML Cloud configured to use a 30-day pro trial license. It is free to subscribe and use, but once the trial license expires you will need to purchase a license to continue using the software.
  • NannyML Cloud: NannyML Cloud using a contract license model. To subscribe you need to purchase a license in the AWS marketplace.
To get started, click the Continue to Subscribe button on the offer of your choice.
Subscription page on AWS Marketplace

Configure license

If you've opted for the NannyML Cloud offer with free trial, you can skip this step. Otherwise you will be shown a contract page where you can configure your license by specifying the number of units you want to purchase:
  • Pro license: the license required to run NannyML Cloud. One license is required for each instance of NannyML Cloud you want to run. See our pricing table to understand what's included.
  • Extra models: the pro license includes capacity for monitoring 10 models. If you want to monitor more models, enter the number of additional model monitoring licenses you want to purchase. These licenses are floating, meaning if you have 2 NannyML Cloud instances, they can both use the available licenses as models are added to the application.
Don't know yet how many models you will need? Don't fret, you can always come back and edit your license in the AWS marketplace or add a new license contract.
We advise renewing your license automatically every month. Should you choose not to, your NannyML Cloud instances will stop working when the licenses expire. You can then purchase a new license to restore your existing NannyML Cloud instances.
Contract page on AWS Marketplace
Pricing displayed above is for demonstration purposes. Consult our pricing table for actual pricing.

Identify software version

Select the Helm chart option for NannyML Cloud and find the software version you wish to use. We recommend using the latest version available for the best user experience. Then follow the instructions in launching the software to create your NannyML Cloud instance.
Configuration page on the AWS Marketplace

Launching the software

Step 1: Create an AWS IAM role and Kubernetes service account

To deploy NannyML Cloud from AWS Marketplace, you need to create a Kubernetes service account with appropriate IAM permissions for communicating with AWS License Manager. On start-up the software attempts to acquire a license from AWS. If no license is available, the software will fail to start.
To set up the service account you'll need to execute these steps:
  • Create an IAM role with the AWS-managed IAM policy.
  • Create a K8s service account named nannyml-cloud-service-account in your Amazon EKS cluster.
  • Set up a trust relationship between the created IAM role and nannyml-cloud-service-account.
  • Modify the nannyml-cloud-service-account annotation to associate it with the created IAM role.
Your Amazon EKS cluster needs to have an IAM OIDC provider enabled to associate a Kubernetes service account with an IAM role. If you've installed the Amazon EBS CSI driver prerequisite this should already be enabled. See Creating an IAM OIDC provider for your cluster for more information.
We recommend doing this via eksctl. The command below automates these steps (remember to replace the placeholder with your actual Amazon EKS cluster name).
eksctl create iamserviceaccount \
--name nannyml-cloud-service-account \
--namespace nannyml-cloud \
--cluster <ENTER_YOUR_CLUSTER_NAME_HERE> \
--attach-policy-arn arn:aws:iam::aws:policy/service-role/AWSLicenseManagerConsumptionPolicy \
--approve \
--override-existing-serviceaccounts
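
The trust relationship from the steps above decides which Kubernetes service accounts can assume the role, so it is worth confirming that it names only nannyml-cloud-service-account in the nannyml-cloud namespace. The check below is an added example, not part of the NannyML documentation; it takes the trust policy as `aws iam get-role` returns it, and the account id and OIDC provider id in its sample policies are constructed placeholders.

```python
# Names taken from this page; the account id and OIDC provider id in the
# sample policies are constructed placeholders.
EXPECTED_SUB = "system:serviceaccount:nannyml-cloud:nannyml-cloud-service-account"
EXPECTED_AUD = "sts.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return findings for an IRSA trust policy; an empty list means it is pinned."""
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action", []))]
    if not stmts:
        return ["no Allow statement for sts:AssumeRoleWithWebIdentity"]
    findings = []
    for s in stmts:
        # Only exact matches count: StringLike with wildcards widens the trust.
        exact = s.get("Condition", {}).get("StringEquals", {})
        subs = [v for k, vals in exact.items() if k.endswith(":sub") for v in _as_list(vals)]
        auds = [v for k, vals in exact.items() if k.endswith(":aud") for v in _as_list(vals)]
        if subs != [EXPECTED_SUB]:
            findings.append(f"sub is not pinned to {EXPECTED_SUB} (found {subs or 'no exact match'})")
        if auds != [EXPECTED_AUD]:
            findings.append(f"aud is not pinned to {EXPECTED_AUD} (found {auds or 'no exact match'})")
    return findings


def _policy(condition):
    # Constructed trust policy in the shape `aws iam get-role` returns it.
    provider = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
    cond = {op: {f"{provider}:{k}": v for k, v in kv.items()} for op, kv in condition.items()}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond}]}


PINNED = _policy({"StringEquals": {"sub": EXPECTED_SUB, "aud": EXPECTED_AUD}})
ANY_ACCOUNT = _policy({"StringEquals": {"aud": EXPECTED_AUD},
                       "StringLike": {"sub": "system:serviceaccount:*:*"}})

if __name__ == "__main__":
    for name, pol in (("PINNED", PINNED), ("ANY_ACCOUNT", ANY_ACCOUNT)):
        print(name, check_trust_policy(pol) or "ok")
```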

Step 2: Download NannyML Cloud helm chart

Define which version you would like to install. The list of available versions can be found on the configure step in AWS Marketplace. We recommend installing the latest available version for the best user experience.
export NANNYML_CLOUD_VERSION=0.4.0
Log in to grant helm access to the images hosted on AWS Marketplace, then pull the appropriate image.
NannyML Cloud (paid license):
aws ecr get-login-password \
--region us-east-1 | helm registry login \
--username AWS \
--password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com
helm pull oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/nannyml/nannyml-cloud/nannyml-cloud-operator-aws \
--version ${NANNYML_CLOUD_VERSION}

NannyML Cloud Trial:
aws ecr get-login-password \
--region us-east-1 | helm registry login \
--username AWS \
--password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com
helm pull oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/nannyml/nannyml-cloud-trial/nannyml-cloud-operator-aws-trial \
--version ${NANNYML_CLOUD_VERSION}

Step 3: Configure your NannyML Cloud instance

NannyML Cloud provides various options to configure your instance, for example how you want users to authenticate.
Configuration is done using a helm values (YAML) file. We provide a template here that you can use to configure your instance. To use a specific configuration, uncomment that section and insert the required values as indicated in the comments.
To get started, copy the contents below and save it locally as nannyml-cloud-config.yaml, then edit any settings as desired.
nannyml-cloud-config.yaml
operator:
  app:
    spec:
      ## This section configures how users should authenticate
      ## If you want to disable authentication entirely, leave the auth section empty (the default)
      # auth:
      #   ## OIDC authentication
      #   ## This allows logging in using organisation accounts backed by an identity provider, e.g. Microsoft or Google.
      #   ## To use OIDC authentication you will need to register the NannyML Cloud application with your identity provider.
      #   ## When going through the registration process you should find values for the audience, issuer and authority fields.
      #   oidc:
      #     audience: application registration id goes here, e.g. aaff04f6-0632-4ae4-91e2-4e5465ca1902
      #     issuer: oidc issuer goes here, e.g. https://sts.windows.net/b530fdce-6959-4e64-8413-46ed10d2ac03/
      #     authority: oidc authority goes here, e.g. https://login.microsoftonline.com/b530fdce-6959-4e64-8413-46ed10d2ac03/
      #   ## Local authentication
      #   ## This allows logging in using accounts that are contained within the application.
      #   ## You can define a list of account credentials here that can then be used to log into the application.
      #   local:
      #     key: enter random long string here to be used as encryption key, 32 characters min recommended
      #     users:
      #       - email: [email protected]
      #         password: secretpassword1
      #       - email: [email protected]
      #         password: secretpassword2
      ## Defines the accepted size limit for local file uploads
      # upload_size_limit: 100m
      ## Configures the URL where the application expects to be accessed
      ## We use this to configure the ingress and will attempt to get a certificate from Let's Encrypt using a HTTP01 challenge.
      ## However, you will need to make a DNS registration so that the URL points at the appropriate AWS elastic load balancer.
      ## If you do not provide a hostname, we'll use a self-signed certificate to enable HTTPS on the ELB URL assigned by AWS.
      # hostname: hosting url goes here
      ## Defines the service account to be used for communicating with AWS
      ## Should match the name used when creating the AWS IAM role
      server:
        serviceAccountName: nannyml-cloud-service-account
Currently we only support Microsoft Azure for OIDC authentication. There are slight discrepancies with other identity providers which result in authentication errors. We'll update this section once we support other identity providers. If this is important to you, let us know!
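
With every optional section left commented out, the template deploys an instance with authentication disabled and a self-signed certificate, so a review of the values file before step 4 is useful. The function below is an added example, not NannyML tooling: it inspects the parsed values (for instance the result of `yaml.safe_load`) and assumes the options sit under operator > app > spec; the sample dictionaries, the hostname and the key are constructed.

```python
# Placeholder passwords as they appear in the template on this page.
TEMPLATE_PASSWORDS = {"secretpassword1", "secretpassword2"}
SERVICE_ACCOUNT = "nannyml-cloud-service-account"  # name used in step 1


def review_values(values):
    """Return findings for a parsed nannyml-cloud-config.yaml; empty list means none."""
    # Assumed nesting: operator > app > spec.
    spec = ((values.get("operator") or {}).get("app") or {}).get("spec") or {}
    findings = []
    auth = spec.get("auth") or {}
    if not auth:
        findings.append("auth is empty: authentication is disabled")
    local = auth.get("local")
    if local is not None:
        if len(str(local.get("key") or "")) < 32:
            findings.append("auth.local.key is shorter than the recommended 32 characters")
        for user in local.get("users") or []:
            if user.get("password") in TEMPLATE_PASSWORDS:
                findings.append(f"user {user.get('email')} still has a template password")
    oidc = auth.get("oidc")
    if oidc is not None:
        for field in ("audience", "issuer", "authority"):
            if not oidc.get(field):
                findings.append(f"auth.oidc.{field} is missing")
    if not spec.get("hostname"):
        findings.append("hostname is unset: the ELB URL will use a self-signed certificate")
    if (spec.get("server") or {}).get("serviceAccountName") != SERVICE_ACCOUNT:
        findings.append("serviceAccountName does not match the account created in step 1")
    return findings


def _values(**spec):
    # Constructed sample: wraps spec options in the assumed nesting.
    spec.setdefault("server", {"serviceAccountName": SERVICE_ACCOUNT})
    return {"operator": {"app": {"spec": spec}}}


AS_SHIPPED = _values()  # every optional section still commented out
COPIED_TEMPLATE = _values(hostname="nannyml.example.com", auth={"local": {
    "key": "changeme",
    "users": [{"email": "user1@example.com", "password": "secretpassword1"}]}})
REVIEWED = _values(hostname="nannyml.example.com", auth={"local": {
    "key": "k" * 40,  # constructed stand-in for a random 40-character key
    "users": [{"email": "user1@example.com", "password": "constructed-unique-passphrase"}]}})

if __name__ == "__main__":
    for name, v in (("AS_SHIPPED", AS_SHIPPED), ("COPIED_TEMPLATE", COPIED_TEMPLATE), ("REVIEWED", REVIEWED)):
        print(name, review_values(v) or "ok")
```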

Step 4: Deploy NannyML Cloud with attached IAM role

Deploy NannyML Cloud using the following command:
NannyML Cloud (paid license):
helm upgrade -i nannyml-cloud nannyml-cloud-operator-aws-${NANNYML_CLOUD_VERSION}.tgz \
--namespace nannyml-cloud \
--create-namespace \
-f nannyml-cloud-config.yaml

NannyML Cloud Trial:
helm upgrade -i nannyml-cloud nannyml-cloud-operator-aws-trial-${NANNYML_CLOUD_VERSION}.tgz \
--namespace nannyml-cloud \
--create-namespace \
-f nannyml-cloud-config.yaml
It usually takes around 2 minutes for the helm command to complete. Once it has completed, the Kubernetes cluster will spin up all the required containers and allocate block storage on AWS. It will take another 2-3 minutes for the NannyML Cloud instance to be fully operational.

Step 5: Accept trial license

If you opted to purchase a license for NannyML Cloud, it will already be active and you can skip this step. If you're using a trial license, the license is issued to you when the software is first deployed. It needs to be accepted in the AWS environment before it can be used.
Access the list of licenses granted to your account on AWS License Manager. You should see a license for NannyML Cloud issued by NannyML as shown in the screenshot below. When the license is newly issued, it will be in Pending acceptance status.
Granted trial license in AWS License Manager
It may take a few minutes for the license to become available as it is granted when your NannyML Cloud instance has started.
Click the License ID column to view details for the license. Next click the Accept & activate license button in the top right and follow the instructions in the pop-up to activate your trial license.
Trial license details
The trial license comes with a few limitations:
  • Only one trial license is allowed per account. Once it has expired, you will need to purchase a license.
  • Delaying the license activation does not change the expiration date. It will expire 30 days from when it was issued, regardless of activation.
  • Only one NannyML Cloud instance can be active at a time. When purchasing a license, you can opt to buy multiple pro licenses, enabling multiple instances.

Step 6: Access your NannyML Cloud instance

Your NannyML Cloud instance should now be active on your EKS cluster. It is automatically exposed using an Amazon ELB (Elastic Load Balancer) with a dynamically generated URL. Run the command below to identify the ELB URL for your instance.
kubectl get ingress nannyml-cloud-ingress \
-n nannyml-cloud \
-o=jsonpath='{.status.loadBalancer.ingress[0].hostname}'
When accessing the dynamically generated URL you may see a security warning such as the one shown below. This is expected because the application is using a self-signed certificate for that URL. You can proceed to the application by bypassing the warning in your browser.
Security warning when accessing application using self-signed certificate
Unfortunately we cannot get a certificate from a certificate authority for these URLs as they are ephemeral. If you were to shut down your NannyML Cloud instance, AWS may assign that URL to someone else. If you had received a certificate for it, you would then hold a certificate for someone else's website, which is of course undesirable.
The solution to this issue is setting a hostname in step 3 when configuring your NannyML Cloud instance. With a URL you control we can obtain a certificate from Let's Encrypt and have a secure HTTPS setup.
If you've configured a hostname for the application in step 3, you should now set up a DNS CNAME record to direct the configured URL to the ELB URL.

Granting access to S3

NannyML Cloud supports reading datasets directly from S3. To use this feature we recommend granting the IAM role associated with NannyML Cloud access to the S3 buckets containing your data. This will allow NannyML Cloud to access the S3 buckets you specify without having to provide access keys at runtime.
You can use the IAM policy below as a template for granting read access to specific S3 buckets. This example grants read-only access to the datasets bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::datasets"]
},
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::datasets/*"]
}
]
}
You would add this permission to the IAM role associated with your NannyML Cloud instance, e.g. via the IAM portal. Please refer to the AWS documentation about creating IAM policies and attaching IAM permissions for more information.
If the IAM role was created using the command in Step 1: Create an AWS IAM role and Kubernetes service account, the role would be named eksctl-<cluster name>-addon-iamserviceacc-Role1-<random suffix>.
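
Before attaching an edited copy of the template, it helps to confirm that it still grants only read access to the buckets you intend, and that each action sits on the kind of ARN it applies to. The linter below is an added example, not part of the NannyML documentation; PAGE_POLICY is the policy from this page, and the other two policies are constructed variants.

```python
ARN_PREFIX = "arn:aws:s3:::"
BUCKET_ACTIONS = {"s3:ListBucket"}  # evaluated against the bucket ARN
OBJECT_ACTIONS = {"s3:GetObject"}   # evaluated against object ARNs (bucket/key)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_s3_read_policy(policy, allowed_buckets):
    """Return findings; an empty list means the policy matches the read-only template."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in BUCKET_ACTIONS | OBJECT_ACTIONS:
                findings.append(f"statement {i}: {action} is not a read action from the template")
                continue
            for res in _as_list(stmt.get("Resource", [])):
                if not res.startswith(ARN_PREFIX):
                    findings.append(f"statement {i}: {res} is not a bucket-scoped S3 ARN")
                    continue
                bucket, _, key = res[len(ARN_PREFIX):].partition("/")
                if "*" in bucket or bucket not in allowed_buckets:
                    findings.append(f"statement {i}: bucket '{bucket}' is not in the allowed list")
                elif action in BUCKET_ACTIONS and key:
                    findings.append(f"statement {i}: {action} on an object ARN grants nothing")
                elif action in OBJECT_ACTIONS and not key:
                    findings.append(f"statement {i}: {action} on a bucket ARN grants nothing")
    return findings


# The policy from this page, followed by two constructed variants.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::datasets"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::datasets/*"]}]}
MERGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::datasets/*"]}]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("PAGE_POLICY", PAGE_POLICY), ("MERGED", MERGED), ("BROAD", BROAD)):
        print(name, lint_s3_read_policy(pol, {"datasets"}) or "ok")
```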

Getting a new license when your (trial) license expires

When your (trial) license expires your NannyML Cloud instance will shut down. All data will be preserved and remain unchanged from the moment the license expires. You will then need to purchase a new license for your AWS account to restore operation.
Subscribe to the NannyML Cloud offer on the AWS Marketplace, then follow the instructions to configure a new license. Once an appropriate license is available in your AWS account, your existing NannyML Cloud instance will recover and become available again. Re-deploying using the instructions for the paid NannyML Cloud offer is possible, but not required, as the software contained in both offers will behave identically.