Before You Begin: Set Up Your AWS Account And User

Read this article if you intend to sign up for or are in the process of signing up for an Engine Yard account using the “Bring your own AWS Account” option.

This article describes:

Your servers are deployed on your AWS account. Engine Yard requires that you share one set of AWS user credentials for this purpose.

Before you can create and deploy an App on Engine Yard cloud, you need to have an AWS account and you need to create an IAM user with administrator permissions (as is described below).

To prepare an AWS account for use with Engine Yard Cloud.

  1. If you do not have an AWS account, create one at

  2. If you do have an older AWS account, make sure that it has the following services associated with it: KMS, RDS, SNS, SQS, EC2, ELB, S3, and CloudWatch. Subscribe to any missing services by browsing to those services in the AWS console. (For KMS, navigate to the Identity & Access Management dashboard and click Encryption Keys to subscribe to the Key Management service. For ELB, navigate to the EC2 Dashboard and select Load Balancers.)

  3. Using Identity & Access Management service, create a new group (e.g. EYAdminGroup) and attach the AdministratorAccess policy to the group.

    For more information about creating IAM groups and users, see the AWS documentation.

  4. Create a new IAM user (e.g. ey_user) and add the user to the group you created in step 3 above.

  5. When you create the user, download the User security credentials.

Understand how Engine Yard uses your AWS account

Why do I have to create an IAM user?

All Engine Yard cloud servers are deployed on AWS with your existing account. In order to create these clusters, you need to give Engine Yard the access key credentials for an IAM user with admin privileges.

What are “access key” credentials?

AWS enables user creation within an account, and the access key and secret key are analogous to username/password. After you create a user on AWS, store the access key and secret key in a secure place and enter those values on the Engine Yard platform. These credentials are treated with utmost security.

What are you doing with these credentials?

Engine Yard configures the proper IAM users and groups in the account to enable our services.

The IAM user needs admin privileges to ensure Engine Yard can appropriately provision and de-provision servers as you interact with them from the Engine Yard UI. To ensure separation from the rest of your AWS activities, Engine Yard) creates three additional users and security groups within AWS to delegate responsibilities and to enable our services.

Users created by Engine Yard:

  • ey-account-admin
  • ey-instance
  • ey-support

Groups created by Engine Yard:

  • EY-Cloud-Admin
  • EY-Cloud-Instance

After you connect your AWS account, Engine Yard does not require the user or group that you created in Steps 3 and 4 above. In fact, if you want, you can delete these. However, do not delete any of the users or groups created by Engine Yard.

What about my current services running on AWS?

Submitting a set of AWS credentials to Engine Yard does not affect any services you directly provision on AWS.

Change AWS accounts

After you have used Engine Yard for a while, there are reasons why you might want to associate a different AWS account with your Engine Yard account.

You need to delete your environments running on the original AWS account before changing to a different account.

To change AWS accounts for your Engine Yard account

  1. Delete all environments from your Engine Yard Cloud account.
  2. From the Engine Yard Cloud dashboard, click Account -> Account Settings.
  3. Click Manage AWS Account.
  4. Click Delete AWS Credentials
  5. Provide credentials for the new AWS account that you want to use. Make sure that the new AWS account has been prepared for use with Engine Yard.


Article is closed for comments.