
AWS Credentials

Amazon Web Services is the premier provider of serverless application hosting. If you do not already have an AWS account, you can create an account to get started.

Functional Fleet deploys your serverless application to your AWS account so that you have complete control over the running application. This enables you to link to other services in your AWS account and customize individual components.

In order to deploy to your AWS account, you must provide AWS Credentials for each Service that you create.

AWS provides free resources to help you get started. All accounts receive 1,000,000 free Lambda executions per month, among other features. New accounts receive even more free resources for the first 12 months!

Visit the AWS Free services page for a complete listing of all of the free resources. Many applications will not cost anything if they stay within these limits.

Credentials

There are 3 values Functional Fleet requires in order to operate correctly with your IAM user:

  1. ARN - This is the AWS internal name for your IAM user. It looks something like arn:aws:iam::123456789012:user/ffleet.
  2. Access key ID - This is sort of like the "username" of your IAM user. Along with the "password", this grants access to the user.
  3. Secret access key - This is sort of like the "password" for your IAM user.

These 3 values must all be entered into Functional Fleet when creating a service for correct operation. The values can be changed later, but must be provided to create a service. There is a fourth parameter that Functional Fleet requires to create Credentials -- name -- which is not tied to any AWS IAM value. This is an internal identifier that Functional Fleet uses to organize credentials. Enter any value here that you will remember later.

IAM

AWS provides an authentication mechanism called Identity and Access Management (IAM), which allows you to create many different users within your account and apply very fine-grained access controls to each user. Functional Fleet requires an IAM user with "Programmatic Access" and a certain set of authorizations for full compatibility.

We would encourage you to make a new AWS account for each Service that you create. This will help to isolate environments from one another, and limit the scope of IAM user access.

A side benefit is that all new AWS accounts receive the 12 month free tier benefits!

Create IAM User

Follow the steps below to create a new IAM user for your Functional Fleet service.

  1. Login to your AWS account and navigate to the IAM tool.

  2. Click on the "Users" tab in the left navigation bar.

  3. Click the "Add User" button at the top of the page.

  4. Enter a name for the new User account. Choose any valid name.

  5. Select the "Programmatic access" checkbox.

  6. Click the "Next: Permissions" button.

  7. Select the "Attach existing policies directly" box.

  8. Click the "Create policy" button.

  9. In the new window, click the "JSON" tab.

  10. Copy and paste the policy template from below into the box on the page.

  11. Click "Review policy".

  12. Choose a name for the new policy, such as ffleet-policy.

  13. Click "Create policy".

  14. Return to the previous window where you were creating the user. Above the list of policies, click the refresh button to reload the list.

  15. Find the policy that you just created in the list. You can use the filter box at the top of the list to enter the name of the policy, such as ffleet-policy. If you cannot find the policy in the list, make sure it was created successfully and that the list was updated according to step 14.

  16. Select the checkbox next to the policy in the list that you have just created.

  17. Click the "Next: Review" button.

  18. Click the "Create user" button.

  19. You have now created an IAM user, but do not navigate away from this page before making a note of the "Access key ID" and "Secret access key". Click the "Show" link to reveal the full Secret access key. These values are necessary to enter into the Functional Fleet Service Credential management tool.

  20. Once you have noted the two values from step 19, click "Close".

  21. Find the name of the user that you just created, and click on the name.

  22. On the user page, near the top of the page is a value labeled "User ARN". Make a note of this complete value. There is a small button to the right that directly copies the value to your clipboard.

  23. That's it! You now have the 3 values necessary to create Credentials on Functional Fleet.

User Policy

User authorization credentials are required for Functional Fleet to deploy and monitor your service within your account. The IAM service within AWS allows you to specify fine-grained user access controls.

Functional Fleet is adding new features frequently, which causes this list to change. Keep checking this list while we are in Beta to keep up-to-date.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm:*",
        "apigateway:*",
        "cloudformation:*",
        "cloudfront:*",
        "cloudwatch:*",
        "events:*",
        "execute-api:*",
        "kms:*",
        "lambda:*",
        "logs:*",
        "s3:*",
        "sns:*",
        "sqs:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
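
The template above grants every action of 13 services on every resource in the account. The following audit is an added example, not Functional Fleet's own code: it lists each wildcard grant in a policy document so you can see what the IAM user's access keys can reach. `SCOPED_POLICY` and its bucket name are constructed for comparison.

```python
import json

# Services granted "<service>:*" by the policy template on this page.
PAGE_SERVICES = ["acm", "apigateway", "cloudformation", "cloudfront", "cloudwatch",
                 "events", "execute-api", "kms", "lambda", "logs", "s3", "sns", "sqs"]
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": [f"{s}:*" for s in PAGE_SERVICES],
                   "Effect": "Allow", "Resource": "*"}],
}

# Constructed comparison statement; the bucket name is a placeholder.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:PutObject",
                  "Resource": "arn:aws:s3:::example-deploy-bucket/*"},
}

def _as_list(value):
    """IAM accepts either one string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy):
    """List every Allow grant whose action is a service-wide or global wildcard."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        all_resources = "*" in _as_list(stmt.get("Resource", []))
        # Wildcard action on every resource is the widest possible grant.
        severity = "high" if all_resources else "medium"
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            actions = ["NotAction"]
        else:
            actions = [a for a in _as_list(stmt.get("Action", []))
                       if a == "*" or a.endswith(":*")]
        for action in actions:
            findings.append({"statement": index, "action": action,
                             "all_resources": all_resources, "severity": severity})
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_policy(PAGE_POLICY), indent=2))
```
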

Create IAM Role

An IAM Role is required to execute your Lambda functions. A role is used by your application resources, whereas a user is used to provision the application resources. A role also has no username and password, and is limited to execution by the resources in your account.

We recommend enabling Lambda AdministratorAccess permissions to simplify the creation process. For power users, you are welcome to limit the functionality to only what your application requires. For supreme power users, each function can have an independent execution role so that you can limit permissions to exactly what that function requires.

  1. Login to your AWS account and navigate to the IAM tool.

  2. Click on the "Roles" tab in the left navigation bar.

  3. Click the "Create role" button.

  4. Select the large "Lambda" box from the service list.

  5. Click the "Next: Permissions" button.

  6. Select the "AdministratorAccess" policy from the list.

  7. Click the "Next: Review" button.

  8. Enter a name for your role, such as lambda-role.

  9. Click the "Create role" button.

  10. You will be returned to the list of all roles. Find the role you just created in the list, and click on its name.

  11. Near the top of the page is a value labeled "Role ARN". Copy this value. There is a small button on the right that will copy the value to your clipboard. This is the role identifier that you will need to enter into your configuration.

  12. That's it! You have created an execution role, and have the ARN value to enter into the config file.
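
For the per-function execution role mentioned above as the alternative to AdministratorAccess, this added example (not Functional Fleet's own code) builds the two documents such a role needs: a trust policy for the Lambda service and a permissions policy limited to one function's CloudWatch log group. The region and function name are constructed placeholders, and the account ID is the sample from the ARN shown earlier on this page.

```python
import json
import re

# Lambda function names: letters, digits, hyphens, underscores, at most 64 chars.
_FUNCTION_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")

def lambda_trust_policy():
    """Trust policy: only the Lambda service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

def function_log_policy(region, account_id, function_name):
    """Permissions limited to writing logs for one named function."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    if not re.fullmatch(r"[a-z0-9-]+", region):
        raise ValueError("unexpected characters in region")
    # Rejecting '*' and '/' keeps a caller from widening the resource ARN.
    if not _FUNCTION_NAME.fullmatch(function_name):
        raise ValueError("invalid Lambda function name")
    base = f"arn:aws:logs:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:CreateLogGroup",
             "Resource": f"{base}:*"},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": [f"{base}:log-group:/aws/lambda/{function_name}:*"]},
        ],
    }

if __name__ == "__main__":
    # Constructed inputs: placeholder region and function name.
    print(json.dumps(lambda_trust_policy(), indent=2))
    print(json.dumps(
        function_log_policy("us-east-1", "123456789012", "hello-world"), indent=2))
```

Any further permission the function needs, such as access to one bucket or one queue, is added as another statement naming that resource's ARN.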