2025.2 RC installation on AWS

Immuta Manual Installation Guide (2025.2.X)

This guide provides step-by-step instructions for manually deploying Immuta 2025.2.X to a Kubernetes cluster

Prerequisites

AWS CLI configured with appropriate IAM permissions for EKS, RDS, and IAM operations
kubectl installed and configured
Helm 3 installed
Standard Unix utilities: envsubst, uuidgen, curl
Access to the target Kubernetes cluster
Required secrets and credentials (see Variables section)
immutactl binary (download link to be provided by Immuta support)

Required Variables

Before starting, set these environment variables or note them for use in commands:

# Required inputs
export NAMESPACE="your-namespace"              # e.g., lf-rc-12345 (dash-case)
export DB_PREFIX="your_db_prefix"             # e.g., lf_rc_12345 (snake_case)
export CHART_VERSION="2025.2.0-rc.2"         # Immuta Helm chart version
export CHART_CHANNEL="unstable"              # stable or unstable
export FLOW_RELAY_BUCKET="your-unique-bucket-name" # S3 bucket for Flow Relay (must be globally unique)

# AWS Configuration
export AWS_ACCOUNT_ID="931788537711"
export AWS_REGION="us-east-1"
export CLUSTER_NAME="cs-support-env"
export RDS_HOST="immuta-support.ci6mpw1cd1j3.us-east-1.rds.amazonaws.com"
export OIDC_PROVIDER="oidc.eks.us-east-1.amazonaws.com/id/188A72A9F52282D01124D4A86BB09289"
export IMMUTA_DOMAIN="your-domain.com"              # Replace with your actual domain

# Derived variables
export DB_PREFIX_DASH="$NAMESPACE"

# Required secrets (replace with actual values)
export IMMUTA_REGISTRY_USERNAME="your-registry-username"
export IMMUTA_REGISTRY_PASSWORD="your-registry-password"
export POSTGRES_ADMIN_PASSWORD="your-postgres-admin-password"
export IMMUTA_DB_PASSWORD="your-immuta-db-password"

Required Files

The following files need to be created locally before beginning the installation. Copy each file content to the specified path:

1. IAM Policy Templates

templates/trust-policy-template.json

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringLike": {
            "${OIDC_PROVIDER}:sub": "system:serviceaccount:${NAMESPACE}:immuta-*"
          },
          "StringEquals": {
            "${OIDC_PROVIDER}:aud": "sts.amazonaws.com"
          }
        }
      }
    ]
  }

templates/s3-access-policy-template.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::${FLOW_RELAY_BUCKET}",
        "arn:aws:s3:::${FLOW_RELAY_BUCKET}/*"
      ]
    }
  ]
}

templates/lakeformation-policy-template.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetTables",
        "glue:GetDatabases",
        "glue:GetTable",
        "lakeformation:ListPermissions",
        "lakeformation:BatchGrantPermissions",
        "lakeformation:BatchRevokePermissions",
        "lakeformation:CreateLFTag",
        "lakeformation:UpdateLFTag",
        "lakeformation:DeleteLFTag",
        "lakeformation:AddLFTagsToResource",
        "lakeformation:RemoveLFTagsFromResource",
        "lakeformation:GetResourceLFTags",
        "lakeformation:ListLFTags",
        "lakeformation:GetLFTag",
        "lakeformation:SearchTablesByLFTags",
        "lakeformation:SearchDatabasesByLFTags"
      ],
      "Resource": "*"
    }
  ]
}

2. Helm Values Files

es-values.yaml

master:
    masterOnly: false
    replicaCount: 1

data:
    replicaCount: 0

coordinating:
    replicaCount: 0

ingest:
    replicaCount: 0

immuta-values.yaml

global:
  imageRegistry: ocir.immuta.com
  imagePullSecrets:
    - name: immuta-oci-registry
  featureFlags:
    dsia: true
    dsiaDatabricksUnityCatalog: true
    dsiaFrontend: true
    dsiaFrontendRegistrationSettings: true
    dsiaGlue: true
    nativeS3Integration: true
    policyWorkflowServiceSync: true
  tenantId: "${TENANT_ID}"
  postgresql:
    host: "${RDS_HOST}"
    port: 5432
    username: "${DB_PREFIX_UNDERSCORE}"
    password: "${IMMUTA_DB_PASSWORD}"
  flowRelay:
    store: s3
    storeRegion: "${AWS_REGION}"
    storeBucket: "${FLOW_RELAY_BUCKET}"
    storePrefix: "${DB_PREFIX_DASH}"

audit:
  config:
    elasticsearchEndpoint: http://es-db-elasticsearch.${NAMESPACE}.svc.cluster.local:9200
  postgresql:
    database: "${DB_PREFIX_UNDERSCORE}_immuta"

secure:
  serviceAccount:
    create: true
    name: immuta-secure
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::${AWS_ACCOUNT_ID}:role/${DB_PREFIX_DASH}-immuta-irsa
  postgresql:
    ssl: true
    database: "${DB_PREFIX_UNDERSCORE}_immuta"
  extraConfig:
    publicImmutaUrl: "https://${IMMUTA_DOMAIN}"
    schedule:
      policyWorkflowServiceSync: '*/1 * * * *'
  extraEnvVars:
    - name: NODE_DEBUG
      value: http

gateway:
  ingress:
    enabled: true
    hostname: "${IMMUTA_DOMAIN}"
    annotations:
      alb.ingress.kubernetes.io/backend-protocol: HTTP
      alb.ingress.kubernetes.io/group.name: immuta-support
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/ssl-redirect: "443"
      alb.ingress.kubernetes.io/target-type: ip
    ingressClassName: alb
    tls: true

temporal:
  enabled: true
  server:
    extraVolumes:
      - name: secret-with-certs
        secret:
          secretName: secret-with-certs
    extraVolumeMounts:
      - name: secret-with-certs
        mountPath: /certs/
    config:
      persistence:
        default:
          sql:
            database: "${DB_PREFIX_UNDERSCORE}_temporal"
            tls:
              caFile: /certs/global-bundle.pem
              enabled: true
        visibility:
          sql:
            database: "${DB_PREFIX_UNDERSCORE}_temporal_visibility"
            tls:
              caFile: /certs/global-bundle.pem
              enabled: true

now:
  postgresql:
    database: "${DB_PREFIX_UNDERSCORE}_immuta"
    params:
      schema: now
      sslmode: no-verify
  serviceAccount:
    name: immuta-now
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::${AWS_ACCOUNT_ID}:role/${DB_PREFIX_DASH}-immuta-irsa

policy:
  serviceAccount:
    name: immuta-policy
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::${AWS_ACCOUNT_ID}:role/${DB_PREFIX_DASH}-immuta-irsa

3. Setup Script

Create the required directory structure and files:

# Create directory structure
mkdir -p templates

# Copy each file content above into the respective paths
# For example:
# cat > templates/trust-policy-template.json << 'EOF'
# [paste content here]
# EOF

Note: The envsubst and uuidgen commands are used in the installation steps. Ensure these utilities are available on your system.

Step 1: Setup immutactl

Download and install the immutactl binary:

# Download immutactl binary (replace with actual download URL provided by Immuta support)
# curl -LO https://your-download-url/immutactl-linux

# Install immutactl
sudo mv ./immutactl-linux /usr/local/bin/immutactl
sudo chmod +x /usr/local/bin/immutactl

# Verify installation
immutactl

Note: Contact Immuta support for the correct download URL for the immutactl binary.

Step 2: Create S3 Bucket

Create the S3 bucket for Flow Relay storage:

# Create the S3 bucket
aws s3 mb s3://${FLOW_RELAY_BUCKET} --region ${AWS_REGION}

# Verify bucket creation
aws s3 ls s3://${FLOW_RELAY_BUCKET}

Note: S3 bucket names must be globally unique. If the bucket creation fails, choose a different name for FLOW_RELAY_BUCKET.

Step 3: Create IAM Roles and Policies

Create the necessary IAM role and policies for IRSA:

ROLE_NAME="${DB_PREFIX_DASH}-immuta-irsa"
S3_POLICY_NAME="${ROLE_NAME}-policy"
TRUST_POLICY_FILE="trust-policy.json"
IAM_POLICY_FILE="s3-access-policy.json"
LAKEFORMATION_POLICY_FILE="lakeformation-policy.json"

# Render trust policy from template using envsubst
envsubst < templates/trust-policy-template.json > $TRUST_POLICY_FILE
echo "----- trust-policy.json -----"
cat $TRUST_POLICY_FILE

# Render IAM policy for flowRelay from template using envsubst
envsubst < templates/s3-access-policy-template.json > $IAM_POLICY_FILE
echo "----- s3-access-policy.json -----"
cat $IAM_POLICY_FILE

# Render Lake Formation policy from template using envsubst
envsubst < templates/lakeformation-policy-template.json > $LAKEFORMATION_POLICY_FILE
echo "----- lakeformation-policy.json -----"
cat $LAKEFORMATION_POLICY_FILE

# Create the IAM policy
S3_POLICY_ARN=$(aws iam create-policy --policy-name "$S3_POLICY_NAME" --policy-document file://$IAM_POLICY_FILE --query 'Policy.Arn' --output text)

# Create the Lake Formation policy
LAKEFORMATION_POLICY_ARN=$(aws iam create-policy --policy-name "${ROLE_NAME}-lakeformation-policy" --policy-document file://$LAKEFORMATION_POLICY_FILE --query 'Policy.Arn' --output text)

# Create the IAM role
aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://$TRUST_POLICY_FILE

# Attach the policies to the role
aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$S3_POLICY_ARN"
aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$LAKEFORMATION_POLICY_ARN"

Step 3: Create IAM Roles and Policies

Create the necessary IAM role and policies for IRSA:

ROLE_NAME="${DB_PREFIX_DASH}-immuta-irsa"
S3_POLICY_NAME="${ROLE_NAME}-policy"
TRUST_POLICY_FILE="trust-policy.json"
IAM_POLICY_FILE="s3-access-policy.json"
LAKEFORMATION_POLICY_FILE="lakeformation-policy.json"

# Render trust policy from template using envsubst
envsubst < templates/trust-policy-template.json > $TRUST_POLICY_FILE
echo "----- trust-policy.json -----"
cat $TRUST_POLICY_FILE

# Render IAM policy for flowRelay from template using envsubst
envsubst < templates/s3-access-policy-template.json > $IAM_POLICY_FILE
echo "----- s3-access-policy.json -----"
cat $IAM_POLICY_FILE

# Render Lake Formation policy from template using envsubst
envsubst < templates/lakeformation-policy-template.json > $LAKEFORMATION_POLICY_FILE
echo "----- lakeformation-policy.json -----"
cat $LAKEFORMATION_POLICY_FILE

# Create the IAM policy
S3_POLICY_ARN=$(aws iam create-policy --policy-name "$S3_POLICY_NAME" --policy-document file://$IAM_POLICY_FILE --query 'Policy.Arn' --output text)

# Create the Lake Formation policy
LAKEFORMATION_POLICY_ARN=$(aws iam create-policy --policy-name "${ROLE_NAME}-lakeformation-policy" --policy-document file://$LAKEFORMATION_POLICY_FILE --query 'Policy.Arn' --output text)

# Create the IAM role
aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://$TRUST_POLICY_FILE

# Attach the policies to the role
aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$S3_POLICY_ARN"
aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$LAKEFORMATION_POLICY_ARN"

Step 4: Configure Kubernetes Access

Update your kubeconfig to access the target cluster:

aws eks --region $AWS_REGION update-kubeconfig --name $CLUSTER_NAME

Step 5: Create and Configure Namespace

Create the Kubernetes namespace and apply labels:

# Create namespace
kubectl create namespace $NAMESPACE

# Label namespace
kubectl label namespace $NAMESPACE purpose=upgrade-test owner=manual-deployment --overwrite

Step 6: Create Registry Pull Secret

Create the Docker registry secret for pulling Immuta images:

kubectl create secret -n $NAMESPACE docker-registry immuta-oci-registry \
  --docker-server=https://ocir.immuta.com \
  --docker-username=$IMMUTA_REGISTRY_USERNAME \
  --docker-password=$IMMUTA_REGISTRY_PASSWORD \
  [email protected]

Step 7: Deploy Elasticsearch

Deploy Elasticsearch using Helm:

helm install --namespace $NAMESPACE es-db oci://registry-1.docker.io/bitnamicharts/elasticsearch --values es-values.yaml

Step 8: Create PostgreSQL Databases

Create the required PostgreSQL databases using immutactl:

immutactl postgres --host "$RDS_HOST" \
                   --prefix $DB_PREFIX \
                   --immuta-role $DB_PREFIX \
                   --admin-role rds_superuser \
                   --admin-password "$POSTGRES_ADMIN_PASSWORD" \
                   --immuta-password $IMMUTA_DB_PASSWORD

Step 9: Prepare Helm Values

Prepare the Helm values file and generate required values:

# Generate tenantId
export TENANT_ID=$(uuidgen)

# Render final Helm values
export DB_PREFIX_UNDERSCORE="${DB_PREFIX}"
export DB_PREFIX_DASH="${DB_PREFIX_DASH}"
export IMMUTA_DB_PASSWORD="${IMMUTA_DB_PASSWORD}"
export RDS_HOST="${RDS_HOST}"
export NAMESPACE="${NAMESPACE}"
export TENANT_ID="${TENANT_ID}"
export IMMUTA_DOMAIN="${IMMUTA_DOMAIN}"

envsubst < immuta-values.yaml > rendered-immuta-values.yaml

Step 10: Review Rendered Values

Review the rendered Helm values before deployment:

echo "=== Rendered Immuta Values ==="
cat rendered-immuta-values.yaml

Step 11: Add RDS Certificate Bundle

Add the RDS global certificate bundle as a Kubernetes secret:

# Download the RDS global bundle
curl -o global-bundle.pem https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem

# Create the secret
kubectl -n "$NAMESPACE" create secret generic secret-with-certs \
  --from-file=global-bundle.pem \
  --dry-run=client -o yaml | kubectl apply -f -

Step 12: Deploy Immuta

Deploy Immuta using Helm:

# Login to Immuta registry
helm registry login ocir.immuta.com \
  --username "$IMMUTA_REGISTRY_USERNAME" \
  --password "$IMMUTA_REGISTRY_PASSWORD"

# Deploy Immuta
helm upgrade --install immuta oci://ocir.immuta.com/${CHART_CHANNEL}/immuta-enterprise \
  -n "$NAMESPACE" \
  --version $CHART_VERSION \
  -f rendered-immuta-values.yaml

Step 13: Wait for Deployment Completion

Wait for all Immuta deployments to become ready:

for deploy in $(kubectl get deploy -n "$NAMESPACE" -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep '^immuta-'); do
  echo "Waiting for deployment $deploy to be ready..."
  kubectl rollout status deployment/$deploy -n "$NAMESPACE" --timeout=300s || true
done

Verification

After deployment completes, verify the installation:

# Check all pods are running
kubectl get pods -n $NAMESPACE

# Check ingress is created
kubectl get ingress -n $NAMESPACE

# Get the ALB DNS name for your domain configuration
kubectl get ingress -n $NAMESPACE -o jsonpath='{.items[0].status.loadBalancer.ingress[0].hostname}'

Note: You'll need to configure your DNS to point ${IMMUTA_DOMAIN} to the ALB hostname before accessing the Immuta UI.

Troubleshooting

DNS Configuration

Since this manual installation doesn't include the automated DNS setup, you'll need to:

Configure your domain's DNS to point ${IMMUTA_DOMAIN} to your ALB
Get the ALB DNS name using: kubectl get ingress -n $NAMESPACE
Create a CNAME record pointing your domain to the ALB DNS name

Common Issues

Pod Not Starting: Check pod logs using kubectl logs -n $NAMESPACE <pod-name>
ImagePullBackOff: Verify registry credentials and secret creation
Database Connection Issues: Confirm RDS host accessibility and credentials
Helm Deployment Failures: Check Helm values rendering and template syntax

Useful Commands

# Check pod status
kubectl get pods -n $NAMESPACE

# View pod logs
kubectl logs -n $NAMESPACE <pod-name>

# Check services
kubectl get svc -n $NAMESPACE

# Check ingress
kubectl get ingress -n $NAMESPACE

# Describe a resource for more details
kubectl describe <resource-type> <resource-name> -n $NAMESPACE

Cleanup

To remove the deployment:

# Uninstall Helm releases
helm uninstall immuta -n $NAMESPACE
helm uninstall es-db -n $NAMESPACE

# Delete namespace
kubectl delete namespace $NAMESPACE

# Clean up IAM resources
aws iam detach-role-policy --role-name "${DB_PREFIX_DASH}-immuta-irsa" --policy-arn "$S3_POLICY_ARN"
aws iam detach-role-policy --role-name "${DB_PREFIX_DASH}-immuta-irsa" --policy-arn "$LAKEFORMATION_POLICY_ARN"
aws iam delete-role --role-name "${DB_PREFIX_DASH}-immuta-irsa"
aws iam delete-policy --policy-arn "$S3_POLICY_ARN"
aws iam delete-policy --policy-arn "$LAKEFORMATION_POLICY_ARN"

# Clean up S3 bucket (WARNING: This will delete all data in the bucket)
aws s3 rm s3://${FLOW_RELAY_BUCKET} --recursive
aws s3 rb s3://${FLOW_RELAY_BUCKET}

PreviousCopy of Okta Attribute Mapping

Last updated 6 months ago