Technical Reference
Last updated
Was this helpful?
Last updated
Was this helpful?
Quilt is a versioned data portal for AWS. A Quilt instance is a private portal that runs in your virtual private cloud (VPC). Each instance consists of a password-protected web catalog on your domain, backend services, a secure server to manage user identities, and a Python API.
We encourage users to contact us before deploying Quilt. We will make sure that you have the latest version of Quilt, and walk you through the CloudFormation deployment.
We recommend that all users do one or more of the following:
to guide you through the installation
to ask questions and connect with other users
You will need the following:
An AWS account
IAM Permissions to run the CloudFormation template (or Add products in Service Catalog). The AdministratorAccess policy is sufficient. (Quilt creates and manages a VPC, containers, S3 buckets, a database, and more.) If you wish to create a service role for the installation, visit IAM > Roles > Create Role > AWS service > CloudFormation in the AWS console. The following service role is equivalent to AdministratorAccess:
The ability to create DNS entries, such as CNAME records, for your company's domain.
An SSL certificate in the same region as your Quilt instance to secure the domain where your users will access your Quilt instance. For example, to make your Quilt catalog available at https://quilt.mycompany.com, you require a certificate for *.mycompany.com in the . You may either , or .
For maximum security, Quilt requires a region that supports . As of this writing, all U.S. regions support Fargate.
An S3 Bucket for your team data. This may be a new or existing bucket. The bucket should not have any notifications attached to it (S3 Console > Bucket > Properties > Events). Quilt will need to install its own notifications. Installing Quilt will modify the following Bucket characteristics:
Permissions > CORS configuration (will be modified for secure web access)
Properties > Versioning (will be enabled)
Properties > Object-level logging (will be enabled)
Properties > Events (will add one notification)
A subdomain that is as yet not mapped in DNS where users will access Quilt on the web. For example quilt.mycompany.com.
Available CloudTrail Trails in the region where you wish to host your stack ().
An active subscription to Quilt Business on AWS Marketplace. Click Continue to Subscribe on the to subscribe then return to this page for installation instructions. The CloudFormation template and instructions on AWS Marketplace are infrequently updated and may be missing critical bugfixes.
Click the service catalog link that you received from Quilt. Arrive at the Service Catalog. Click IMPORT, lower right.
Navigate to Admin > Portfolios list > Imported Portfolios. Click Quilt Enterprise.
On the Portfolio details page, click ADD USER, GROUP OR ROLE. Add any users, including yourself, whom you would like to be able to install Quilt.
Click Products list, upper left. Click the menu to the left of Quilt CloudFormation Template. Click Launch product. (In the future, use the same menu to upgrade Quilt when a new version is released.)
Service Catalog users, skip this step. Under Stack creation options, enable termination protection.
This protects the stack from accidental deletion. Click Next.
Service Catalog users, skip this step. Check the box asking you to acknowledge that CloudFormation may create IAM roles, then click Create.
CloudFormation takes about 30 minutes to create the resources for your stack. You may monitor progress under Events. Once the stack is complete, you will see CREATE_COMPLETE as the Status for your CloudFormation stack.
To finish the installation, you will want to view the stack Outputs.
In a separate browser window, open the DNS settings for your domain. Create the following CNAME records. Replace italics with the corresponding stack Outputs.
CNAME
Value
QuiltWebHost Key
LoadBalancerDNSName
RegistryHostName Key
LoadBalancerDNSName
S3ProxyHost Key
LoadBalancerDNSName
Quilt is now up and running. You can click on the QuiltWebHost value in Outputs and log in with your administrator password to invite users.
The default Quilt settings are adequate for most use cases. The following section covers advanced customization options.
In the template menu (CloudFormation or Service Catalog), select Google under User authentication to Quilt. Enter the domain or domains of your Google apps account under SingleSignOnDomains. Enter the Client ID of the OAuth 2.0 credentials you created into the field labeled GoogleClientId
These instructions document how to set up an existing role for use with Quilt. If the role you want to use doesn't exist yet, create it now.
Go to your Quilt stack in CloudFormation. Go to Outputs, then find RegistryRoleARN and copy its value. It should look something like this: arn:aws:iam::000000000000:role/stackname-ecsTaskExecutionRole.
Go to the IAM console and navigate to Roles. Select the role you want to use. Go to the Trust Relationships tab for the role, and select Edit Trust Relationship. The statement might look something like this:
Add an object to the beginning of the Statement array with the following contents:
Note the comma after the object. Your trust relationship should now look something like this:
You can now configure a Quilt Role with this role (using the Catalog's admin panel, or quilt3.admin.create_role).
You can install Quilt via AWS Marketplace. As indicated above, we recommend that you .
Email with your AWS account ID to request access to Quilt through the AWS Service Catalog and to obtain a license key.
Continue to the section. Note: the following screenshots may differ slightly fromm what you see in Service Catalog.
Specify stack details in the form of a stack name and CloudFormation parameters. Refer to the descriptions displayed above each text box for further details. Service Catalog users require a license key. See for how to obtain a license key.
You can enable users on your Google domain to sign in to Quilt. Refer to and create authorization credentials to identify your Quilt stack to Google's OAuth 2.0 server.
