BYOC Setup (AWS)
Deploy LaserData-managed clusters in your own AWS account
BYOC (Bring Your Own Cloud) lets LaserData manage your Apache Iggy deployment while the infrastructure runs in your AWS account. You keep full data sovereignty and pay your own AWS bill.
Prerequisites
- An AWS account
- A VPC in the target region (the default VPC works)
- BYOC enabled on your subscription (Pro and Enterprise plans)
Step 1: Generate BYOC Setup
From the Console, initiate a BYOC deployment and select your target cloud and region. The platform generates:
- An IAM trust policy — allows LaserData to assume a role in your account
- An IAM permissions policy — scoped to the resources LaserData needs to manage
- An external ID — a unique identifier that prevents confused deputy attacks
Step 2: Create IAM Role
In your AWS account:
- Go to IAM → Roles → Create role
- Select Custom trust policy
- Paste the trust policy provided by LaserData
- Create a new policy with the permissions policy provided by LaserData
- Attach the policy to the role
- Name the role (e.g. LaserDataByocRole)
- Copy the Role ARN
Using AWS CLI

```shell
aws iam create-role \
  --role-name LaserDataByocRole \
  --assume-role-policy-document file://trust-policy.json

aws iam put-role-policy \
  --role-name LaserDataByocRole \
  --policy-name LaserDataByocPermissions \
  --policy-document file://permissions-policy.json
```

Step 3: Complete Deployment
Provide your AWS Account ID, Role ARN, and the external ID back in the Console. LaserData then:
- Assumes the IAM role in your account via STS
- Creates a subnet within your VPC (finds a free CIDR automatically)
- Sets up security groups, route tables, and internet gateway (if needed)
- Launches EC2 instances with Elastic IPs
- Deploys Warden agents that connect outbound to the control plane
IAM Scope
The IAM role grants LaserData permissions for:
| Category | Operations |
|---|---|
| EC2 | Launch, terminate, start, stop, describe instances |
| Networking | VPC, subnets, security groups, route tables, internet gateways, NAT gateways, elastic IPs |
| EBS | Create, delete, attach volumes and snapshots |
| Load Balancing | Create and manage NLBs and target groups |
| IAM | Create LaserNode-* roles (for Replica cluster fencing only) |
Not included: No S3, no Secrets Manager, no CloudWatch, no SSM. LaserData has no access to your application data or secrets.
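Before running the `create-role` command in Step 2, it is worth checking the two documents the Console generated against what this page promises: the trust policy should only allow `sts:AssumeRole` when the caller presents the external ID from Step 1 (the confused-deputy guard), and the permissions policy should stay within the services listed in the table above and grant no bare `*` action. The preflight below is an added example, not LaserData tooling; the file names `trust-policy.json` and `permissions-policy.json`, the sample documents, and the `111122223333` principal account are constructed placeholders, and the allowed service prefixes are derived from the IAM Scope table.

```python
"""Preflight checks for the BYOC IAM documents before creating the role.

Added example, not LaserData's own tooling. It assumes the Console hands you
trust-policy.json, permissions-policy.json and the external ID, and checks:
  * the trust policy requires the expected sts:ExternalId on AssumeRole and
    does not open the role to any principal, and
  * every allowed Action in the permissions policy stays within the services
    the page lists (EC2/networking/EBS, load balancing, scoped IAM).
"""
import json

# Service prefixes the IAM Scope table covers. Anything else (s3, secretsmanager,
# logs, ssm, ...) is out of scope for this role and is reported as a finding.
ALLOWED_PREFIXES = {"ec2", "elasticloadbalancing", "iam", "sts"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_policy: dict, expected_external_id: str) -> list:
    """Return findings for the trust policy; an empty list means it is sound."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("AssumeRole statement has no sts:ExternalId condition")
        elif expected_external_id not in _as_list(ext):
            findings.append(f"sts:ExternalId {ext!r} does not match the Console value")
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("AssumeRole statement allows any principal")
    return findings


def check_permissions_policy(policy: dict) -> list:
    """Return findings for actions outside the documented scope."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append("wildcard action '*' grants every service")
                continue
            prefix = action.split(":", 1)[0].lower()
            if prefix not in ALLOWED_PREFIXES:
                findings.append(f"out-of-scope action: {action}")
            elif prefix == "iam" and "*" in resources:
                # The page scopes IAM to LaserNode-* roles; a bare "*" resource is wider.
                findings.append(f"iam action {action} is not resource-scoped")
    return findings


def preflight_from_files(trust_path: str, perms_path: str, external_id: str) -> list:
    """Load both documents from disk and return the combined findings."""
    with open(trust_path) as f:
        trust = json.load(f)
    with open(perms_path) as f:
        perms = json.load(f)
    return check_trust_policy(trust, external_id) + check_permissions_policy(perms)


# Constructed sample documents (not the real Console output). 111122223333 is a
# placeholder for the LaserData control-plane account; the external ID is the
# example value used elsewhere on this page.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "unique-external-id-123"}},
    }],
}

SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances",
                                       "ec2:CreateSubnet", "ec2:AllocateAddress"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/LaserNode-*"},
    ],
}

# A constructed over-broad variant: one extra action outside the documented scope.
OVERBROAD_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:DescribeInstances", "s3:GetObject"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for name, findings in [
        ("trust", check_trust_policy(SAMPLE_TRUST_POLICY, "unique-external-id-123")),
        ("permissions", check_permissions_policy(SAMPLE_PERMISSIONS_POLICY)),
        ("overbroad", check_permissions_policy(OVERBROAD_PERMISSIONS_POLICY)),
    ]:
        print(name, "OK" if not findings else findings)
```

Run it against the real files with `preflight_from_files("trust-policy.json", "permissions-policy.json", "<external id from the Console>")` and create the role only when the returned list is empty. The check is a structural review of the documents, not a substitute for the IAM policy simulator, but it catches the two mistakes that matter most here: a trust policy missing the external ID condition, and a permissions document that quietly reaches into services the page says are excluded.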
Cleanup
When you delete a BYOC deployment, LaserData:
- Terminates EC2 instances
- Releases Elastic IPs
- Deletes security groups, subnets, and route tables
- Removes IAM instance profiles and roles created for the deployment
Internet gateways are not deleted, since they may be shared with other resources in the VPC.
API Reference
Validate BYOC Credentials
```shell
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/byoc/validate \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "cloud": "aws",
    "region": "us-east-1",
    "account_id": "123456789012",
    "identity_arn": "arn:aws:iam::123456789012:role/LaserDataByocRole",
    "external_id": "unique-external-id-123",
    "vpc_id": "vpc-12345678"
  }'
```

Generate BYOC Setup
```shell
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/byoc/setup \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "cloud": "aws",
    "region": "us-east-1"
  }'
```