Broker survival guide
IP addresses
37.218.242.175
2a00:c6c0:0:154:4:d8aa:b4e6:c89f
SSH fingerprints
RSA: 3072 SHA256:rvKw6QleY2arxnM1SDVK/sbrHtM4s3QUT8C8UdwnHUo
ECDSA: 256 SHA256:58+L8TIvge80wI2N7IeLBEqfAiOJ+KgxLsYhpaKSbAQ
ED25519: 256 SHA256:1Jkdhvq2lDSCgjQu5z3RV3BSvt+XdW2C3rV7JvIvpqc
The broker is managed by systemd as a user service. To upgrade the broker, open a shell as the service user, replace the binary, and restart the unit:
machinectl shell --uid=webapp
cp ~/new-broker ~/.config/broker/broker
systemctl restart --user broker.service
Logs are managed by systemd as well; read them with journalctl --user -u broker.service.
SQS Rendezvous Deployment
The broker's SQS rendezvous method requires the creation of private credentials for the broker, and public credentials to distribute to clients.
Broker credentials
The broker's credentials are stored in /home/snowflake-broker/.aws/credentials
on the Snowflake broker machine; keep that file owned by the broker user and readable only by it (mode 0600). The credentials can be generated by creating a new IAM User and attaching a policy that allows the SQS actions the broker needs (it creates and deletes a queue per client, so the Resource is left as "*"):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:CreateQueue",
        "sqs:SendMessage",
        "sqs:DeleteMessage",
        "sqs:DeleteQueue",
        "sqs:GetQueueURL",
        "sqs:ListQueues",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "*"
    }
  ]
}
Client credentials
Snowflake clients need fewer actions than the broker to use SQS rendezvous, and the policy attached to the client IAM user should also restrict which queues each action applies to. Clients should be able to send to the broker's SQS queue but not receive from it, and they should be able to receive from the answer queue the broker creates for them. Replace [account id] with the id of the AWS account that owns the queues. Because every client uses the same distributed credentials, IAM cannot bind a client to its own queue: the SQSRead statement necessarily lets any holder of the client credentials receive from any snowflake-client-* queue, so the policy limits what clients can do to the broker queue rather than isolating clients from one another.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SQSRead",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:GetQueueURL"
      ],
      "Resource": "arn:aws:sqs:*:[account id]:snowflake-client-*"
    },
    {
      "Sid": "SQSWrite",
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:*:[account id]:snowflake-broker"
    }
  ]
}
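Before attaching either policy it is worth checking, offline, that they encode the access split described above for both the broker and the client credentials. The following is an added example and not part of Snowflake's own code: a minimal evaluator for the subset of IAM semantics these two policies rely on (Allow statements, explicit Deny taking precedence, implicit deny when nothing matches, "*" and "?" wildcards, case-insensitive action names and case-sensitive ARNs), run against the two policies from this page. The account id 123456789012, the region eu-west-1 and the queue names snowflake-client-a1b2c3 and snowflake-client-d4e5f6 are placeholders chosen for the example.

```python
"""Offline check of the Snowflake SQS rendezvous IAM policies (added example)."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # placeholder; substitute the real AWS account id
REGION = "eu-west-1"         # placeholder region used only to build ARNs

# The broker policy from the guide, verbatim.
BROKER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sqs:ReceiveMessage", "sqs:CreateQueue", "sqs:SendMessage",
                 "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:GetQueueURL",
                 "sqs:ListQueues", "sqs:GetQueueAttributes"],
      "Resource": "*"
    }
  ]
}
""")

# The client policy from the guide, with the "[account id]" placeholder filled in.
CLIENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SQSRead", "Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:GetQueueURL"],
     "Resource": "arn:aws:sqs:*:[account id]:snowflake-client-*"},
    {"Sid": "SQSWrite", "Effect": "Allow",
     "Action": ["sqs:SendMessage"],
     "Resource": "arn:aws:sqs:*:[account id]:snowflake-broker"}
  ]
}
""".replace("[account id]", ACCOUNT_ID))


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, fold_case):
    # IAM wildcards: '*' matches any run of characters (including ':' and '/'),
    # '?' matches one character. Action names are matched case-insensitively
    # (so "sqs:GetQueueURL" in a policy covers the GetQueueUrl API call);
    # ARNs are matched case-sensitively.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource_arn):
    """Evaluate one request against one identity policy.

    An explicit Deny that matches wins outright; otherwise the request is
    allowed only if some Allow statement matches both action and resource.
    Anything unmatched is implicitly denied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource_arn, False) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def queue_arn(name, region=REGION, account=ACCOUNT_ID):
    return f"arn:aws:sqs:{region}:{account}:{name}"


def allowed_actions(policy, resource_arn):
    """Which of the broker's SQS actions the given policy permits on one queue."""
    candidates = _as_list(BROKER_POLICY["Statement"][0]["Action"])
    return sorted(a for a in candidates if is_allowed(policy, a, resource_arn))


def rendezvous_matrix():
    """The access split the guide describes, evaluated against the policies."""
    broker_q = queue_arn("snowflake-broker")
    own_q = queue_arn("snowflake-client-a1b2c3")    # answer queue the broker made for us
    other_q = queue_arn("snowflake-client-d4e5f6")  # another client's answer queue
    return {
        "client_send_to_broker": is_allowed(CLIENT_POLICY, "sqs:SendMessage", broker_q),
        "client_receive_from_broker": is_allowed(CLIENT_POLICY, "sqs:ReceiveMessage", broker_q),
        "client_receive_own_answer": is_allowed(CLIENT_POLICY, "sqs:ReceiveMessage", own_q),
        # Shared credentials cannot be scoped to "my" queue; any client can read any answer queue.
        "client_receive_other_answer": is_allowed(CLIENT_POLICY, "sqs:ReceiveMessage", other_q),
        "client_delete_broker_queue": is_allowed(CLIENT_POLICY, "sqs:DeleteQueue", broker_q),
        "client_create_queue": is_allowed(CLIENT_POLICY, "sqs:CreateQueue", own_q),
        "client_get_url_mixed_case": is_allowed(CLIENT_POLICY, "sqs:GetQueueUrl", own_q),
        "broker_create_client_queue": is_allowed(BROKER_POLICY, "sqs:CreateQueue", own_q),
        "broker_receive_from_broker": is_allowed(BROKER_POLICY, "sqs:ReceiveMessage", broker_q),
    }


if __name__ == "__main__":
    for check, result in rendezvous_matrix().items():
        print(f"{check:32s} {'allowed' if result else 'denied'}")
```

The "client_receive_other_answer" row is the caveat from the text made concrete: the policy stops clients from reading or deleting the broker queue, but it cannot separate one client's answer queue from another's. The evaluator is deliberately small and ignores Condition elements, NotAction/NotResource and resource-based queue policies; use the IAM policy simulator for the authoritative answer before relying on it in production.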