Deploying Gel to AWS
We recommend using our helm chart to deploy Gel on AWS EKS. The CloudFormation guide below does not configure TLS certificates correctly.
In this guide we show how to deploy Gel on AWS using Amazon Aurora and Elastic Container Service.
Gel Cloud: Reset the default password for the admin role
If you want to dump an existing Gel Cloud instance and restore it to a new self-managed instance, you need to change the automatically generated password for the default admin role - edgedb or admin.
The administrator role name and its password used in the dump/restore process must be the same in both the instance dumped from and the instance restored to for the Gel tooling to continue functioning properly.
To change the default password in the Cloud instance, execute the following query in the instance:
ALTER ROLE admin { set password := 'new_password' };
Prerequisites
- AWS account with billing enabled (or a free trial)
- (optional) aws CLI (install)
Quick Install with CloudFormation
We maintain a CloudFormation template for easy automated deployment of Gel in your AWS account. The template deploys Gel to a new ECS service and connects it to a newly provisioned Aurora PostgreSQL cluster. The created instance has a public IP address with TLS configured and is protected by a password you provide.
CloudFormation Web Portal
Click here to start the deployment process using the CloudFormation portal and follow the prompts. You'll be prompted to provide a value for the following parameters:
- DockerImage: defaults to the latest version (geldata/gel), or you can specify a particular tag from the ones published to Docker Hub.
- InstanceName: ⚠️ Due to limitations with AWS, this must be 22 characters or less!
- SuperUserPassword: this will be used as the password for the new Gel instance. Keep track of the value you provide.
Once the deployment is complete, follow these steps to find the host name that has been assigned to your Gel instance:
- Open the AWS Console and navigate to CloudFormation > Stacks. Click on the newly created Stack.
- Wait for the status to read CREATE_COMPLETE; it can take 15 minutes or more.
- Once deployment is complete, click the Outputs tab. The value of PublicHostname is the hostname at which your Gel instance is publicly available.
- Copy the hostname and run the following command to open a REPL to your instance.
$ gel --dsn gel://admin:<password>@<hostname> --tls-security insecure
Gel x.x
Type \help for help, \quit to quit.
gel>
To make changes to your Gel deployment, like upgrading the Gel version or enabling the UI, you can follow the CloudFormation Updating a stack instructions. Search for ContainerDefinitions in the template and you will find where Gel's environment variables are defined. To upgrade the Gel version, specify a Docker image tag with the image name geldata/gel in the second step of the update workflow.
CloudFormation CLI
Alternatively, if you prefer to use the AWS CLI, run the following command in your terminal:
$ aws cloudformation create-stack \
    --stack-name Gel \
    --template-url \
      https://gel-deployment.s3.us-east-2.amazonaws.com/gel-aurora.yml \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters ParameterKey=SuperUserPassword,ParameterValue=<password>
Connecting your application
To connect your application to the Gel instance, you'll need to provide connection parameters. Gel client libraries can be configured using either a DSN (connection string) or individual environment variables.
Obtaining connection parameters
Your connection requires the following components:
- Host: The PublicHostname value from the CloudFormation Stack's Outputs tab.
- Port: 5656 (the default Gel port)
- Username: admin (the default superuser)
- Password: The SuperUserPassword you specified during deployment
- Branch: main (the default branch)
Construct the DSN using these values:
$ GEL_DSN="gel://admin:<password>@<hostname>:5656"
Obtaining the TLS certificate
The CloudFormation template does not configure TLS certificates correctly.
We recommend using --tls-security insecure for testing, but for
production you should use our helm chart or configure
TLS manually.
To connect securely, your application needs the server's TLS certificate. For self-signed certificates, you can retrieve the certificate by connecting to the instance and extracting it:
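$ gel --dsn "$GEL_DSN" --tls-security insecure \
    query "SELECT sys::get_tls_certificate()"
Store this certificate and provide it to your application via the GEL_TLS_CA or GEL_TLS_CA_FILE environment variable. Because the retrieval itself runs with --tls-security insecure, the connection that delivers the certificate is not verified, so run it over a network path you trust.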
Using in your application
Set these environment variables where you deploy your application:
GEL_DSN="gel://admin:<password>@<hostname>:5656"
# For self-signed certificates:
GEL_CLIENT_TLS_SECURITY=insecure
# Or with a proper TLS certificate:
GEL_TLS_CA="<certificate content>"
Gel's client libraries will automatically read these environment variables.
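The settings above as a start-up check, added here as an example and not part of Gel's tooling: it fails when the environment is still in the testing state (insecure, template placeholders, or a CA value with no certificate in it). The function name gel_env_audit and the sample values are made up for illustration, and the CA is assumed to be PEM text.

```shell
# Added example, not Gel tooling. gel_env_audit is a hypothetical helper.
# Assumption: the CA certificate is PEM text.
# Prints findings; exit status 0 = no FAIL, 1 = at least one FAIL.
gel_env_audit() (
  fail=0
  report() {
    echo "$1: $2"
    if [ "$1" = FAIL ]; then fail=$((fail + 1)); fi
  }

  # 1. The DSN must be set and must not carry the guide's placeholders.
  case "${GEL_DSN:-}" in
    "") report FAIL "GEL_DSN is not set" ;;
    *"<password>"*|*"<hostname>"*)
      report FAIL "GEL_DSN still contains a template placeholder" ;;
  esac

  # 2. 'insecure' is the testing setting: no certificate verification.
  if [ "${GEL_CLIENT_TLS_SECURITY:-}" = insecure ]; then
    report FAIL "GEL_CLIENT_TLS_SECURITY=insecure skips certificate verification"
  fi

  # 3. A configured CA must actually contain a certificate.
  if [ -n "${GEL_TLS_CA_FILE:-}" ]; then
    if [ ! -r "$GEL_TLS_CA_FILE" ]; then
      report FAIL "GEL_TLS_CA_FILE is not readable: $GEL_TLS_CA_FILE"
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$GEL_TLS_CA_FILE"; then
      report FAIL "GEL_TLS_CA_FILE contains no PEM certificate"
    fi
  elif [ -n "${GEL_TLS_CA:-}" ]; then
    case "$GEL_TLS_CA" in
      *"-----BEGIN CERTIFICATE-----"*) ;;
      *) report FAIL "GEL_TLS_CA contains no PEM certificate" ;;
    esac
  else
    report WARN "no CA set: a self-signed server certificate will not verify"
  fi

  [ "$fail" -eq 0 ]
)

# Constructed sample: the testing settings from this guide must be rejected.
( GEL_DSN='gel://admin:example-pw@gel.example.internal:5656'
  GEL_CLIENT_TLS_SECURITY=insecure
  gel_env_audit ) || echo "refusing to start with testing settings"
```

Call it from the container entrypoint or a deploy pipeline step and stop on a non-zero status.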
Local development with the CLI
To make your remote instance easier to work with during local development,
create an alias using gel instance link.
The command groups gel instance and gel project are not
intended to manage production instances.
$ gel instance link \
    --dsn "$GEL_DSN" \
    --non-interactive \
    --trust-tls-cert \
    my_aws_instance
You can now refer to the remote instance using the alias my_aws_instance.
Use this alias wherever an instance name is expected:
$ gel -I my_aws_instance
Gel x.x
Type \help for help, \quit to quit.
gel>
Or apply migrations:
$ gel -I my_aws_instance migrate
Health Checks
Using an HTTP client, you can perform health checks to monitor the status of your Gel instance. Learn how to use them with our health checks guide.