Since early October a new SAS Viya QuickStart has been made available for Google Cloud Platform.
This tool is a great fit if you want to quickly deploy a "ready to use" SAS Viya 3.4 environment in the Google Cloud Platform without having to go through the process of Cloud provisioning (choosing machines, storage, load-balancers, configuring networks, firewall rules, etc...) and Viya pre-requisite and deployment.
Read carefully the README file provided in the GitHub project and after some configuration, you can provision and deploy a full Viya environment in GCP by running a single command in the Google SDK command-line.
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
If you want to better understand how the QuickStart works and learn from real hands-on experience, keep on reading...:)
As it turned out to be a longer article than expected, here is a table of content below that you can use to jump directly to the topic of your interest:
There are many ways to automate the provisioning and deployment of an application or a Software in the Google Cloud Platform (aka GCP).
One can use automation tools which have connectors to Cloud provider (such as ansible) or specialized IaaC (Infrastructure as a code) tools such as Terraform.
But what we provide in the QuickStart is a "Google Deployment Template" for the Google Deployment Manager which is the official way to go and is documented by Google.
This GitHub project is the main source of instructions and documentation for the Viya Quick Start: https://github.com/sassoftware/quickstart-sas-viya-gcp
Let's have a look at the architecture, pre-requisites and see what it takes to use the QuickStart to deploy and run Viya in the Google Cloud Platform.
The diagram below comes from the GitHub project README file.
The QuickStart creates the GCP infrastructure for you. The QuickStart focuses on a subset of the Viya offerings and available topologies available to customers who have licensed SAS:
The deployment also includes a local openLDAP server (Instructions are provided to create new users). Post-deployment instructions are provided to:
It is also important to note that currently, there is no single point and click license agreement with Google & SAS, for running SAS Viya in GCP. Therefore, there is no contractual support from Google. And whoever uses the QuickStart is responsible for the costs of the GCP resources that are consumed by its deployment.
During our tests, we discovered that there was an additional level of requirement relating to the GCP account. This relates to the IAM role.
The service account XXXXXXXXXXXX@cloudservices.gserviceaccount.com, associated to the GCP project, needs to have the "Project IAM Admin" role.
This role is required to allow the necessary privileges to execute the "setIamPolicy" command that is used by the QuickStart template.
The user account you are using to do that (like firstname.lastname@example.org) needs to have the "Owner role" on the Google Cloud project. So, for a customer it is someone who likely plays the role of the administrator of the project.
The deployment process, itself is straight forward:
1) Grab a "jumphost" machine from where you can install git then the GCP SDK (gcloud commands) and configure it to work with a Google Cloud Project (the "jumphost" can be your own laptop, a VM or a container running on your laptop or a machine in Openstack)
2) Clone the "Viya for GCP QuickStart" project from GitHub
git clone https://github.com/sassoftware/quickstart-sas-viya-gc
3) Edit a few settings in a configuration file (instance size, GCP Zone ,etc...)
4) Run a single command to deploy the template.
Then wait 1 to 2 hours and BADABOUM! You have a brand new Viya deployment up and running in the Google Cloud!
Looks nice and easy, right?
But...as with other deployments, the need to pay attention to the detail is critical.
Well...behind these 4 simple steps, there are some instructions that might not appear so clear if you are new to the Google Cloud Platform. For example, you might have missed or misunderstood one of the values required in the configuration or maybe you did not know how to prepare the deployment data file in the GCS bucket, or your deployment was successful but you are not able to open the "SAS Logon" page, because you made a mistake in the Ingress rules definitions...hopefully the next section will be helpful.
To run a Viya platform in GCP, you need to make a license file available for it, right?
For that you must make the license available in the Google Storage services, called "Google Cloud Storage" (equivalent of S3 in AWS).
In the GCP console, find the Storage service and click on "Browser".
Just click on "Create Bucket", give it a name.
Then, in this new bucket, you can upload the "SAS_Data_Deployment.zip" file that is attached to your Software Order Email confirmation (which contains the license itself).
Finally, if you click on the uploaded file, you can see the URI.
Of course, you could automate all these steps by simply running a few Google SDK commands (like
Copy the URI value. This is what you will need in the configuration file (for the
This is the most important step for the GCP quick start. If it is correctly set, then there should not be any issue with your deployment. Let's have a look as this file.
The README file has a nice table which provides some help to understand what we are supposed to provide for the configuration variables.
However, some parameters involve a little more work than others.
Although it does not appear in the above Configuration table, you also need to provide the GCP deployment zone.
If you leave the default value (GCP_ZONE), the deployment will fail.
The QuickStart creates a Bastion machine in GCP from which you can orchestrate the other machines.
If you don't have one already, create a key-pair with a command like this:
ssh-keygen -q -t rsa -N '' -f ~/.ssh/frapovqs
The command creates 2 files in your ".ssh" folder: frarpovqs and frarpovqs.pub which respectively contain the private and the public key.
The public key needs to be configured in the GCP VM (and the QuickStart does it for you) so you can connect with SSH using the private key as your credential.
We need to copy the content of the .pub file and set it as the value of the SSHPublicKey varaiable in the configuration file, it should look like in the example below:
SSHPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDY9wbxpRk19YwPtjYJOyyRlrUwDR9WiVLRD/obbY887JpPd5DDSsgdy4/t+KVUu8x8Ma8XiXG7aeP6iAr+kXmnag7/Gn1cFd4AbjUmjaoWNZIg3tsCWiWt2xo14nSzu980Py3VvXX8/mu681bLQfA7MdjlroAMDI4y2xWneldJhPELe02HrQHNtT/5feWiPDfmgdD+0AdjfyF/eFDna3TFXjkp5tVRrSnLf46IIzHwntTLawBiG/DSBs45G7r31AbEqT7Yaiz1pn48CbD5qzddNhQXFlmTvUnAJgzMJpvZuIXaRc6WDm45wPMSGphR8zpddPgrG8eMpQKOHxsO/7xH email@example.com
Make sure the value is on one single line.
It corresponds to the "SAS_Data_Deployment.zip" file that we placed. We need to provide the URI of the file in GCS.
These parameters allow the opening or restriction of network access from the outside to the environment that gets deployed in GCP.
As an example, here are the values I used:
AdminIngressLocation: 22.214.171.124/32 # Allow inbound HTTP(S) traffic to the Web Server from this CIDR block (IP address range). Must be a valid IP CIDR range of the form x.x.x.x/x. WebIngressLocation: 126.96.36.199/32
As I used the range "32", it means that only the specified IP address can can connect to the Bastion host in GCP.
[centos@frarpo-jumphost ~]$ curl https://www.whatismyip.org/ | grep "Your IP" % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0<h3 class="text-center global-ip"><strong>Your IP:</strong> <a href="/my-ip-address">188.8.131.52</a></h3> 100 36377 0 36377 0 0 74097 0 --:--:-- --:--:-- --:--:-- 74087
If you are not so comfortable with the CIDR IP range notation (with the "/") you can use this handy calculator: https://mxtoolbox.com/subnetcalculator.aspx# to understand how many IP addresses correspond to a specific CIDR IP range.
Once everything is ready in the configuration file, just run the magic command:
gcloud deployment-manager deployments create frarpo-deployment --config ~/gcpquickstart/quickstart-sas-viya-gcp/templates/sas-viya-config.yaml --async
When you run this command, after 2 seconds you see:
The fingerprint of the deployment is iayJnj_Es9_eA-hP0D9raQ== NAME TYPE STATUS TARGET ERRORS WARNINGS operation-1572527013070-596347a03863e-7c1fc568-999c9dff insert RUNNING frarpo-deployment   [centos@frarpo-jumphost ~]
If it is the first time you do it, it's worth monitoring the deployment...because it may fail (see below for my own troubleshooting experience). If you are confident and did it before with success, you can go for a walk and come back 1 or 2 hours later.
You can monitor what's going on with the GCP web console:
You can click on it to have more details on the deployment progress from the Google cloud perspective.
Now if you want to see deployment logs from a Viya perspective, follow the instructions in the README file to select the ansible controller VM and see the "Serial port 1" log:
The README file provides some Troubleshooting guidelines.
Here is a little feedback from my own troubleshooting experience...As many people have said "learning from failures is the best way to learn"
Click on the link provided in the error message:
And enable it.
Another issue that I faced was related to missing privileges for the service account.
After adding the right role or privilege to the GCP project service account ("Project IAM Admin" role" as explained in the pre-requisite section), the issue was resolved.
A successful deployment will look like this:
Note: The warnings come from the fact that the OS image used by the QuickStart has been fixed to a specific version to avoid a known issue (http://support.sas.com/kb/64/703.html) of Viya 3.4 and specific versions of systemd in Linux.
As explained in the GitHub README you can find the IP address to access your newly deployed environment by browsing in the GCP console (Network Services then Load-balancing, advanced view)
Assuming you have the correct information, you should be able to login with the sasadmin account and see something like:
Otherwise you will see something like:
This error likely means that the network security configuration (created by the Viya QuickStart deployment) does not allow you to access the load balancer.
In such case, go in the "Network Security", then "Cloud Armor" and check if the access rule match with your local IP address, like below:
Check out https://www.whatismyip.com/ if you are not sure what your IP address is).
Finally, you can also access though ssh, from your jumphost machine with the sasinstall account to the ansible controller machine, like:
ssh -i ~/.ssh/frapovqs firstname.lastname@example.org
There is a parameter for it in the configuration file (otherwise the ansible controller will instruct GCP VMs to download the SAS packages from the SAS Hosted repository machines on Internet)
An openLDAP server is installed as part of the QuickStart deployment, the Viya service GCP VM will get the OpenLDAP playbook (thanks to Erwan Granger) from https://github.com/sassoftware/quickstart-sas-viya-common and run it to deploy and configure openLDAP and also SSSD.
However, the environment could then be configured to point to a real LDAP server (such as the customer corporate Active Directory server) as long it is available from the GCP VPC network.
The README file provides instructions on how to add new users.
When you run the single command to perform the deployment in GCP, you don't need to specify explicitly state your Google account and Google project, because it is already configured in the Google SDK configuration.
But if you are working with multiple Google projects, you have to be careful because you need to point to the project where you plan to deploy Viya.
Show current project:
gcloud config get-value core/project sas-gelsandbox
gcloud config set project sas-gelsandbox Updated property [core/project].
List VM instances in the current project:
gcloud compute instances list
The great thing with the Google Deployment Manager is that all the resources created by a deployment are considered as a single entity, the "deployment" object. So if we want to get rid of the deployed environment and all associated resources (network, load-balancer, accounts, etc...) it is very easy, you just need to run a command like:
gcloud deployment-manager deployments delete frarpo-deployment
The QuickStart is great to quickly stand-up a pre-defined Viya environment in GCP with the proper cloud provisioning (service accounts, machines, networks, load-balancer).
Once you have used it, you can save some "cloud money" by removing it (and all associated resources) as easily as you created it and then whenever you need it again, recreate it with the same single command.
As it is provided as free source code in GitHub, the QuickStart can also be a great baseline for anyone who would like to extend it for more complex deployments or to build its own Viya IaaC framework.
Many thanks to Dante Bergamasco for his help and support in the write up of this article.
Thanks for reading!
Registration is open! SAS is returning to Vegas for an AI and analytics experience like no other! Whether you're an executive, manager, end user or SAS partner, SAS Innovate is designed for everyone on your team. Register for just $495 by 12/31/2023.
If you are interested in speaking, there is still time to submit a session idea. More details are posted on the website.
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.