IAM Role Setup for Installation into AWS

If using the IAM role method to define access for an Avi Vantage installation in Amazon Web Services (AWS), use the steps in this article to set up the IAM roles before beginning deployment of the Avi Controller EC2 instance.

IAM roles, policies and JSON files used in this article:

  Role: vmimport (trust policy: vmimport-role-trust.json)
    Policy: vmimport (inline; vmimport-role-policy.json)
    Description: Allows the Avi SE VM to be imported into AWS. Without this IAM role, the Avi SE cannot be launched. This role is associated with the AWS account (not with the Avi Controller).
    Required: Yes

  Role: AviController-Refined-Role (trust policy: avicontroller-role-trust.json)
    Policy: AviController-EC2-Policy (avicontroller-role-policy.json)
    Description: Allows the Avi Controller instance to be installed.
    Required: Yes

    Policy: AviController-R53-Policy (avicontroller-role-r53-policy.json)
    Description: Allows access to the AWS cloud's DNS service (Route 53).
    Required: No

IAM Role Setup for Avi Vantage Installation into AWS

To begin, download the readme and the JSON files for the IAM role and policies onto a host that has the AWS CLI.

Then use one of the following workflows to set up the IAM roles:

Using the CLI

Run the AWS CLI commands from the directory where you saved the files; the file:// paths below are relative to it.

Step 1. Create the VM Import Service Role

Use the following commands to create a role named "vmimport" and give it the required permissions as an inline policy.


aws iam create-role --role-name vmimport --assume-role-policy-document file://vmimport-role-trust.json
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://vmimport-role-policy.json

Step 2. Create the required policies for the Avi Controller role

AviController-Refined-Role is the role that the Avi Controller instance assumes through its instance profile. Run the following commands (skip the third one if the AWS DNS service will not be used; see the Note below).


aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json
aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-role-policy.json
aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-role-r53-policy.json

Step 3. Attach Policies to the Avi Controller role

Once the policies created in Step 2 exist (AviController-EC2-Policy, AviController-R53-Policy, AviController-IAM-Policy, etc.), attach them to AviController-Refined-Role. Each attach command needs the policy ARN, which includes your AWS account ID.


aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-EC2-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-R53-Policy"

Step 4. Create an instance profile and add the Avi Controller role to it. The instance profile is what you select when launching the Controller EC2 instance.


aws iam create-instance-profile --instance-profile-name AviController-Refined-Role
aws iam add-role-to-instance-profile --instance-profile-name AviController-Refined-Role --role-name AviController-Refined-Role

Note:

  • Do not run the commands that create and attach the AviController-R53-Policy unless the AWS DNS service (Route 53) will be used.
  • The aws iam put-role-policy command creates an inline policy in the role (as opposed to a managed policy attached with attach-role-policy).
  • Make sure to replace "123456789012" in the policy ARNs with the applicable AWS account ID.
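The four CLI steps above, collected into one re-runnable script. This is an added example and is not part of the original article or the Avi readme. It assumes the JSON files from the readme are in the current directory, that the AWS CLI is configured with credentials allowed to manage IAM, and that jq is installed for validating the JSON before any IAM call is made; the helper names (valid_account_id, policy_arn, check_json, setup) are the example's own. Unlike the raw command list, it reads the account ID from STS instead of requiring you to edit 123456789012 into the ARNs, skips resources that already exist so it can be re-run after a partial failure, creates the Route 53 policy only when asked, and finishes by printing the Controller role's trust policy and attached policies so they can be reviewed before the instance is launched.

```bash
#!/bin/sh
# Added example, not part of the original article or the Avi readme.
# Assumes: the JSON files from the readme are in the current directory, the AWS
# CLI is configured with credentials that may manage IAM, and jq is installed.
# Role, policy and file names are the ones from the table above.
set -eu

VMIMPORT_ROLE="vmimport"
CTRL_ROLE="AviController-Refined-Role"
EC2_POLICY="AviController-EC2-Policy"
R53_POLICY="AviController-R53-Policy"

# True if $1 is a 12-digit AWS account ID (the value that replaces 123456789012).
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# policy_arn ACCOUNT_ID POLICY_NAME -> the customer-managed policy ARN that
# attach-role-policy expects. Refuses a malformed account ID rather than
# producing an ARN that IAM will reject later.
policy_arn() {
  valid_account_id "$1" || { echo "policy_arn: bad account id '$1'" >&2; return 1; }
  printf 'arn:aws:iam::%s:policy/%s' "$1" "$2"
}

# Fail before touching IAM if an input file is missing or is not valid JSON,
# so a typo cannot leave the sequence half applied.
check_json() {
  [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
  jq -e . "$1" >/dev/null || { echo "not valid JSON: $1" >&2; return 1; }
}

role_exists()    { aws iam get-role --role-name "$1" >/dev/null 2>&1; }
policy_exists()  { aws iam get-policy --policy-arn "$1" >/dev/null 2>&1; }
profile_exists() { aws iam get-instance-profile --instance-profile-name "$1" >/dev/null 2>&1; }

# setup [r53]: run Steps 1-4. Pass "r53" only if the AWS DNS service will be used.
setup() {
  with_r53="${1:-no}"
  account_id=$(aws sts get-caller-identity --query Account --output text)
  valid_account_id "$account_id" || { echo "cannot determine account id" >&2; return 1; }

  for f in vmimport-role-trust.json vmimport-role-policy.json \
           avicontroller-role-trust.json avicontroller-role-policy.json; do
    check_json "$f"
  done
  [ "$with_r53" != r53 ] || check_json avicontroller-role-r53-policy.json

  # Step 1: VM Import service role. put-role-policy writes an inline policy and
  # overwrites on repeat, so only the create-role call needs a guard.
  role_exists "$VMIMPORT_ROLE" || aws iam create-role --role-name "$VMIMPORT_ROLE" \
      --assume-role-policy-document file://vmimport-role-trust.json
  aws iam put-role-policy --role-name "$VMIMPORT_ROLE" --policy-name vmimport \
      --policy-document file://vmimport-role-policy.json

  # Step 2: Controller role and its managed EC2 policy (create-policy fails if
  # the policy already exists, hence the guard).
  role_exists "$CTRL_ROLE" || aws iam create-role --role-name "$CTRL_ROLE" \
      --assume-role-policy-document file://avicontroller-role-trust.json
  ec2_arn=$(policy_arn "$account_id" "$EC2_POLICY")
  policy_exists "$ec2_arn" || aws iam create-policy --policy-name "$EC2_POLICY" \
      --policy-document file://avicontroller-role-policy.json

  # Step 3: attach (attach-role-policy succeeds if the policy is already attached).
  aws iam attach-role-policy --role-name "$CTRL_ROLE" --policy-arn "$ec2_arn"
  if [ "$with_r53" = r53 ]; then
    r53_arn=$(policy_arn "$account_id" "$R53_POLICY")
    policy_exists "$r53_arn" || aws iam create-policy --policy-name "$R53_POLICY" \
        --policy-document file://avicontroller-role-r53-policy.json
    aws iam attach-role-policy --role-name "$CTRL_ROLE" --policy-arn "$r53_arn"
  fi

  # Step 4: instance profile named like the role. An instance profile holds at
  # most one role, so add the role only if it is not already in the profile.
  profile_exists "$CTRL_ROLE" || aws iam create-instance-profile --instance-profile-name "$CTRL_ROLE"
  n=$(aws iam get-instance-profile --instance-profile-name "$CTRL_ROLE" \
        --query "length(InstanceProfile.Roles[?RoleName=='$CTRL_ROLE'])" --output text)
  [ "$n" != 0 ] || aws iam add-role-to-instance-profile \
      --instance-profile-name "$CTRL_ROLE" --role-name "$CTRL_ROLE"

  # Show what the Controller will be able to do: who may assume the role, and
  # which managed policies are attached. Review both before launching the instance.
  aws iam get-role --role-name "$CTRL_ROLE" --query Role.AssumeRolePolicyDocument
  aws iam list-attached-role-policies --role-name "$CTRL_ROLE" --output table
}

# IAM is only touched when invoked as:  sh avi-iam-setup.sh setup [r53]
case "${1:-}" in
  setup) setup "${2:-no}" ;;
esac
```

Run it once with `sh avi-iam-setup.sh setup` (add `r53` as the second argument if Route 53 will be used). Because every create call is guarded by an existence check, re-running after a failed step picks up where it left off instead of stopping on EntityAlreadyExists.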

Using the Web Interface

  1. Log into the AWS console using your AWS customer account.
  2. Select Roles, open the vmimport role (created with the trust policy in vmimport-role-trust.json), then click Attach Policy.
  3. Select the Custom Policy radio button, then click Select.
  4. Enter the name "vmimport" and copy-and-paste the contents of the vmimport-role-policy.json file into the Policy Document field. Then select Review Policy. The policy name should be "vmimport" and the policy should be in the Policy Document field. If so, click Apply Policy. The new policy appears in the Inline Policies list.
  5. Select Policies, and click Create Policy.
  6. Click Select next to Create Your Own Policy.
  7. Enter the name "AviController-EC2-Policy" and copy-and-paste the contents of the avicontroller-role-policy.json file into the Policy Document field. Click Create Policy.
  8. If Avi Vantage will use the AWS DNS service, create a policy named "AviController-R53-Policy" and copy-and-paste the contents of the avicontroller-role-r53-policy.json file into the Policy Document field. Then click Create Policy. The new policies appear in the list.
  9. Select Roles > Create New Role.
  10. Enter the role name for the Avi Controller role. Use "AviController-Refined-Role" to match the JSON file.
  11. Select the role type for the Avi Controller, Amazon EC2. Then click Next Step.
  12. Select the policies to attach to the role (AviController-EC2-Policy and, if the AWS DNS service will be used, AviController-R53-Policy). Click Next Step.
  13. Review the role information, then click Create Role. The new role should be in the list.

After completing the IAM role setup steps above, go here to install the Avi Vantage EC2 instance.

Updated: 2018-01-18 08:34:05 +0000