IAM Role Setup for Installation into AWS

If using the IAM role method to define access for an Avi Vantage installation in Amazon Web Services (AWS), use the steps in this article to set up the IAM roles before beginning deployment of the Avi Controller EC2 instance.

IAM Role Name (trust document) | Policy Name (policy document) | Description | Required
vmimport (vmimport-role-trust.json) | vmimport (vmimport-role-policy.json) | Enables the Avi SE VM to be imported into AWS. Without this IAM role, the Avi SE cannot be launched. This role is associated with the AWS account (not with the Avi Controller). | Yes
AviController-Refined-Role (avicontroller-role-trust.json) | AviController-EC2-Policy (avicontroller-role-policy.json) | Enables the Avi Controller instance to be installed. | Yes
AviController-Refined-Role | AviController-R53-Policy (avicontroller-role-r53-policy.json) | Enables access to the AWS cloud's DNS. | No
AviController-Refined-Role | AviController-AutoScalingGroup-Policy (avicontroller-role-auto-scaling-group-policy.json) | Enables read access to the AWS cloud's Auto Scaling groups. | No
AviController-Refined-Role | AviController-SNS-Policy (avicontroller-sns-policy.json) | Enables the Avi Controller to use the SNS feature for Auto Scaling groups. | No
AviController-Refined-Role | AviController-SQS-Policy (avicontroller-sqs-policy.json) | Enables the Avi Controller to use the SQS feature for Auto Scaling groups. | No
AviController-Refined-Role | AviController-ASG-Notification (avicontroller-asg-notification-policy.json) | Allows the Avi Controller to receive ASG notifications when the SNS and SQS features are enabled. | No

To begin, download the readme and the JSON files for the IAM role and policies onto a host that has the AWS CLI.

Then use one of the following workflows to set up the IAM roles:

Using the AWS CLI

The AWS CLI needs to be run from the same directory in which you save the files.

Step 1. Create the VM Import Service Role

Use the following commands to create a role named “vmimport” with the required permissions.


aws iam create-role --role-name vmimport --assume-role-policy-document file://vmimport-role-trust.json
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://vmimport-role-policy.json

Step 2. Create the required policies for the Avi Controller role

AviController-Refined-Role is the role that will be attached to the Avi Controller via the instance profile. Run the following commands.


aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json
aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-role-policy.json
aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-role-r53-policy.json
aws iam create-policy --policy-name AviController-AutoScalingGroup-Policy --policy-document file://avicontroller-role-auto-scaling-group-policy.json
aws iam create-policy --policy-name AviController-SNS-Policy --policy-document file://avicontroller-sns-policy.json
aws iam create-policy --policy-name AviController-SQS-Policy --policy-document file://avicontroller-sqs-policy.json
aws iam create-policy --policy-name AviController-ASG-Notification --policy-document file://avicontroller-asg-notification-policy.json

Note: The following policies are optional; they cover the AWS DNS service and the SNS-SQS feature and are not needed for the basic setup.

  • AviController-R53-Policy
  • AviController-AutoScalingGroup-Policy
  • AviController-SNS-Policy
  • AviController-SQS-Policy
  • AviController-ASG-Notification

Step 3. Attach policies to the Avi Controller role

Once the policies from Step 2 (AviController-EC2-Policy, AviController-R53-Policy, and so on) have been created, attach them to AviController-Refined-Role.


aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-EC2-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-R53-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-AutoScalingGroup-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SNS-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SQS-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-ASG-Notification"

Note: The following policies are optional; they cover the AWS DNS service and the SNS-SQS feature, and it is not necessary to attach them to the Avi Controller role for the basic setup.

  • AviController-R53-Policy
  • AviController-AutoScalingGroup-Policy
  • AviController-SNS-Policy
  • AviController-SQS-Policy
  • AviController-ASG-Notification

Step 4. Create an instance profile and add the Avi Controller role to it


aws iam create-instance-profile --instance-profile-name AviController-Refined-Role
aws iam add-role-to-instance-profile --instance-profile-name AviController-Refined-Role --role-name AviController-Refined-Role

Note:

  • The aws iam put-role-policy command creates an inline policy in the role (as opposed to an attached managed policy).
  • Make sure to replace “123456789012” with the applicable AWS account ID.
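The four CLI steps above, wrapped in a POSIX shell script as an added example (this is not a script shipped with Avi Vantage). It goes beyond the article in three ways: it looks up the account ID with aws sts get-caller-identity instead of hard-coding 123456789012, it skips roles, policies and the instance profile that already exist so an interrupted run can be repeated, and it creates the optional DNS and Auto Scaling policies only when AVI_OPTIONAL=1 is set. The file names, role name and policy names are the ones from the table; AVI_OPTIONAL and the "apply" argument are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the Avi documentation: Steps 1-4 as functions.
# Run from the directory holding the downloaded JSON files: sh setup-avi-iam.sh apply
set -eu
ROLE=AviController-Refined-Role

# Build the ARN of a customer-managed policy from an account ID and a policy name.
policy_arn() { printf 'arn:aws:iam::%s:policy/%s\n' "$1" "$2"; }

# Print each named file that is not present in the current directory.
missing_files() { for f in "$@"; do [ -f "$f" ] || printf '%s\n' "$f"; done; }

# Create a role from its trust document unless a role of that name already exists.
ensure_role() {    # ensure_role <role-name> <trust-file>
    aws iam get-role --role-name "$1" >/dev/null 2>&1 ||
        aws iam create-role --role-name "$1" --assume-role-policy-document "file://$2"
}

# Create a managed policy unless it exists, then attach it to $ROLE (attach is idempotent).
ensure_attached() {    # ensure_attached <account-id> <policy-name> <policy-file>
    arn=$(policy_arn "$1" "$2")
    aws iam get-policy --policy-arn "$arn" >/dev/null 2>&1 ||
        aws iam create-policy --policy-name "$2" --policy-document "file://$3"
    aws iam attach-role-policy --role-name "$ROLE" --policy-arn "$arn"
}

# Steps 1-4. Optional policies (DNS, Auto Scaling, SNS/SQS) only when AVI_OPTIONAL=1.
setup_avi_iam() {
    missing=$(missing_files vmimport-role-trust.json vmimport-role-policy.json \
                            avicontroller-role-trust.json avicontroller-role-policy.json)
    [ -z "$missing" ] || { echo "missing in $(pwd): $missing" >&2; return 1; }
    account=$(aws sts get-caller-identity --query Account --output text)
    ensure_role vmimport vmimport-role-trust.json                       # Step 1
    aws iam put-role-policy --role-name vmimport --policy-name vmimport \
        --policy-document file://vmimport-role-policy.json
    ensure_role "$ROLE" avicontroller-role-trust.json                    # Steps 2 and 3
    ensure_attached "$account" AviController-EC2-Policy avicontroller-role-policy.json
    if [ "${AVI_OPTIONAL:-0}" = "1" ]; then
        ensure_attached "$account" AviController-R53-Policy avicontroller-role-r53-policy.json
        ensure_attached "$account" AviController-AutoScalingGroup-Policy avicontroller-role-auto-scaling-group-policy.json
        ensure_attached "$account" AviController-SNS-Policy avicontroller-sns-policy.json
        ensure_attached "$account" AviController-SQS-Policy avicontroller-sqs-policy.json
        ensure_attached "$account" AviController-ASG-Notification avicontroller-asg-notification-policy.json
    fi
    aws iam get-instance-profile --instance-profile-name "$ROLE" >/dev/null 2>&1 || {   # Step 4
        aws iam create-instance-profile --instance-profile-name "$ROLE"
        aws iam add-role-to-instance-profile --instance-profile-name "$ROLE" --role-name "$ROLE"; }
    aws iam list-attached-role-policies --role-name "$ROLE"   # compare with the table
}

# Only act when invoked with "apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then setup_avi_iam; fi
```

The final list-attached-role-policies call prints what is actually attached to the role, so the result can be checked against the Required column of the table before launching the Controller.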

Using the Web Interface

1. Log into the AWS console using your AWS customer account. Select Roles, then click Attach Policy.

2. Select the Custom Policy option, then click Select.

3. Enter the name “vmimport” and copy and paste the contents of the avicontroller-role-policy.json file into the Policy Document field. Then select Review Policy. The policy name should be “vmimport” and the policy should be in the Policy Document field. If everything is correct, click Apply Policy. The new policy appears in the Inline Policies list.

4. Select Policies, and click Create Policy. Click Select in the Create Your Own Policy box.

5. Enter the name “AviController-EC2-Policy” and copy and paste the contents of the avicontroller-role-policy.json file into the Policy Document field. Click Create Policy.

6. If Avi Vantage will use the AWS DNS service, create a policy named “AviController-R53-Policy” and copy and paste the contents of the avicontroller-role-r53-policy.json file into the Policy Document field. Then click Create Policy. The new policies appear in the list. Similarly, create policies for AWS Auto Scaling groups and SNS-SQS (refer to the table at the start of this article).

Note: Policies for DNS, Auto Scaling groups and SNS-SQS are optional.

7. Select Roles and choose Create New Role.

8. Enter the role name for the Avi Controller role. Use “AviController-Refined-Role” to match the JSON file.

9. Select the role type for the Avi Controller, “Amazon EC2”. Then click Next Step.

10. Select the policies to attach to the role(s). Click Next Step.

11. If using AWS Auto Scaling groups or the SNS-SQS feature, also select the corresponding policies from the table (AviController-AutoScalingGroup-Policy, AviController-SNS-Policy, AviController-SQS-Policy and AviController-ASG-Notification).

12. Review the role information, and then click Create Role. The new roles should be in the list.

After completing the IAM role setup steps above, refer to Installing Avi Vantage in Amazon Web Services to install the Avi Vantage EC2 instance.

Updated: 2018-01-23 19:26:26 +0000