IAM Role Setup for Installation into AWS

If using the IAM role method to define access for an Avi Vantage installation in Amazon Web Services (AWS), use the steps in this article to set up the IAM roles before beginning deployment of the Avi Controller EC2 instance.

IAM Role Name (trust policy file) | Policy Name (policy file) | Description | Required
--- | --- | --- | ---
vmimport (vmimport-role-trust.json) | vmimport (vmimport-role-policy.json) | Enables the Avi SE VM to be imported into AWS. Without this IAM role, the Avi SE cannot be launched. This role is associated with the AWS account (not with the Avi Controller). When importing this role, the name must be specified as "vmimport". | Yes
AviController-Refined-Role (avicontroller-role-trust.json) | AviController-EC2-Policy (avicontroller-role-policy.json) | Enables the Avi Controller instance to be installed. | Yes
 | AviController-IAM-Policy (avicontroller-role-iam-policy.json) | Enables access to retrieve IAM roles and policy information. | Yes
 | AviController-R53-Policy (avicontroller-role-r53-policy.json) | Enables access to the AWS cloud's DNS. | No
 | AviController-AutoScalingGroup-Policy (avicontroller-role-auto-scaling-group-policy.json) | Enables read access to the AWS cloud's Auto Scaling groups. | No
 | AviController-SNS-Policy (avicontroller-sns-policy.json) | Enables the Avi Controller to use the SNS feature for Auto Scaling groups. | No
 | AviController-SQS-Policy (avicontroller-sqs-policy.json) | Enables the Avi Controller to use the SQS feature for Auto Scaling groups. | No
 | AviController-ASG-Notification (avicontroller-asg-notification-policy.json) | Allows the Avi Controller to receive ASG notifications when the SNS and SQS features are enabled. | No
 | AviController-KMS-Policy, added with 17.2.8 (avicontroller-kms-policy.json) | Enables the Avi Controller to list the encryption keys in the Avi UI and decrypt encrypted messages (required when using SQS encryption). | No

To begin, download the readme and the JSON files for the IAM role and policies onto a host that has the AWS CLI.

Then use one of the following workflows to set up the IAM roles:

Using the AWS CLI

The AWS CLI needs to be run from the same directory in which you save the files.

Step 1. Create the VM Import Service Role

Use the following commands to create a role named “vmimport” with the required permissions.


aws iam create-role --role-name vmimport --assume-role-policy-document file://vmimport-role-trust.json
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://vmimport-role-policy.json

Step 2. Create the required policies for the Avi Controller role

AviController-Refined-Role is the role that will be attached to the Avi Controller via the instance profile. Run the following commands to create the role and its policies.


aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json
aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-role-policy.json
aws iam create-policy --policy-name AviController-IAM-Policy --policy-document file://avicontroller-role-iam-policy.json
aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-role-r53-policy.json
aws iam create-policy --policy-name AviController-AutoScalingGroup-Policy --policy-document file://avicontroller-role-auto-scaling-group-policy.json
aws iam create-policy --policy-name AviController-SNS-Policy --policy-document file://avicontroller-sns-policy.json
aws iam create-policy --policy-name AviController-SQS-Policy --policy-document file://avicontroller-sqs-policy.json
aws iam create-policy --policy-name AviController-ASG-Notification --policy-document file://avicontroller-asg-notification-policy.json
aws iam create-policy --policy-name AviController-KMS-Policy --policy-document file://avicontroller-kms-policy.json

Note: The following policies are optional. They cover the AWS DNS service and the SNS-SQS feature and are not needed for the basic setup.

  • AviController-R53-Policy
  • AviController-AutoScalingGroup-Policy
  • AviController-SNS-Policy
  • AviController-SQS-Policy
  • AviController-ASG-Notification
  • AviController-KMS-Policy (supported as of release 17.2.8)

Step 3. Attach policies to the Avi Controller role

Once the policies (AviController-EC2-Policy, AviController-R53-Policy, AviController-IAM-Policy, etc.) are created (in Step 2), attach them to the AviController-Refined-Role.


aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-EC2-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-IAM-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-R53-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-AutoScalingGroup-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SNS-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SQS-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-ASG-Notification"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-KMS-Policy"

Note: The following policies are optional. They cover the AWS DNS service and the SNS-SQS feature, and it is not necessary to attach them to the Avi Controller role for the basic setup.

  • AviController-R53-Policy
  • AviController-AutoScalingGroup-Policy
  • AviController-SNS-Policy
  • AviController-SQS-Policy
  • AviController-ASG-Notification
  • AviController-KMS-Policy (supported as of release 17.2.8)

Step 4. Create an instance profile and add the Avi Controller role to it. The instance profile is what gets applied to the Avi Controller EC2 instance.


aws iam create-instance-profile --instance-profile-name AviController-Refined-Role
aws iam add-role-to-instance-profile --instance-profile-name AviController-Refined-Role --role-name AviController-Refined-Role

Notes:

  • The aws iam put-role-policy command creates an inline policy in the role (as opposed to a managed policy attached with attach-role-policy).
  • Make sure to replace “123456789012” in the policy ARNs with the applicable AWS account ID.
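Steps 1 through 4 above, as an added end-to-end script that is not from Avi or this article: it reads the account ID from STS instead of hard-coding it, refuses a trust policy that names a wildcard principal, skips roles, policies and profiles that already exist so it can be re-run, and finishes by listing what is actually attached to the Controller role. It assumes the AWS CLI is configured with credentials that may administer IAM, that the downloaded JSON files sit in the working directory, and that vmimport-role-trust.json trusts the VM Import service principal vmie.amazonaws.com (the principal AWS documents for the service; this page does not state it). The function names, the AVI_IAM_APPLY and AVI_IAM_MODE variables and the self-test documents are ours.

```shell
#!/bin/sh
# Added example, not Avi's own script: runs the page's Step 1-4 sequence with
# the preflight checks a practitioner would want. Assumes the AWS CLI is
# configured with IAM-admin credentials and the downloaded JSON files are in
# the current directory; function names and the AVI_IAM_* variables are ours.
set -eu

ROLE=AviController-Refined-Role
# "policy name:policy document", taken from the table at the top of the page.
REQUIRED="AviController-EC2-Policy:avicontroller-role-policy.json
AviController-IAM-Policy:avicontroller-role-iam-policy.json"
OPTIONAL="AviController-R53-Policy:avicontroller-role-r53-policy.json
AviController-AutoScalingGroup-Policy:avicontroller-role-auto-scaling-group-policy.json
AviController-SNS-Policy:avicontroller-sns-policy.json
AviController-SQS-Policy:avicontroller-sqs-policy.json
AviController-ASG-Notification:avicontroller-asg-notification-policy.json
AviController-KMS-Policy:avicontroller-kms-policy.json"

# An AWS account ID is exactly 12 digits; anything else usually means the
# docs' placeholder 123456789012 was pasted instead of the real ID.
valid_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }

# ARN of a customer-managed policy, as needed by attach-role-policy.
policy_arn() { printf 'arn:aws:iam::%s:policy/%s\n' "$1" "$2"; }

# The trust policy decides who may assume a role. Refuse a wildcard AWS
# principal (any account could assume the role) and require the expected
# service principal. grep is a sanity check only, not a JSON parser.
check_trust() {  # $1 = trust policy file, $2 = expected service principal
  if grep -Eq '"AWS"[[:space:]]*:[[:space:]]*"\*"' "$1"; then
    echo "$1: wildcard principal, refusing" >&2; return 1
  fi
  grep -q "\"$2\"" "$1" || { echo "$1: does not trust $2" >&2; return 1; }
}

# create-policy fails if the name exists, so look the policy up first;
# this keeps the script safe to re-run.
ensure_policy() {  # $1 = account, $2 = policy name, $3 = policy document
  aws iam get-policy --policy-arn "$(policy_arn "$1" "$2")" >/dev/null 2>&1 ||
    aws iam create-policy --policy-name "$2" --policy-document "file://$3" >/dev/null
}

setup_avi_iam() {  # $1 = basic (required policies only) or full (optional too)
  account=$(aws sts get-caller-identity --query Account --output text)
  valid_account_id "$account" || { echo "bad account id: $account" >&2; return 1; }
  # vmie.amazonaws.com is the VM Import service principal from AWS's docs;
  # we assume the page's vmimport-role-trust.json uses it.
  check_trust vmimport-role-trust.json vmie.amazonaws.com
  check_trust avicontroller-role-trust.json ec2.amazonaws.com

  # Step 1: vmimport role; put-role-policy attaches an inline policy.
  aws iam get-role --role-name vmimport >/dev/null 2>&1 ||
    aws iam create-role --role-name vmimport \
      --assume-role-policy-document file://vmimport-role-trust.json >/dev/null
  aws iam put-role-policy --role-name vmimport --policy-name vmimport \
    --policy-document file://vmimport-role-policy.json

  # Steps 2 and 3: Controller role, managed policies, attachments.
  aws iam get-role --role-name "$ROLE" >/dev/null 2>&1 ||
    aws iam create-role --role-name "$ROLE" \
      --assume-role-policy-document file://avicontroller-role-trust.json >/dev/null
  policies="$REQUIRED"
  [ "$1" = full ] && policies="$REQUIRED
$OPTIONAL"
  echo "$policies" | while IFS=: read -r name doc; do
    [ -f "$doc" ] || { echo "missing $doc" >&2; exit 1; }
    ensure_policy "$account" "$name" "$doc"
    aws iam attach-role-policy --role-name "$ROLE" --policy-arn "$(policy_arn "$account" "$name")"
  done

  # Step 4: instance profile named like the role (add fails if already added).
  aws iam get-instance-profile --instance-profile-name "$ROLE" >/dev/null 2>&1 ||
    aws iam create-instance-profile --instance-profile-name "$ROLE" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE" --role-name "$ROLE" 2>/dev/null || true
  # Verify what the Controller will actually be able to do.
  aws iam list-attached-role-policies --role-name "$ROLE" --output table
}

# Offline self-check on constructed trust documents (shaped after AWS's
# documented VM Import trust policy); the second one must be refused.
selftest() {
  good=$(mktemp); bad=$(mktemp)
  printf '%s\n' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",' \
    '"Principal":{"Service":"vmie.amazonaws.com"},"Action":"sts:AssumeRole",' \
    '"Condition":{"StringEquals":{"sts:Externalid":"vmimport"}}}]}' >"$good"
  printf '%s\n' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",' \
    '"Principal":{"AWS":"*"},"Action":"sts:AssumeRole"}]}' >"$bad"
  check_trust "$good" vmie.amazonaws.com && ! check_trust "$bad" vmie.amazonaws.com 2>/dev/null
  rc=$?
  rm -f "$good" "$bad"
  return $rc
}

if [ "${AVI_IAM_APPLY:-0}" = 1 ]; then setup_avi_iam "${AVI_IAM_MODE:-basic}"; fi
```

Run it as `AVI_IAM_APPLY=1 AVI_IAM_MODE=full sh setup-avi-iam.sh` (file name is ours) from the directory holding the JSON files; without AVI_IAM_APPLY the file only defines functions, so it can be sourced to run `selftest` or `check_trust` on your own trust documents before anything is created.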

Using AWS Web Interface

The roles and associated policies described in the previous section can also be created using the AWS web interface (AWS Management Console). This section covers the configuration steps for the following mandatory policies and their associated roles.

  • vmimport (associated with vmimport role)
  • AviController-EC2-Policy (associated with AviController-Refined-Role)
  • AviController-IAM-Policy (associated with AviController-Refined-Role)

Follow the same steps to create the optional policies as required.

Creating vmimport Role

  • Log in to the AWS console using your AWS account. Select Roles, then click Create role.

    [Screenshot: create-role]

  • Select the type of trusted entity (AWS service), choose the service (EC2) that will use this role, and click Next: Permissions.

    [Screenshot: role-entity]

  • Click Create policy, select the JSON tab, copy and paste the content of the JSON file (vmimport-role-policy.json), and click Review policy.

    [Screenshots: create-policy, json, policy, copy-policy]

  • Provide the name for the policy (vmimport) and an optional description, then click Create policy.

    [Screenshot: review-policy]

  • Navigate to Policies and select the policy created in the previous step (the vmimport policy).

    [Screenshot: select-policy]

  • Provide the role name and role description, and click Create role.

    [Screenshot: create-role]

  • Once the role is created, the AWS web interface shows a confirmation message, as in the screenshot below.

    [Screenshot: final-role]

Note: For the vmimport role, the trust relationship must be edited. Navigate to the Trust relationships tab, click Edit, copy the content of vmimport-role-trust.json (listed in the table at the beginning of this article) into the JSON tab, and click Update Trust Policy.

[Screenshots: vm-import, edit-trust-vmimport]

Creating AviController-Refined-Role

Creating Policies

  • Select the Policies option in the AWS web interface, and click Create policy.

    [Screenshot: create-policy-controller]

  • Select the JSON tab, copy the content of the JSON file (avicontroller-role-policy.json), paste it into the JSON box, and click Review policy.

    [Screenshot: controller-policy]

  • Provide the name for the policy (AviController-EC2-Policy) and an optional description, and click Create policy.

    [Screenshot: review-controller-policy]

  • Once the policy is successfully created, the AWS web interface shows a confirmation message.

    [Screenshot: final-policy-controller]

Notes:

  • Follow the same steps to create AviController-IAM-Policy, using the policy name and JSON file given in the table at the beginning of this article.
  • Create the other optional policies as your deployment requires. For example, if Avi Vantage will use the AWS DNS service, create a policy named “AviController-R53-Policy” and copy and paste the contents of the avicontroller-role-r53-policy.json file into the Policy Document field.

Creating Role and Associating with the Required Policies

  • Select Roles, and click Create role.

    [Screenshot: create-role]

  • Select the type of trusted entity (AWS service), choose the service (EC2) that will use this role, and click Next: Permissions.

    [Screenshot: role-entity]

  • Select the policies created in the previous steps (AviController-EC2-Policy and AviController-IAM-Policy), and click Next: Review.

    [Screenshots: review-ec2, select-iam]

  • Provide the role name (AviController-Refined-Role) and an optional description, and click Create role.

    [Screenshot: create-role-ec2]

  • Once the role is created, the AWS web interface shows a confirmation message, as in the screenshot below.

    [Screenshot: ec2-role-created]

The new roles should now appear in the Roles list.

[Screenshot: 2-avi-controller-gui-step10]

After completing the IAM role setup steps above, refer to Installing Avi Vantage in Amazon Web Services to install the Avi Vantage EC2 instance.