IAM Role Manual Setup

To set up an IAM role, consider using the CloudFormation Template that greatly simplifies creation of the role. However, if you prefer to create the role manually, you can do so.

About This Task

To set up an AWS integration in Virtana Platform using the IAM Role, you must complete tasks in both the AWS Console and in Virtana Platform.

After creating your IAM role, wait 2-5 minutes for AWS to finalize its creation before proceeding to the next steps. This ensures the new role has the correct S3 access permissions when added to Virtana Platform.

You can view a list of permissions granted by the IAM role.

Prerequisites

Tip

If you already have an existing IAM role for Virtana Platform but it does not include in-line policies for Cost Explorer or Cost and Usage Reports, you only need to add the policies to the IAM role.

Perform the following three tasks: create a customer managed policy for Cost Explorer, create a customer managed policy for Cost and Usage Reports, and then create the IAM role that these policies are attached to.

Task 1: Create the Cost Explorer policy

  1. In your AWS Console, search for IAM, and select the IAM service.

    [Image: select-IAM.png]

  2. In the navigation pane, select Access Management > Policies and click Create Policy.

  3. Switch to the JSON tab.

  4. Copy and paste the following code into the Policy Document section:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "ce:Get*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  5. Click Next: Tags and add any needed tags.

    Tip

    Adding tags is optional.

  6. Click Next: Review and provide a Name for the policy.

    It is helpful if the name is descriptive, such as CostExplorerAPIReadOnly.

  7. Make a note of the policy name.

    You will need the name to attach this customer managed policy to your IAM role.

  8. Review the permissions summary and click Create Policy.

Task 2: Create the Cost and Usage Reports policy

  1. In your AWS Console, search for IAM, and select the IAM service.

    [Image: select-IAM.png]

    The Identity and Access Management (IAM) dashboard displays.

  2. In the navigation pane, select Access Management > Policies and click Create Policy.

  3. Switch to the JSON tab.

  4. Copy and paste the following code into the Policy Document section:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "cur:DescribeReportDefinitions",
          "Resource": "*"
        }
      ]
    }
    
  5. Click Next: Tags and add any needed tags.

    Tip

    Adding tags is optional.

  6. Click Next: Review and provide a Name for the policy.

    It is helpful if the name is descriptive, such as ReadCostAndUsageReportDefinitions.

  7. Make a note of the policy name.

    You will need the name to attach this customer managed policy to your IAM role.

  8. Review the permissions summary and click Create Policy.
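The two policy documents above are intentionally narrow: the only actions they allow are read-only Cost Explorer queries (ce:Get*) and reading Cost and Usage Report definitions. The following is an added example, not part of the Virtana documentation, that audits a policy document offline before you paste it into the console, flagging anything that is not Allow, any wildcard action, and any action outside a read-only allow-list. The policy documents are copied from the steps above; the allow-list of read-only action patterns and the over-broad policy used as a negative case are constructed for this example.

```python
"""Offline audit of customer managed policies for a read-only integration role.

Added example; not from the Virtana documentation. The read-only pattern
allow-list and the over-broad sample policy are assumptions for illustration.
"""
import fnmatch
import json

# Policy documents copied from the steps above.
COST_EXPLORER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "ce:Get*", "Resource": "*", "Effect": "Allow"}
  ]
}
""")

CUR_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "cur:DescribeReportDefinitions", "Resource": "*"}
  ]
}
""")

# Constructed negative case: a service-wide wildcard plus a write action.
OVER_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ce:*", "cur:PutReportDefinition"], "Resource": "*"}
    ],
}

# Action patterns this example treats as read-only for the two services
# (assumption: adjust to match your own review standard).
READ_ONLY_PATTERNS = ("ce:Get*", "ce:Describe*", "ce:List*", "cur:Describe*")


def _as_list(value):
    """IAM accepts a string or a list for Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy passed the audit."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17 (the current IAM policy language version)")
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: expected Effect Allow, got {stmt.get('Effect')!r}")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: NotAction/NotResource grant broadly; avoid in a read-only policy")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{where}: wildcard action {action!r} is not read-only")
            elif not any(fnmatch.fnmatchcase(action, pat) for pat in READ_ONLY_PATTERNS):
                findings.append(f"{where}: action {action!r} is outside the read-only allow-list")
    return findings


if __name__ == "__main__":
    for name, doc in [("CostExplorerAPIReadOnly", COST_EXPLORER_POLICY),
                      ("ReadCostAndUsageReportDefinitions", CUR_POLICY),
                      ("over-broad sample", OVER_BROAD_POLICY)]:
        result = audit_policy(doc)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

Run it before creating each policy; both documents from the steps above pass, while the constructed over-broad policy produces one finding per offending action.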

Task 3: Create the IAM role

AWS Identity and Access Management (IAM) roles provide the ability to grant permissions to trusted entities. IAM roles issue temporary security credentials that are valid only for the duration of a role session, so no long-lived access keys need to be shared. The IAM read-only role will be used to allow Virtana Platform modules to access AWS APIs.

About This Task

To create an IAM role, you need to perform the following in AWS:

  • Create the IAM role.

  • Select and configure one of the following options:

    • Standard permissions

      The simplest setup. Provides read-only access to everything.

    • Minimal cost permissions

      The most secure setup. Provides Virtana Platform access only to services for which Virtana Platform is collecting data. This would include cost reports and performance metrics for the Optimize module.

      Must be created before being assigned to an IAM Role.

    • Management account permissions

      Provides read-only access only for Cost and Usage Reports for a single S3 bucket for a particular customer.

Prerequisites

  • You need the Account ID and External ID values for the AWS Integration, located on the integration setup form in Virtana Platform.

  • You need the name of the S3 bucket associated with the integration you are creating.

    This is found under AWS Services in the Cost & Usage Reports section.

Steps

  1. In your AWS Console, search for IAM, and select the IAM service.

    [Image: select-IAM.png]

    The Identity and Access Management (IAM) dashboard displays.

  2. In the navigation pane, select Access Management > Roles and click Create Role.

  3. For "type of trusted entity", select Another AWS Account.

    [Image: another-aws-accnt.png]

  4. Provide the Account ID from your Optimize AWS Integration.

    This identifies the Optimize account as the user of this role.

  5. Check Require external ID and provide the External ID from your Optimize AWS Integration.

    Leave Require MFA unchecked.

  6. Click Next: Permissions.

  7. Assign ONE of the following three permission options to the read-only role.
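Steps 3 to 5 above (trusted entity = Another AWS Account, the Account ID, Require external ID checked, Require MFA unchecked) produce the role's trust policy. The following is an added example, not part of the Virtana documentation, that builds the equivalent trust policy document and checks an existing one for the same properties: the principal is exactly the expected account, and an sts:ExternalId condition is present and matches. The account ID and external ID values are constructed placeholders; the real values come from the integration setup form in Virtana Platform.

```python
"""Build and check the cross-account trust policy for the Virtana read-only role.

Added example; not from the Virtana documentation. The account and external
ID values are constructed placeholders, not real identifiers.
"""
import copy
import json

# Constructed placeholders (assumption: replace with the values from the
# integration setup form in Virtana Platform).
TRUSTED_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-from-virtana"


def build_trust_policy(account_id, external_id):
    """Trust policy equivalent to 'Another AWS Account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy, account_id, external_id):
    """Return findings for a trust policy; an empty list means it matches the setup above."""
    findings = []
    # IAM accepts either the root ARN (what the console writes) or the bare account ID.
    expected = {f"arn:aws:iam::{account_id}:root", account_id}
    for idx, stmt in enumerate(policy.get("Statement", [])):
        where = f"Statement[{idx}]"
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue  # only AssumeRole grants matter for who can use the role
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        for p in principals:
            if p == "*":
                findings.append(f"{where}: Principal '*' lets any AWS account assume the role")
            elif p not in expected:
                findings.append(f"{where}: principal {p!r} is not the expected account {account_id}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"{where}: missing sts:ExternalId condition (required for a third-party integration)")
        elif ext != external_id:
            findings.append(f"{where}: sts:ExternalId does not match the integration's External ID")
        if "aws:MultiFactorAuthPresent" in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{where}: MFA condition present; the steps above leave Require MFA unchecked")
    return findings


# Constructed negative case: the same policy with the External ID condition removed.
TRUST_POLICY_WITHOUT_EXTERNAL_ID = copy.deepcopy(build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID))
del TRUST_POLICY_WITHOUT_EXTERNAL_ID["Statement"][0]["Condition"]


if __name__ == "__main__":
    good = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("generated policy findings:", check_trust_policy(good, TRUSTED_ACCOUNT_ID, EXTERNAL_ID))
    print("policy without external ID:",
          check_trust_policy(TRUST_POLICY_WITHOUT_EXTERNAL_ID, TRUSTED_ACCOUNT_ID, EXTERNAL_ID))
```

The printed document is what the console's Trust relationships tab should show for the role; running the check against a role's existing trust policy (for example, the JSON exported from that tab) confirms the external ID condition was not dropped during a later edit.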