IAM Role Manual Setup

To set up an Identity and Access Management (IAM) role, consider using the CloudFormation Template that greatly simplifies creation of the role. However, if you prefer to create the role manually, you can do so.

About This Task

To set up an AWS integration in Virtana Platform using the IAM Role, you must complete tasks in both the AWS Console and in Virtana Platform.

After creating your IAM role, wait 2-5 minutes for AWS to finalize its creation before proceeding to the next steps. This ensures the new role has the correct S3 access permissions when added to Virtana Platform.

You can view a list of permissions granted by the IAM role.

Prerequisites

Tip

If you already have an existing IAM role for Virtana Platform but it does not include in-line policies for Cost Explorer or Cost and Usage Reports, you only need to add the policies to the IAM role.

Perform the following three tasks.

Inline policies provide a one-to-one relationship between a specific policy and a specific user, role, or group. In this case, the inline policy will be embedded in the IAM Role, when that role is created.

  1. In your AWS Console, search for IAM, and select the IAM service.

    select-IAM.png
  2. In the navigation pane, select Access Management > Policies and click Create Policy.

  3. Select the JSON tab and replace the default content with the following code:

    {
       "Version": "2012-10-17",
       "Statement": [
        {
          "Action": "ce:Get*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    
  4. Click Next: Tags and add any needed tags.

    Adding tags is optional.

  5. Click Next: Review and provide a descriptive Name for the policy.

    Example: CostExplorerAPIReadOnly

  6. Make a note of the policy name, review the permissions summary, and click Create Policy.

    You will need the policy name to attach this customer managed policy to your IAM role.

Inline policies provide a one-to-one relationship between a specific policy and a specific user, role, or group. In this case, the inline policy will be embedded in the IAM Role, when that role is created.

  1. In your AWS Console, search for IAM, and select the IAM service.

    select-IAM.png

    The Identity and Access Management (IAM) dashboard displays.

  2. In the navigation pane, select Access Management > Policies and click Create Policy.

  3. Select the JSON tab and replace the default content with the following code:

    {   
      "Version": "2012-10-17",
      "Statement": [
        {
           "Effect": "Allow",
           "Action": "cur:DescribeReportDefinitions",
           "Resource": "*"
        }
      ] 
    }
    
  4. Click Next: Tags and add any needed tags.

    Adding tags is optional.

  5. Click Next: Review and provide a descriptive Name for the policy.

    Example: ReadCostAndUsageReportDefinitions

  6. Make a note of the policy name, review the permissions summary, and click Create Policy.

    You will need the policy name to attach this customer managed policy to your IAM role.

AWS Identity and Access Management (IAM) roles provide the ability to grant permissions to trusted entities. IAM roles issue temporary security credentials that are only valid for a role session, providing greater security. The IAM read-only role will be used to allow Virtana Platform modules to access AWS APIs.

About This Task

To create an IAM role, you need to perform the following in AWS:

  • Create the IAM role.

  • Select and configure one of the following options:

    • Standard permissions

      The simplest setup. Provides read-only access to everything.

    • Minimal cost permissions

      The most secure setup. Provides Virtana Platform access only to services for which Virtana Platform is collecting data. This would include cost reports and performance metrics for the Optimize module.

      Must be created before being assigned to an IAM Role.

    • Management account permissions

      Provides read-only access only for Cost and Usage Reports for a single S3 bucket for a particular customer.

Prerequisites

  • You need the Account ID and External ID values for the AWS Integration, located on the integration setup form in Virtana Platform (Settings > Integrations > Cloud Providers > Add Integration).

  • You need the name of the S3 bucket associated with the integration you are creating.

    This is found under AWS Services in the Cost & Usage Reports section.

Steps

  1. In your AWS Console, search for IAM, and select the IAM service.

    select-IAM.png

    The Identity and Access Management (IAM) dashboard displays.

  2. In the navigation pane, select Access Management > Roles and click Create Role.

  3. For "type of trusted entity", select AWS Account and then select Another AWS Account.

    Select trusted entity page in AWS with required settings selected
  4. Provide the Account ID from your Virtana Platform AWS Integration.

    This identifies the Virtana Platform account as the user of this role.

  5. Check Require external ID and provide the External ID from your Virtana Platform AWS Integration.

    Leave Require MFA unchecked.

  6. Click Next: Permissions.

  7. Define and assign to the read-only role ONE of the following three role permissions available in AWS.