
IAM Policy & Role Creation in AWS

AWS IAM Role

Step 1: Create IAM Policy

  • Sign into the AWS Console and navigate to the IAM service
  • Create a new Policy
  • Copy/Paste the JSON for the IAM Policy
  • Review the policy, provide a name for it (e.g. rafay_eks_policy) and save it

Step 2: Create IAM Role

  • In the AWS Console, navigate to the IAM service
  • Create a new Role and select "Another AWS account" as the type of trusted entity
  • Copy/Paste the Account ID from the Controller's Cloud Credential creation page
  • Enable "Require external ID" and copy/paste the External ID from the same Cloud Credential creation page. The External ID is what prevents the confused-deputy problem: without it, anyone who learns your Role ARN could ask the Controller to assume the role on their behalf.


  • Click on "Next:Permissions"
  • Search for the Policy you created in Step 1 and select it


  • Click on the newly created Role to view it
  • Copy the Role ARN


Use this Role ARN in the Controller when creating the Cloud Credential.
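The two console choices above ("Another AWS account" plus "Require external ID") produce a trust policy on the role. The following is an added example, not Rafay's code: it builds that trust policy as JSON (for pasting into the console or passing to the CLI) and includes a check that can be run against an existing role's trust policy to confirm it still names only the Controller's account and still requires the External ID. The account ID and External ID in it are constructed placeholders; take the real values from the Cloud Credential creation page.

```python
"""Build and re-check the trust policy of the cross-account IAM role.

Added example (not Rafay's own code). CONTROLLER_ACCOUNT_ID and
EXTERNAL_ID are constructed placeholders, not real identifiers.
"""
import json

CONTROLLER_ACCOUNT_ID = "111122223333"                 # placeholder
EXTERNAL_ID = "example-external-id-from-cloud-credential"  # placeholder


def build_trust_policy(controller_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to selecting 'Another AWS account' and
    enabling 'Require external ID' in the console: only the Controller's
    account may call sts:AssumeRole, and only when it presents the agreed
    external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{controller_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, controller_account_id: str, external_id: str) -> list:
    """Return a list of problems with an existing trust policy (empty if it
    matches the intended configuration). Useful for re-checking a role
    later, e.g. on the AssumeRolePolicyDocument returned by
    `aws iam get-role`."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = principal.get("AWS", [])
        else:
            aws_principals = principal
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                problems.append("statement lets any principal assume the role")
            elif controller_account_id not in p:
                problems.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(CONTROLLER_ACCOUNT_ID, EXTERNAL_ID)
    # Paste this document into the role's trust relationship, or pass it to
    # `aws iam create-role --assume-role-policy-document file://trust.json`.
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy, CONTROLLER_ACCOUNT_ID, EXTERNAL_ID))
```

The check deliberately treats a missing or mismatched sts:ExternalId condition as a finding even when the principal is correct, because the External ID is the only thing stopping a third party from routing an AssumeRole through the Controller.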


AWS IAM User

We will be creating an "AWS IAM User" with the minimal IAM policy required for auto provisioning attached to it.

Step 1: Create IAM Policy

  • Sign into the AWS Console
  • Select "IAM" from Services
  • Select "Policies"
  • Click on "Create Policy"
  • Copy/Paste the JSON for the IAM Policy
  • Click on "Review Policy"
  • Provide a name for the policy

Step 2: Create IAM User

To ensure all actions performed by the Controller can be audited, we recommend that customers create a new, dedicated "AWS IAM User" that is used by nothing else.

  • Select "IAM" from Services
  • Select "Users"
  • Click on "Add User"

You will be presented with a "Guided Workflow"

  • Provide a username
  • Select "Programmatic access" as the Access Type
  • Click "Next:Permissions"



Step 3: Attach Permissions to User

Customers will want to limit the permissions they provide this IAM User to what auto-provisioning requires. During auto-provisioning, the Controller automatically creates and configures the required infrastructure, so the policy from Step 1 must cover those actions and nothing more.

  • Click on "Attach existing policies directly"
  • Filter policies by the name of the policy you created in Step 1 and select it
  • Click on "Next:Tags" (optional)
  • Review the details and finalize
  • Download the "CSV" containing the "Access Key ID" and "Secret Access Key"

Important

For security reasons, the Secret Access Key cannot be retrieved later in AWS; if it is lost, the only remedy is to create a new access key and deactivate the old one. Ensure that you do not skip this step, because this information is required when creating a Cloud Credential in the Console. Treat the downloaded CSV as a secret and delete it once the Cloud Credential has been created.
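The reason for a dedicated IAM User (or a dedicated role) is that everything the Controller does then shows up in CloudTrail under one identity. The following is an added example, not Rafay's code, showing what that attribution looks like in practice: it filters CloudTrail records down to those performed either by the dedicated IAM User or through the cross-account role from the first section. The records, the user name "rafay-controller", the role ARN and the account ID are all constructed sample data.

```python
"""Attribute CloudTrail events to the Controller's IAM User or assumed role.

Added example (not Rafay's own code). SAMPLE_RECORDS, CONTROLLER_USER,
CONTROLLER_ROLE_ARN and the account ID are constructed placeholders.
"""
from collections import Counter

CONTROLLER_USER = "rafay-controller"                                    # placeholder
CONTROLLER_ROLE_ARN = "arn:aws:iam::111122223333:role/rafay-eks-role"   # placeholder

# Constructed CloudTrail records, trimmed to the fields used below. Real
# records carry the same userIdentity shapes: "IAMUser" for access-key
# callers, "AssumedRole" with sessionContext.sessionIssuer for role callers.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "eks.amazonaws.com",
        "eventName": "CreateCluster",
        "userIdentity": {"type": "IAMUser", "userName": "rafay-controller",
                         "arn": "arn:aws:iam::111122223333:user/rafay-controller"},
    },
    {
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateVpc",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/rafay-eks-role/session1",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": CONTROLLER_ROLE_ARN, "userName": "rafay-eks-role"}},
        },
    },
    {
        "eventTime": "2024-01-01T11:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
    },
]


def is_controller_event(record: dict, user_name: str, role_arn: str) -> bool:
    """True if the record was produced by the dedicated IAM User or by a
    session of the cross-account role (matched on the issuing role ARN, not
    the session name, which the caller chooses)."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName") == user_name
    if ident.get("type") == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn") == role_arn
    return False


def controller_events(records: list, user_name: str, role_arn: str) -> list:
    """Return (eventTime, eventSource, eventName) for every Controller event,
    oldest first, so the provisioning sequence can be reviewed."""
    hits = [r for r in records if is_controller_event(r, user_name, role_arn)]
    hits.sort(key=lambda r: r["eventTime"])
    return [(r["eventTime"], r["eventSource"], r["eventName"]) for r in hits]


def action_counts(records: list, user_name: str, role_arn: str) -> Counter:
    """Count Controller API calls per 'service:Action'. Comparing this against
    the policy attached in Step 3 shows whether the policy is wider than what
    the Controller actually uses."""
    counts = Counter()
    for _, source, name in controller_events(records, user_name, role_arn):
        service = source.split(".")[0]
        counts[f"{service}:{name}"] += 1
    return counts


if __name__ == "__main__":
    for event in controller_events(SAMPLE_RECORDS, CONTROLLER_USER, CONTROLLER_ROLE_ARN):
        print(*event)
    print(action_counts(SAMPLE_RECORDS, CONTROLLER_USER, CONTROLLER_ROLE_ARN))
```

Matching assumed-role sessions on sessionContext.sessionIssuer.arn rather than on the session ARN matters because the session name is chosen by the caller and varies per AssumeRole call; the issuing role ARN is the stable identifier.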