Avi Networks — Technical Reference (17.1)IAM Role Setup for Installation into AWS
Copyright © 2019 Avi Networks, Inc. Page 2 of 16
IAM Role Setup for Installation into AWS
If using the IAM role method to define access for an Avi Vantage installation in Amazon Web Services (AWS), use the steps in this article to set up the IAM roles before beginning deployment of the Avi Controller EC2 instance.
IAM Role Name | Policy Name | Description | Required
-----------------------------------------------------------------
vmimport (vmimport-role-trust.json) | vmimport (vmimport-role-policy.json) | Enables the Avi SE VM to be imported into AWS. Without this IAM role, the Avi SE cannot be launched. This role is associated with the AWS account (not with the Avi Controller). As per this Amazon document, the IAM role name MUST be "vmimport". | Yes
AviController-Refined-Role (avicontroller-role-trust.json) | AviController-EC2-Policy (avicontroller-role-policy.json) | Enables the Avi Controller instance to be installed. | Yes
AviController-Refined-Role | AviController-IAM-Policy (avicontroller-role-iam-policy.json) | Enables access to retrieve IAM roles and policy information. | Yes
AviController-Refined-Role | AviController-R53-Policy (avicontroller-role-r53-policy.json) | Enables access to the AWS cloud's DNS. | No
AviController-Refined-Role | AviController-AutoScalingGroup-Policy (avicontroller-role-auto-scaling-group-policy.json) | Enables read access to the AWS cloud's Auto Scaling groups. | No
AviController-Refined-Role | AviController-SNS-Policy (avicontroller-sns-policy.json) | Enables the Avi Controller to use the SNS feature for Auto Scaling groups. | No
AviController-Refined-Role | AviController-SQS-Policy (avicontroller-sqs-policy.json) | Enables the Avi Controller to use the SQS feature for Auto Scaling groups. | No
AviController-Refined-Role | AviController-ASG-Notification (avicontroller-asg-notification-policy.json) | Allows the Avi Controller to receive ASG notifications when the SNS and SQS features are enabled. | No
AviController-Refined-Role | AviController-KMS-Policy (added with 17.2.8) (avicontroller-kms-policy.json) | Enables the Avi Controller to list the encryption keys in the Avi UI and to decrypt encrypted messages (required when using SQS encryption). | No
To begin, download the JSON files for the IAM role and policies onto a host that has the AWS CLI.
Then use one of the following workflows to set up the IAM roles:
Using the AWS CLI
The AWS CLI needs to be run from the same directory in which you save the files.
Step 1. Create the VM Import Service Role
Use the following commands to create a role named vmimport with the required permission.
aws iam create-role --role-name vmimport --assume-role-policy-document file://vmimport-role-trust.json
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://vmimport-role-policy.json
Step 2. Create the required policies for the Avi Controller role
AviController-Refined-Role is the role that will be attached to the Avi Controller via the instance profile. Run the commands below.
aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json
aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-role-policy.json
aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-role-r53-policy.json
aws iam create-policy --policy-name AviController-AutoScalingGroup-Policy --policy-document file://avicontroller-role-auto-scaling-group-policy.json
aws iam create-policy --policy-name AviController-SNS-Policy --policy-document file://avicontroller-sns-policy.json
aws iam create-policy --policy-name AviController-SQS-Policy --policy-document file://avicontroller-sqs-policy.json
aws iam create-policy --policy-name AviController-ASG-Notification --policy-document file://avicontroller-asg-notification-policy.json
aws iam create-policy --policy-name AviController-KMS-Policy --policy-document file://avicontroller-kms-policy.json
Note: The following policies are optional; they cover the AWS DNS service and the SNS-SQS feature and are not needed for the basic setup.
* AviController-R53-Policy
* AviController-AutoScalingGroup-Policy
* AviController-SNS-Policy
* AviController-SQS-Policy
* AviController-ASG-Notification
* AviController-KMS-Policy (supported as of release 17.2.8)
Step 3. Attach policies to the Avi Controller role
Once the policies (AviController-EC2-Policy, AviController-R53-Policy, AviController-IAM-Policy, etc.) are created in Step 2, attach them to the AviController-Refined-Role.
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-EC2-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-R53-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-AutoScalingGroup-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SNS-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SQS-Policy"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-ASG-Notification"
aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-KMS-Policy"
Note: The following policies are optional; they cover the AWS DNS service and the SNS-SQS feature. It is not necessary to attach them to the Avi Controller role for the basic setup.
* AviController-R53-Policy
* AviController-AutoScalingGroup-Policy
* AviController-SNS-Policy
* AviController-SQS-Policy
* AviController-ASG-Notification
* AviController-KMS-Policy (supported as of release 17.2.8)
Step 4. Create an instance profile and apply it to the EC2 role
aws iam create-instance-profile --instance-profile-name AviController-Refined-Role
aws iam add-role-to-instance-profile --instance-profile-name AviController-Refined-Role --role-name AviController-Refined-Role
Note:
* The aws iam put-role-policy command creates an inline policy in the role (as opposed to an attached policy).
* Make sure to replace "123456789012" with the applicable AWS account ID.
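The CLI workflow above is the part of the setup a reviewer will want to pre-check before anything is created: the role trust document decides which principal can obtain the Controller's credentials, the policy documents decide what those credentials can do, and the placeholder account ID in the attach commands must be replaced. The following is an added example (not Avi Networks code) that performs those checks on the JSON documents and emits the Step 2 to Step 4 commands with a real account ID filled in. The two policy documents embedded in it are constructed stand-ins, because the article does not reproduce the downloaded files; the policy-to-file mapping is taken from the table at the top of the article. Note that the article's Step 2 command list does not include a create-policy call for AviController-IAM-Policy although the table marks it as required; the example includes it with the file name from the table.

```python
"""Pre-flight checks for the IAM JSON documents used in this article, plus
generation of the aws iam commands with the real account ID substituted.

Added example, not Avi Networks code. The sample documents below are
constructed stand-ins; the real files are downloaded from Avi Networks.
"""
import json
import re
from typing import Dict, List

# Constructed sample documents (NOT the shipped files), keyed by the file
# names used in the article's table.
SAMPLE_DOCS: Dict[str, str] = {
    "avicontroller-role-trust.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }),
    "avicontroller-role-policy.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},  # deliberately broad
        ],
    }),
}

ROLE = "AviController-Refined-Role"
# Policy name -> JSON file, from the article's table; the two required ones come first.
POLICY_FILES = {
    "AviController-EC2-Policy": "avicontroller-role-policy.json",
    "AviController-IAM-Policy": "avicontroller-role-iam-policy.json",
    "AviController-R53-Policy": "avicontroller-role-r53-policy.json",
    "AviController-AutoScalingGroup-Policy": "avicontroller-role-auto-scaling-group-policy.json",
    "AviController-SNS-Policy": "avicontroller-sns-policy.json",
    "AviController-SQS-Policy": "avicontroller-sqs-policy.json",
    "AviController-ASG-Notification": "avicontroller-asg-notification-policy.json",
    "AviController-KMS-Policy": "avicontroller-kms-policy.json",
}
PLACEHOLDER_ACCOUNT = "123456789012"  # documentation placeholder that must be replaced


def load_doc(name: str) -> dict:
    """Parse one of the constructed sample documents (a real run would read the file)."""
    return json.loads(SAMPLE_DOCS[name])


def statements(doc: dict) -> List[dict]:
    """IAM allows Statement to be one object or a list; normalise to a list."""
    stmt = doc.get("Statement", [])
    return stmt if isinstance(stmt, list) else [stmt]


def trust_policy_findings(doc: dict, expected_service: str) -> List[str]:
    """Flag any principal other than the expected AWS service in a role trust policy.

    An instance-profile role should be assumable only by ec2.amazonaws.com; an
    extra account, federated or '*' principal would let other identities assume it.
    """
    findings = []
    for i, s in enumerate(statements(doc)):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: principal '*'")
            continue
        services = principal.get("Service", [])
        for svc in (services if isinstance(services, list) else [services]):
            if svc != expected_service:
                findings.append(f"statement {i}: unexpected service principal {svc}")
        for key in ("AWS", "Federated"):
            if key in principal:
                findings.append(f"statement {i}: non-service principal {key}={principal[key]}")
    return findings


def broad_statements(doc: dict) -> List[int]:
    """Indices of Allow statements that grant a wildcard action on Resource '*'."""
    broad = []
    for i, s in enumerate(statements(doc)):
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = s.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            broad.append(i)
    return broad


def policy_arn(account_id: str, policy_name: str) -> str:
    """Build the customer-managed policy ARN, refusing the documentation placeholder."""
    if account_id == PLACEHOLDER_ACCOUNT or not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("replace the placeholder with your 12-digit AWS account ID")
    return f"arn:aws:iam::{account_id}:policy/{policy_name}"


def setup_commands(account_id: str, optional: bool = False) -> List[str]:
    """Return the article's Step 2-4 commands for the Controller role, account ID filled in."""
    names = list(POLICY_FILES) if optional else list(POLICY_FILES)[:2]
    cmds = [f"aws iam create-role --role-name {ROLE} "
            f"--assume-role-policy-document file://avicontroller-role-trust.json"]
    cmds += [f"aws iam create-policy --policy-name {n} --policy-document file://{POLICY_FILES[n]}"
             for n in names]
    cmds += [f'aws iam attach-role-policy --role-name {ROLE} --policy-arn "{policy_arn(account_id, n)}"'
             for n in names]
    cmds += [f"aws iam create-instance-profile --instance-profile-name {ROLE}",
             f"aws iam add-role-to-instance-profile --instance-profile-name {ROLE} --role-name {ROLE}"]
    return cmds


if __name__ == "__main__":
    print(trust_policy_findings(load_doc("avicontroller-role-trust.json"), "ec2.amazonaws.com"))
    print(broad_statements(load_doc("avicontroller-role-policy.json")))
    print("\n".join(setup_commands("111122223333")))  # 111122223333 is a made-up account ID
```

In practice the account ID passed to setup_commands comes from the credentials the CLI is already using (aws sts get-caller-identity), which removes the chance of attaching policies from the wrong account; a non-empty result from trust_policy_findings or broad_statements is a reason to stop and read the document before running create-role or create-policy.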
Using AWS Web Interface
The various roles and the associated policies mentioned in the previous section can also be created using the AWS web interface (AWS management console). This section discusses the configuration steps for the following mandatory policies and the associated roles.
* vmimport policy
* vmimport role (associated with vmimport policy)
* AviController-Refined-Role
* AviController-EC2-Policy (associated with AviController-Refined-Role)
* AviController-IAM-Policy (associated with AviController-Refined-Role)
Follow the same steps to create the optional policies as required.
Creating vmimport policy
Log into the AWS console using your AWS customer account, and select Policies.
Select Create policy, select the JSON tab, copy and paste the content from the JSON file (vmimport-role-policy.json), and click on Review Policy.
Provide the name for the policy (vmimport) and the description (optional), and click on Create Policy.
Creating vmimport role and associating it with the vmimport policy
Select Roles, then click on Create role.
Select the type of trusted identity (AWS Service), choose the service (EC2) that will use this role, and click on Next: Permissions.
Select the policy created in the previous step (vmimport policy), and click on Next: Review.
Provide the Role name and Role description, and click on Create role.
Once the role is created, the AWS web interface will display the following message, as shown in the screenshot below.
Note: For the vmimport role, the Trust relationships should be edited. Navigate to the Trust relationships tab, click on edit, copy the content of vmimport-role-trust.json (from the table at the beginning of the article) into the JSON tab, and click on Update Trust Policy.
Creating AviController-Refined-Role
Creating Policies
* Select the Policies option on the AWS web interface, and click on Create Policy.
Select the JSON tab, copy the content from the JSON file (avicontroller-role-policy.json), paste it in the JSON box, and click on Review Policy.
Provide the name for the policy (AviController-EC2-Policy) and the description (optional), and click on Create Policy.
Once the policy is successfully created, the AWS web interface will display the following message.
Notes:
* Follow the steps mentioned above to create AviController-IAM-Policy. Choose the policy name and the JSON file as mentioned in the table provided at the beginning of the article.
* Based on the requirement, create the other optional policies as well. For example, if Avi Vantage will use the AWS DNS service, create a policy named "AviController-R53-Policy" and copy-and-paste the contents of the avicontroller-role-r53-policy.json file into the Policy Document field.
Creating Role and Associating with the Required Policies
Select Roles, and click on Create Role.
Select the type of trusted identity (AWS Service), choose the service (EC2) that will use this role, and click on Next: Permissions.
Select the policies created in the previous step (AviController-EC2-Policy and AviController-IAM-Policy), and select Next: Preview.
Provide the role name (AviController-Refined-Role) and the description (optional), and click on Create role.
Once the role is created, the AWS web interface will display the following message, as shown in the screenshot below.
The new roles should be in the list.
Note: There are two ways an AWS cloud can be created in Avi Vantage:
1) Using an access/secret key.
2) Using the IAM roles of the Avi Controller.
Both of the methods mentioned above require a vmimport role to be present. However, when using the access/secret key method, the user whose keys are used must have all the necessary permissions for carrying out all the operations done in Avi Vantage. AviController-Refined-Role needs to be present if the "using IAM roles of the Avi Controller" option is chosen. If the AviController-Refined-Role role is created using the AWS CLI, then an instance profile is required, as created in Step 4. But if the role is created using the AWS GUI, it is not required to create the instance profile separately, as it is automatically created along with the role.
Once all the required roles and policies are configured, refer to Installing Avi Vantage in Amazon Web Services to install the Avi Vantage EC2 instance.