Creating IAM Roles using UI

The various roles and the associated policies mentioned in the previous section can also be created using the AWS web interface (AWS Management Console).
This section describes the configuration steps for the following mandatory policies and their associated roles:
  • vmimport policy
  • vmimport role (associated with vmimport policy)
  • AviController-Refined-Role
  • AviController-EC2-Policy (associated with AviController-Refined-Role)
  • AviController-IAM-Policy (associated with AviController-Refined-Role)
Follow the same steps to create the optional policies as required.
  1. Creating the vmimport policy.
    1. Log in to the AWS console using the AWS customer account where you plan to deploy Service Engines and select Policies.
    2. Select Create policy, select the JSON tab, copy and paste the content of the JSON file (vmimport-role-policy.json), and click Review Policy.
    3. Provide the name for the policy (vmimport) and the description (optional), then click Create Policy. The policy must be named exactly vmimport.
  2. Creating the vmimport role and associating it with the vmimport policy.
    1. Select Roles, then click Create role.
    2. Select the type of trusted identity (AWS Service), choose the service (EC2) that will use this role, and click Next: Permissions.
    3. Select the policy created in the previous step (the vmimport policy), and click Next: Review.
    4. Provide the Role name and Role description, and click Create role.
    5. Once the role is created, the AWS web interface displays the following message: The role vmimport has been created.
    6. The Trust relationships of the vmimport role must be edited. Navigate to the Trust relationships tab, click Edit, copy the content of vmimport-role-trust.json (from the table mentioned at the beginning of the topic) into the JSON tab, and click Update Trust Policy.
  3. Creating the policies for AviController-Refined-Role.
    1. To create policies, select the Policies option on the AWS web interface, and click Create Policy.
    2. Select the JSON tab, copy the content from the JSON file (avicontroller-role-policy.json), paste it into the JSON box, and click Review Policy.
    3. Provide the name for the policy (AviController-EC2-Policy) and the description (optional). Select the Create Policy option.
    4. Once the policy is successfully created, the AWS web interface displays a confirmation message.
    5. Follow the steps above to create AviController-IAM-Policy. Use the policy name and the JSON file given in the table at the beginning of the topic.
    6. Based on your requirements, create the other optional policies as well. For example, if Avi Load Balancer will use the AWS DNS service, create a policy named AviController-R53-Policy and copy and paste the contents of the avicontroller-role-53-policy.json file into the Policy Document field.
  4. Creating the role and associating it with the required policies.
    1. Select Roles and click Create Role.
    2. Select the type of trusted identity (AWS Service), choose the service (EC2) that will use this role, and click Next: Permissions.
    3. Select the policies created in the previous steps (AviController-EC2-Policy and AviController-IAM-Policy), and click Next: Review.
    4. Provide the role name (AviController-Refined-Role) and the description (optional). Click Create role.
    5. Once the role is created, the AWS web interface displays the following message: The role avi-controller-refined-role has been created.
The new roles should now appear in the list.
There are three ways an AWS cloud can be created in Avi Load Balancer: using the Access/Secret key, using the IAM roles of the Controller, and using Cross-Account AssumeRole.
To use the Cross-Account AssumeRole method, the user must have either the Access/Secret key or the IAM roles of the Controller as a prerequisite.
Both the Access/Secret key and the IAM roles of the Controller methods require the vmimport role to be present. However, when using the Access/Secret key method, the user whose keys are used must have all the permissions needed for every operation Avi Load Balancer performs, equivalent to those of the IAM role.
AviController-Refined-Role needs to be present if you choose the IAM roles of the Controller option. If the AviController-Refined-Role role is created using the AWS CLI, an instance profile is required, as described in step 4. If the role is created using the AWS GUI, a separate instance profile does not need to be created, because it is created automatically along with the role.
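As an added check that is not part of this documentation, the following Python compares what AWS reports for each role against the names, trust relationships, policy attachments and instance-profile requirement described above; its inputs are the dicts returned by aws iam get-role, list-attached-role-policies and list-instance-profiles-for-role (or their boto3 equivalents), and the sample data is constructed. The vmimport trust principal vmie.amazonaws.com is an assumption taken from the standard AWS VM Import role, since the page does not show vmimport-role-trust.json.

```python
# Expectations taken from the procedure above (role and policy names must match exactly).
REQUIRED = {
    # Assumption: vmimport-role-trust.json names the VM Import service principal.
    "vmimport": {"trusted": {"vmie.amazonaws.com"}, "policies": {"vmimport"},
                 "needs_instance_profile": False},
    "AviController-Refined-Role": {
        "trusted": {"ec2.amazonaws.com"},
        "policies": {"AviController-EC2-Policy", "AviController-IAM-Policy"},
        "needs_instance_profile": True},
}


def trusted_services(trust_policy):
    """Service principals allowed to call sts:AssumeRole in a role's trust policy."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        found.update([svc] if isinstance(svc, str) else svc)
    return found


def check_role(name, role, attached, instance_profiles):
    """Return findings (empty list = OK). Inputs are the 'Role', 'AttachedPolicies' and
    'InstanceProfiles' fields of get-role, list-attached-role-policies and
    list-instance-profiles-for-role for that role."""
    want, findings = REQUIRED[name], []
    if role["RoleName"] != name:
        findings.append(f"role is named {role['RoleName']!r}, expected exactly {name!r}")
    missing = want["trusted"] - trusted_services(role["AssumeRolePolicyDocument"])
    if missing:
        findings.append(f"trust policy does not allow {sorted(missing)} to assume the role")
    missing = want["policies"] - {p["PolicyName"] for p in attached}
    if missing:
        findings.append(f"attached policies missing: {sorted(missing)}")
    if want["needs_instance_profile"] and not instance_profiles:
        findings.append("no instance profile: needed for the IAM roles of the Controller option")
    return findings


# Constructed sample: a controller role created via the CLI, one policy not yet attached.
SAMPLE_ROLE = {"RoleName": "AviController-Refined-Role", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                            "Principal": {"Service": "ec2.amazonaws.com"}}]}}
SAMPLE_ATTACHED = [{"PolicyName": "AviController-EC2-Policy"}]
SAMPLE_PROFILES = []  # CLI-created roles get no instance profile automatically

if __name__ == "__main__":
    for f in check_role("AviController-Refined-Role", SAMPLE_ROLE, SAMPLE_ATTACHED, SAMPLE_PROFILES):
        print("FINDING:", f)
```

Run against the sample, it reports the missing AviController-IAM-Policy attachment and the missing instance profile; a GUI-created role with both policies attached returns no findings.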
Once all the required roles and policies are configured, see Installing Avi Load Balancer in Amazon Web Services to install the Avi Load Balancer EC2 instance.
For more information, see Managing access keys for IAM users.