Creating IAM Roles using CLI

The AWS CLI needs to be run from the same directory in which you save the files.
  1. Create the VM Import Service Role.
    Use the following commands to create a role named vmimport with the required permissions.
    aws iam create-role --role-name vmimport --assume-role-policy-document file://vmimport-role-trust.json
    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://vmimport-role-policy.json
    aws iam put-role-policy --role-name vmimport --policy-name AviController-vmimport-KMS-Policy --policy-document file://avicontroller-kms-vmimport.json
    The AWS put-role-policy command creates an inline policy in the role (as opposed to an attached policy).
  2. Create the required policies for the Avi Load Balancer Controller role.
    AviController-Refined-Role is the role that will be attached to the Controller via the instance profile. Run the following commands:
    aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json
    aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-ec2-policy.json
    aws iam create-policy --policy-name AviController-S3-Policy --policy-document file://avicontroller-s3-policy.json
    aws iam create-policy --policy-name AviController-IAM-Policy --policy-document file://avicontroller-iam-policy.json
    aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-r53-policy.json
    aws iam create-policy --policy-name AviController-ASG-Policy --policy-document file://avicontroller-asg-policy.json
    aws iam create-policy --policy-name AviController-SQS-SNS-Policy --policy-document file://avicontroller-sqs-sns-policy.json
    aws iam create-policy --policy-name AviController-KMS-Policy --policy-document file://avicontroller-kms-policy.json
    Attach the following optional policies for AWS DNS service and the SNS-SQS feature as required:
    • AviController-R53-Policy
    • AviController-AutoScalingGroup-Policy
    • AviController-SQS-SNS-Policy
    • AviController-KMS-Policy
  3. Attach policies to the Avi Load Balancer Controller role.
    Once the policies (AviController-EC2-Policy, AviController-R53-Policy, AviController-IAM-Policy, and so on) are created in Step 2, attach them to the AviController-Refined-Role.
    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-EC2-Policy"
    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-R53-Policy"
    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-ASG-Policy"
    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SQS-SNS-Policy"
    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-ASG-Notification"
    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-KMS-Policy"
    Make sure to replace 123456789012 with the applicable AWS account ID.
  4. Create an instance profile and apply this instance profile to the EC2 role.
    aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json
    aws iam create-instance-profile --instance-profile-name AviController-Refined-Role
    aws iam add-role-to-instance-profile --instance-profile-name AviController-Refined-Role --role-name AviController-Refined-Role
    aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-ec2-policy.json
    aws iam create-policy --policy-name AviController-S3-Policy --policy-document file://avicontroller-s3-policy.json
    aws iam create-policy --policy-name AviController-IAM-Policy --policy-document file://avicontroller-iam-policy.json
    aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-r53-policy.json
    aws iam create-policy --policy-name AviController-ASG-Policy --policy-document file://avicontroller-asg-policy.json
    aws iam create-policy --policy-name AviController-SQS-SNS-Policy --policy-document file://avicontroller-sqs-sns-policy.json
    aws iam create-policy --policy-name AviController-KMS-Policy --policy-document file://avicontroller-kms-policy.json
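
The following helper is an added example, not part of the original procedure or of the Avi product. It checks that the Step 2 JSON files are present in the working directory and builds the Step 3 policy ARNs from a validated account ID, so the 123456789012 placeholder cannot be left in by mistake. The function names, the DRY_RUN variable and the account ID 111122223333 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and DRY_RUN are hypothetical; the policy and
# file names are the ones used in the steps above.

# JSON documents that the Step 2 commands load with file://
AVI_POLICY_FILES="avicontroller-role-trust.json avicontroller-ec2-policy.json
avicontroller-s3-policy.json avicontroller-iam-policy.json
avicontroller-r53-policy.json avicontroller-asg-policy.json
avicontroller-sqs-sns-policy.json avicontroller-kms-policy.json"

# Print every policy document that is missing or empty in directory $1.
missing_policy_files() {
  for f in $AVI_POLICY_FILES; do
    [ -s "$1/$f" ] || printf '%s\n' "$f"
  done
}

# Succeed only for a 12-digit account ID that is not the page's placeholder.
valid_account_id() {
  case "$1" in
    123456789012 | '' | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Build the policy ARN for account $1 and policy name $2.
policy_arn() {
  valid_account_id "$1" || return 1
  printf 'arn:aws:iam::%s:policy/%s\n' "$1" "$2"
}

# Attach each named policy to role $1 in account $2.
# With DRY_RUN=1 the commands are printed instead of executed.
attach_policies() {
  role=$1 account=$2
  shift 2
  for name in "$@"; do
    arn=$(policy_arn "$account" "$name") || { echo "bad account ID: $account" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'aws iam attach-role-policy --role-name %s --policy-arn "%s"\n' "$role" "$arn"
    else
      aws iam attach-role-policy --role-name "$role" --policy-arn "$arn" || return 1
    fi
  done
}

# Dry run with a constructed account ID; prints the commands only.
DRY_RUN=1 attach_policies AviController-Refined-Role 111122223333 \
  AviController-EC2-Policy AviController-KMS-Policy
```

For a real run, the account ID can be read from the active credentials with aws sts get-caller-identity --query Account --output text and passed as the second argument.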