Creating IAM Roles using CLI
The AWS CLI needs to be run from the same directory in which you save the files.
- Create the VM Import Service Role.Use the following commands to create a role namevmimportwith the required permission.aws iam create-role --role-name vmimport --assume-role-policy-document file://vmimport-role-trust.json aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://vmimport-role-policy.json aws iam put-role-policy --role-name vmimport --policy-name AviController-vmimport-KMS-Policy --policy-document file://avicontroller-kms-vmimport.jsonTheAWS put-role-policycommand creates an inline policy in the role (as opposed to an attached policy).
- Create the required policies for theAvi Load Balancer Controllerrole.AviController-Refined-Roleis the role which will be attached to the Controller via the instance profile. Follow the below commands:aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-ec2-policy.json aws iam create-policy --policy-name AviController-S3-Policy --policy-document file://avicontroller-s3-policy.json aws iam create-policy --policy-name AviController-IAM-Policy --policy-document file://avicontroller-iam-policy.json aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-r53-policy.json aws iam create-policy --policy-name AviController-ASG-Policy --policy-document file://avicontroller-asg-policy.json aws iam create-policy --policy-name AviController-SQS-SNS-Policy --policy-document file://avicontroller-sqs-sns-policy.json aws iam create-policy --policy-name AviController-KMS-Policy --policy-document file://avicontroller-kms-policy.jsonAttach the following optional policies for AWS DNS service and the SNS-SQS feature as required:
- AviController-R53-Policy
- AviController-AutoScalingGroup-Policy
- AviController-SQS-SNS-Policy
- AviController-KMS-Policy
- Attach policies to theAvi Load Balancer Controllerrole.Once the policies (AviController-EC2-Policy,AviController-R53-Policy,AviController-IAM-Policy, and so on.) are created (in Step 2), attach them to theAviController-Refined-Role.aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-EC2-Policy" aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-R53-Policy" aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-ASG-Policy" aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SQS-SNS-Policy" aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-ASG-Notification" aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-KMS-Policy"Make sure to replace123456789012with the applicable AWS account ID.
- Create an instance profile and apply this instance profile to the EC2 role.aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json aws iam create-instance-profile --instance-profile-name AviController-Refined-Role aws iam add-role-to-instance-profile --instance-profile-name AviController-Refined-Role --role-name AviController-Refined-Rol aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-ec2-policy.json aws iam create-policy --policy-name AviController-S3-Policy --policy-document file://avicontroller-s3-policy.json aws iam create-policy --policy-name AviController-IAM-Policy --policy-document file://avicontroller-iam-policy.json aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-r53-policy.json aws iam create-policy --policy-name AviController-ASG-Policy --policy-document file://avicontroller-asg-policy.json aws iam create-policy --policy-name AviController-SQS-SNS-Policy --policy-document file://avicontroller-sqs-sns-policy.json aws iam create-policy --policy-name AviController-KMS-Policy --policy-document file://avicontroller-kms-policy.json