Creating Role Using AWS User Interface
This section explains the steps to set up the Prod-Xacc-Access role in the Prod AWS account.
AWS accounts require access to AWS resources or APIs. In this example, the Avi Load Balancer Controller is hosted in the IT account (AWS account ID – 123456789012) and the Avi Load Balancer Service Engine cloud provides data path services in the Prod account (AWS account ID – 112233445566). Use the account IDs and resource ARNs that are applicable to your environment while following this guide. Cross-account setup is explained in Delegate Access Across AWS Accounts Using IAM Role.
- In the Prod account, set up the Prod-Xacc-Access role, which will be a cross-account role. Navigate to and click Create New Role.

- Select Another AWS account, provide the Account ID, and click Next: Permissions. Enter the AWS account ID of the AWS account which can assume this role. In this example, it is the IT account (AWS account ID – 123456789012). You can choose Require MFA based on your requirement.
- Select the policies required by the Prod-Xacc-Access role to create the Avi Load Balancer SE for providing Avi Load Balancer functionality, and click Review. The following are the policies attached to this role in this reference section:
  - AviController-EC2-Policy
  - AviController-IAM-XAccess-Policy
  - AviController-R53-Policy
  - AviController-S3-Policy
  - vmimport-role-policy
- Provide the Role name (Prod-Xacc-Access), Role description (optional), and click Create Role.
To summarize, for the Prod-Xacc-Access role, the role ARN will be displayed as arn:aws:iam::112233445566:role/Prod-Xacc-Access. Ensure that the format is: arn:aws:iam::account-id:role/role-name.
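
The following Python sketch is an added example, not part of the Avi Load Balancer or AWS documentation. It builds the trust policy that corresponds to selecting Another AWS account (with or without Require MFA), checks that a trust policy trusts only the intended account, and validates the role ARN format given above. The function names are hypothetical and the account IDs are the ones used in this guide.

```python
import re

# Role ARN format stated in this guide: arn:aws:iam::account-id:role/role-name
# (roles created with a path are deliberately not matched here).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([A-Za-z0-9_+=,.@-]{1,64})$")

def parse_role_arn(arn):
    """Return (account_id, role_name); raise ValueError on a malformed ARN."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a role ARN: {arn!r}")
    return m.group(1), m.group(2)

def trust_policy(trusted_account_id, require_mfa=False):
    """Trust policy for a role that another AWS account may assume."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # corresponds to the Require MFA option
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def untrusted_principals(policy, allowed_accounts):
    """List AWS principals in Allow statements outside allowed_accounts.

    Service principals are ignored; a wildcard is always reported.
    """
    findings = []
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("*")
            continue
        aws = principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            # A principal is a bare 12-digit account ID or an IAM ARN.
            m = re.match(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$", p)
            if not m or m.group(1) not in allowed_accounts:
                findings.append(p)
    return findings

if __name__ == "__main__":
    policy = trust_policy("123456789012", require_mfa=True)  # IT account
    print(untrusted_principals(policy, {"123456789012"}))
    print(parse_role_arn("arn:aws:iam::112233445566:role/Prod-Xacc-Access"))
```

An empty list from untrusted_principals means that only the expected account (here the IT account) can assume the role.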