AWS credentials for Cloud Management

The credentials required for the instance to access AWS accounts are the AWS account number, the access key ID, and the secret access key.

Provide these credentials so that the instance can discover AWS accounts. If you are using Identity Access Management (IAM) to manage users in AWS, create a user profile in IAM. The instance must be able to access the profile.

Create AWS credentials

Create the credentials necessary to access your AWS accounts.

Before you begin

  • Role required: sn_cmp.cloud_admin
  • AWS account number, access key ID, secret access key

Procedure

  1. Navigate to Discovery > Credentials, and then select AWS Credentials.
  2. Use the following information to fill out the AWS Credentials form:
    Figure 1. AWS credentials
    Table 1. AWS credentials form fields
    Field: Input value
    • Name: Enter a unique and descriptive name for this credential. For example, you might call it AWS Main Account.
    • Active: Enable or disable these credentials for use.
    • Access Key ID: Enter the access key ID generated from the AWS Management Console, for example, APIAIOSFODNN7EXAMPLE.
    • Secret Access Key: Enter the secret access key generated from the AWS Management Console, for example, wPalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
  3. Click Submit.

What to do next

Create a Service Account

Set up AWS Identity Access Management (IAM) users

If you are using IAM to manage users in AWS, you must create a user profile in IAM that is designed for use by the instance.

Before you begin

Familiarize yourself with the AWS documentation on IAM. You must know how to create an IAM user and set up a user policy.

Procedure

  1. Log in to the AWS Management Console and create a new user in IAM.
    You must have the access key automatically generated. You need this key when you configure AWS credentials in the instance.
  2. Save the Access Key ID and Secret Access Key.
  3. Open the user record in the instance for the appropriate user.
  4. Define a user policy in AWS using either of the following methods:
    • Grant Administrator Access to the instance, which is essentially the same access that would be granted to the instance if you were not using IAM and simply used your AWS account Access Key ID and Secret Access Key. Attach the AdministratorAccess policy to the user profile.
      Note: If you want to create a user policy that only supports Discovery rather than the provisioning of cloud resources, attach the ReadOnlyAccess policy instead.
    • Create a custom policy with a descriptive name and the following code in the Policy Document field in the user policy:
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "cloudfront:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": "arn:aws:s3:::*"
          }, {
              "Action": "elasticloadbalancing:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "sqs:*",
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:*"
          }, {
              "Action": "rds:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "sns:*",
              "Effect": "Allow",
              "Resource": "arn:aws:sns:*"
          }, {
              "Action": "ec2:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "cloudformation:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "directconnect:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "route53:*",
              "Effect": "Allow",
              "Resource": "arn:aws:route53:::*"
          }, {
              "Action": ["iam:DeleteServerCertificate", "iam:GetServerCertificate", "iam:ListServerCertificates", "iam:UpdateServerCertificate", "iam:UploadServerCertificate"],
              "Effect": "Allow",
              "Resource": "arn:aws:iam::*:server-certificate/*"
          }]
      }
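
One way to review the custom policy above before attaching it, as an added example that is not part of the original documentation or the product: the script classifies each Allow statement by whether it grants every action of a service and whether its resource pattern matches everything. The function names are hypothetical, and Condition and NotAction elements are not evaluated.

```python
# Custom policy from the procedure above, rebuilt as (action, resource) pairs.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": a, "Effect": "Allow", "Resource": r}
        for a, r in [
            ("cloudfront:*", "*"), ("s3:*", "arn:aws:s3:::*"),
            ("elasticloadbalancing:*", "*"), ("sqs:*", "arn:aws:sqs:*"),
            ("rds:*", "*"), ("sns:*", "arn:aws:sns:*"), ("ec2:*", "*"),
            ("cloudformation:*", "*"), ("directconnect:*", "*"),
            ("route53:*", "arn:aws:route53:::*"),
            (["iam:DeleteServerCertificate", "iam:GetServerCertificate",
              "iam:ListServerCertificates", "iam:UpdateServerCertificate",
              "iam:UploadServerCertificate"],
             "arn:aws:iam::*:server-certificate/*"),
        ]
    ],
}

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """One finding per Allow statement (hypothetical helper).
    Condition and NotAction elements are not evaluated."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        findings.append({
            "services": sorted({a.split(":")[0] for a in actions}),
            # "*" or "service:*" grants every action of that service.
            "all_actions": any(a == "*" or a.endswith(":*") for a in actions),
            # A bare "*" or an ARN whose last field is "*" is not narrowed.
            "all_resources": any(r.split(":")[-1] == "*" for r in resources),
        })
    return findings

def broad_services(policy):
    """Services granted every action with no narrowing of the resource."""
    return sorted({s for f in audit(policy)
                   if f["all_actions"] and f["all_resources"]
                   for s in f["services"]})

if __name__ == "__main__":
    print("full control:", ", ".join(broad_services(PAGE_POLICY)))
```

Run against the policy on this page, it reports ten services with full control; only the IAM server-certificate statement lists explicit actions on a scoped resource.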
      

What to do next

Create a service account with the AWS Account Number, the Access Key ID, and the Secret Access Key for the user you created in AWS.