IAM Role

Identity and Access Management (IAM) Role and Security Token Service (STS) are supported by the CloudCenter platform.

Feature Dependency

These two features are dependent on the CCO being launched (and establishing a trust relationship in AWS) using an IAM role. See http://docs.aws.amazon.com for additional details.

To use IAM roles, you must launch the CCO VM using the admin role so you can use the IAM role at any point in the future. Launching a CCO VM with the admin role allows you to use either the IAM role or the classic key/secret key access at any time.

For IAM role-based accounts, the CloudCenter platform requires the EC2fullAccess role as a minimum. If you use the CloudCenter RDS out-of-box service, your account additionally requires RDSfullAccess.

The CloudCenter platform requires that you launch a PaaS service using a non-IAM cloud account.

You cannot launch an AWS PaaS service using an IAM cloud account!

Instead of specifying the access key and secret key, you can manage instance types by using an IAM role. By default, this feature is disabled; you must explicitly enable it by toggling the IAM role button to ON when you configure an AWS Cloud.

Tips to use IAM roles in the CloudCenter platform:

  • You can launch RDS instances using IAM role-based accounts if you meet the following requirements:

    • If a Docker container is not part of the CCO, then you must assign the Docker container VM to the same IAM role as the CCO server.

    • Be sure to attach the following sts:GetFederationToken custom policy to IAM roles (with RDSfullAccess):

      {
          "Version": "2012-10-17",
          "Statement": [{
              "Effect": "Allow",
              "Action": ["sts:GetFederationToken"],
              "Resource": "*"
          }]
      }

  • You can assign an AWS ARN in the instance profile field in the Deployment Environments form by adding the following iam:PassRole policy to the role used to launch the CCO VM:

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": "*"
        }]
    }
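Both policies above grant their action on "Resource": "*". The following Python script is an added example, not part of the CloudCenter documentation or product: it loads the two policy documents from this page (copied verbatim), checks that each grants the action the text calls for (including via wildcards such as sts:*), and flags any grant that applies to every resource with no Condition. It also includes a hypothetical scoped-down PassRole variant, restricted to one role ARN and to the EC2 service, to show what the check passes; the account id, role name and the helper names are assumptions, not values from the page.

```python
import fnmatch
import json

# Constructed copies of the two policy documents given on this page.
FEDERATION_TOKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:GetFederationToken"],
        "Resource": "*",
    }],
})

PASS_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": "*",
    }],
})

# Hypothetical least-privilege variant of the PassRole policy (not from the page):
# same action, but limited to one role ARN and to passing that role to EC2.
# The account id and role name are placeholders.
SCOPED_PASS_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::123456789012:role/EXAMPLE-cco-instance-role",
        "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
    }],
})


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and allow '*' wildcards (e.g. 'sts:*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allow_statements_for(policy_json, action):
    """Return the Allow statements whose Action covers the given action.

    Only 'Action' is examined; 'NotAction' statements are skipped, so the
    result is conservative (it may under-report grants, never over-report).
    """
    policy = json.loads(policy_json)
    matches = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            matches.append(stmt)
    return matches


def check_policy(policy_json, required_actions):
    """Report required actions the policy does not grant ('missing') and those
    granted on every resource ('*') with no Condition attached ('unscoped')."""
    missing = []
    unscoped = []
    for action in required_actions:
        stmts = allow_statements_for(policy_json, action)
        if not stmts:
            missing.append(action)
            continue
        for stmt in stmts:
            if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
                unscoped.append(action)
                break
    return {"missing": missing, "unscoped": unscoped}


if __name__ == "__main__":
    print(check_policy(FEDERATION_TOKEN_POLICY, ["sts:GetFederationToken"]))
    print(check_policy(PASS_ROLE_POLICY, ["iam:PassRole"]))
    print(check_policy(SCOPED_PASS_ROLE_POLICY, ["iam:PassRole"]))
```

Run it against the policy JSON exported from the role you attach to the CCO VM (for example, the output of aws iam get-role-policy) to confirm the required action is present before enabling the IAM role toggle, and to see at a glance which grants are still account-wide.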



© 2017-2019 Cisco Systems, Inc. All rights reserved