Skip to main content
Cloud Volumes ONTAP
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Set up IAM roles for Cloud Volumes ONTAP

Contributors netapp-rlithman netapp-dbagwell netapp-bcammett netapp-manini

IAM roles with the required permissions must be attached to each Cloud Volumes ONTAP node. The same is true for the HA mediator. It's easiest to let BlueXP create the IAM roles for you, but you can use your own roles.

This task is optional. When you create a Cloud Volumes ONTAP working environment, the default option is to let BlueXP create the IAM roles for you. If your business's security policies require you to create the IAM roles yourself, then follow the steps below.

Note Providing your own IAM role is required in AWS Secret Cloud. Learn how to deploy Cloud Volumes ONTAP in C2S.
Steps
  1. Go to the AWS IAM console.

  2. Create IAM policies that include the following permissions:

    • Base policy for Cloud Volumes ONTAP nodes

      Standard regions
      {
      	"Version": "2012-10-17",
      	"Statement": [{
      			"Action": "s3:ListAllMyBuckets",
      			"Resource": "arn:aws:s3:::*",
      			"Effect": "Allow"
      		}, {
      			"Action": [
      				"s3:ListBucket",
      				"s3:GetBucketLocation"
      			],
      			"Resource": "arn:aws:s3:::fabric-pool-*",
      			"Effect": "Allow"
      		}, {
      			"Action": [
      				"s3:GetObject",
      				"s3:PutObject",
      				"s3:DeleteObject"
      			],
      			"Resource": "arn:aws:s3:::fabric-pool-*",
      			"Effect": "Allow"
      		}
      	]
      }
      GovCloud (US) regions
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws-us-gov:s3:::*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws-us-gov:s3:::fabric-pool-*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws-us-gov:s3:::fabric-pool-*",
              "Effect": "Allow"
          }]
      }
      Top Secret regions
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws-iso:s3:::*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws-iso:s3:::fabric-pool-*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws-iso:s3:::fabric-pool-*",
              "Effect": "Allow"
          }]
      }
      Secret regions
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws-iso-b:s3:::*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws-iso-b:s3:::fabric-pool-*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws-iso-b:s3:::fabric-pool-*",
              "Effect": "Allow"
          }]
      }
    • Backup policy for Cloud Volumes ONTAP nodes

      If you plan to use BlueXP backup and recovery with your Cloud Volumes ONTAP systems, the IAM role for the nodes must include the second policy shown below.

      Standard regions
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "s3:ListBucket",
                      "s3:GetBucketLocation"
                  ],
                  "Resource": "arn:aws:s3:::netapp-backup*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "s3:GetObject",
                      "s3:PutObject",
                      "s3:DeleteObject",
                      "s3:ListAllMyBuckets",
                      "s3:PutObjectTagging",
                      "s3:GetObjectTagging",
                      "s3:RestoreObject",
                      "s3:GetBucketObjectLockConfiguration",
                      "s3:GetObjectRetention",
                      "s3:PutBucketObjectLockConfiguration",
                      "s3:PutObjectRetention"
                  ],
                  "Resource": "arn:aws:s3:::netapp-backup*/*",
                  "Effect": "Allow"
              }
          ]
      }
      GovCloud (US) regions
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "s3:ListBucket",
                      "s3:GetBucketLocation"
                  ],
                  "Resource": "arn:aws-us-gov:s3:::netapp-backup*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "s3:GetObject",
                      "s3:PutObject",
                      "s3:DeleteObject",
                      "s3:ListAllMyBuckets",
                      "s3:PutObjectTagging",
                      "s3:GetObjectTagging",
                      "s3:RestoreObject",
                      "s3:GetBucketObjectLockConfiguration",
                      "s3:GetObjectRetention",
                      "s3:PutBucketObjectLockConfiguration",
                      "s3:PutObjectRetention"
                  ],
                  "Resource": "arn:aws-us-gov:s3:::netapp-backup*/*",
                  "Effect": "Allow"
              }
          ]
      }
      Top Secret regions
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "s3:ListBucket",
                      "s3:GetBucketLocation"
                  ],
                  "Resource": "arn:aws-iso:s3:::netapp-backup*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "s3:GetObject",
                      "s3:PutObject",
                      "s3:DeleteObject",
                      "s3:ListAllMyBuckets",
                      "s3:PutObjectTagging",
                      "s3:GetObjectTagging",
                      "s3:RestoreObject",
                      "s3:GetBucketObjectLockConfiguration",
                      "s3:GetObjectRetention",
                      "s3:PutBucketObjectLockConfiguration",
                      "s3:PutObjectRetention"
                  ],
                  "Resource": "arn:aws-iso:s3:::netapp-backup*/*",
                  "Effect": "Allow"
              }
          ]
      }
      Secret regions
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "s3:ListBucket",
                      "s3:GetBucketLocation"
                  ],
                  "Resource": "arn:aws-iso-b:s3:::netapp-backup*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "s3:GetObject",
                      "s3:PutObject",
                      "s3:DeleteObject",
                      "s3:ListAllMyBuckets",
                      "s3:PutObjectTagging",
                      "s3:GetObjectTagging",
                      "s3:RestoreObject",
                      "s3:GetBucketObjectLockConfiguration",
                      "s3:GetObjectRetention",
                      "s3:PutBucketObjectLockConfiguration",
                      "s3:PutObjectRetention"
                  ],
                  "Resource": "arn:aws-iso-b:s3:::netapp-backup*/*",
                  "Effect": "Allow"
              }
          ]
      }
    • HA mediator

      {
      	"Version": "2012-10-17",
      	"Statement": [{
      			"Effect": "Allow",
      			"Action": [
      				"ec2:AssignPrivateIpAddresses",
      				"ec2:CreateRoute",
      				"ec2:DeleteRoute",
      				"ec2:DescribeNetworkInterfaces",
      				"ec2:DescribeRouteTables",
      				"ec2:DescribeVpcs",
      				"ec2:ReplaceRoute",
      				"ec2:UnassignPrivateIpAddresses",
                      "sts:AssumeRole",
                      "ec2:DescribeSubnets"
      			],
      			"Resource": "*"
      		}
      	]
      }
  3. Create an IAM role and attach the policies that you created to the role.

Result

You now have IAM roles that you can select when you create a new Cloud Volumes ONTAP working environment.