Amazon FSx for NetApp ONTAP

Set up permissions for FSx for ONTAP

Contributors juliantap netapp-bcammett

To create or manage an FSx for ONTAP working environment, you need to add AWS credentials to BlueXP by providing the ARN of an IAM role that gives BlueXP the permissions needed to create an FSx for ONTAP working environment.

Set up the IAM role

Set up an IAM role that enables BlueXP to assume the role.

Steps
  1. Go to the IAM console in the target account.

  2. Grant BlueXP access to the AWS account. Under Access Management, click Roles > Create Role and follow the steps to create the role.

    • Under Trusted entity type, select AWS account.

    • Select Another AWS account and enter the BlueXP Account ID:

      • For BlueXP SaaS: 952013314444

      • For AWS GovCloud (US): 033442085313

        Note: For increased security, we suggest you specify an External ID. To access your AWS account, BlueXP will have to provide the role ARN (Amazon Resource Name) and the external ID you specified. This prevents the confused deputy problem.
  3. Create a policy that includes the following required minimum permissions and optional permissions, as needed.

    Required permissions

    The following minimum permissions are required to allow BlueXP to create your FSx for NetApp ONTAP file system.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "fsx:*",
                    "ec2:Describe*",
                    "ec2:CreateTags",
                    "iam:CreateServiceLinkedRole",
                    "kms:Describe*",
                    "kms:List*",
                    "kms:CreateGrant"
                ],
                "Resource": "*"
            }
        ]
    }

    Automatic capacity

    The following additional permissions are required to enable automatic capacity management.

    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics"

    Security groups

    The following additional permissions are required to allow BlueXP to generate security groups.

    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:CreateSecurityGroup",
    "ec2:DeleteSecurityGroup",
    "cloudformation:CreateStack",
    "cloudformation:ValidateTemplate",
    "cloudformation:DescribeStacks",
    "cloudformation:DescribeStackEvents"

  4. Copy the role ARN of the IAM role so that you can paste it in BlueXP in the next step.
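As an added illustration (not NetApp's code, and not what the IAM console generates for you), the following Python assembles the two policies the steps above describe and audits an existing trust policy for the protections they call for: only a BlueXP account as principal, and an sts:ExternalId condition on the AssumeRole grant. It assumes the standard IAM sts:ExternalId condition key and a bare account ID as the principal; the account IDs and actions are those listed above, and the external ID value is a constructed placeholder.

```python
BLUEXP_ACCOUNTS = {"saas": "952013314444", "govcloud": "033442085313"}  # from the page
REQUIRED_ACTIONS = [
    "fsx:*", "ec2:Describe*", "ec2:CreateTags", "iam:CreateServiceLinkedRole",
    "kms:Describe*", "kms:List*", "kms:CreateGrant",
]
OPTIONAL_ACTIONS = {
    "automatic_capacity": ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics"],
    "security_groups": [
        "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
        "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
        "cloudformation:CreateStack", "cloudformation:ValidateTemplate",
        "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
    ],
}

def trust_policy(partition: str, external_id: str) -> dict:
    """Trust policy letting only the BlueXP account assume the role, and only when it
    presents the external ID (the confused-deputy protection recommended above)."""
    if not external_id:
        raise ValueError("an external ID must be set")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": BLUEXP_ACCOUNTS[partition]},  # bare account ID is valid here
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def permissions_policy(*features: str) -> dict:
    """Minimum required actions plus whichever optional feature sets are requested."""
    actions = list(REQUIRED_ACTIONS)
    for feature in features:
        actions += OPTIONAL_ACTIONS[feature]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": actions, "Resource": "*"}]}

def audit_trust_policy(policy: dict) -> list:
    """Findings: an Allow for a non-BlueXP principal, or AssumeRole with no sts:ExternalId."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = str(stmt.get("Principal", {}))
        if not any(acct in principal for acct in BLUEXP_ACCOUNTS.values()):
            findings.append(f"unexpected principal: {principal}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("AssumeRole grant without an sts:ExternalId condition")
    return findings
```

Run audit_trust_policy against the trust policy already attached to your role to confirm the console produced the external ID condition before you paste the ARN into BlueXP.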

Result

The IAM role now has the required permissions.

Add the credentials

After you provide the IAM role with the required permissions, add the role ARN to BlueXP.

Before you get started

If you just created the IAM role, wait a few minutes for the new credentials to become available.

Steps
  1. In the upper right of the BlueXP console, click the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. Click Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Amazon Web Services > BlueXP.

    2. Define Credentials: Provide a Credentials name, the Role ARN, and the External ID (if you specified one) from the IAM role you set up earlier.

      Note
      • If you use an AWS GovCloud (US) account, check I use an AWS GovCloud (US) account.

        A screenshot of the GovCloud (US) account checkbox.

      • Authenticating using AWS GovCloud will disable the SaaS platform. This is a permanent change to your account and cannot be undone.

    3. Review: Confirm the details about the new credentials and click Add.

Result

You can now use the credentials when creating an FSx for ONTAP working environment.