Set up permissions for FSx for ONTAP
To create or manage an Amazon FSx for NetApp ONTAP working environment, you need to add AWS credentials to BlueXP by providing the ARN of an IAM role that gives BlueXP the permissions needed to create an FSx for ONTAP working environment.
Set up the IAM role
Set up an IAM role that enables BlueXP to assume the role.
- Go to the IAM console in the target account.
- Under Access Management, click Roles > Create Role and follow the steps to create the role.
- Under Trusted entity type, select AWS account.
- Select Another AWS account and enter the BlueXP account ID:
  - For BlueXP SaaS: 952013314444
  - For AWS GovCloud (US): 033442085313
- Create a policy that includes the following required minimum permissions and, as needed, the optional permissions.
  Required permissions: the following minimum permissions are required to allow BlueXP to create your FSx for NetApp ONTAP file system.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "fsx:*",
          "ec2:Describe*",
          "ec2:CreateTags",
          "iam:CreateServiceLinkedRole",
          "kms:Describe*",
          "kms:List*",
          "kms:CreateGrant"
        ],
        "Resource": "*"
      }
    ]
  }
  Automatic capacity: the following additional permissions are required to enable automatic capacity management (add them to the "Action" list above).
  "cloudwatch:GetMetricData",
  "cloudwatch:GetMetricStatistics"
  Security groups: the following additional permissions are required to allow BlueXP to generate security groups (add them to the "Action" list above).
  "ec2:AuthorizeSecurityGroupEgress",
  "ec2:AuthorizeSecurityGroupIngress",
  "ec2:RevokeSecurityGroupEgress",
  "ec2:RevokeSecurityGroupIngress",
  "ec2:CreateSecurityGroup",
  "ec2:DeleteSecurityGroup",
  "cloudformation:CreateStack",
  "cloudformation:ValidateTemplate",
  "cloudformation:DescribeStacks",
  "cloudformation:DescribeStackEvents"
- Copy the Role ARN of the IAM role so that you can paste it in BlueXP in the next step.
The IAM role now has the required permissions.
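As an added example (not NetApp's or BlueXP's own code), the following Python builds the trust policy and the permissions policy described in the steps above from the account IDs and action lists on this page, and checks an existing policy document against the required minimum set. The function names are assumptions; nothing here calls AWS.

```python
import fnmatch
# Account IDs stated on the page: BlueXP SaaS and AWS GovCloud (US)
BLUEXP_ACCOUNT_IDS = {"saas": "952013314444", "govcloud": "033442085313"}
# The permission sets from the page
REQUIRED_ACTIONS = [
    "fsx:*", "ec2:Describe*", "ec2:CreateTags", "iam:CreateServiceLinkedRole",
    "kms:Describe*", "kms:List*", "kms:CreateGrant",
]
AUTO_CAPACITY_ACTIONS = ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics"]
SECURITY_GROUP_ACTIONS = [
    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
    "cloudformation:CreateStack", "cloudformation:ValidateTemplate",
    "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
]

def trust_policy(environment="saas"):
    """Trust policy that lets the BlueXP account assume this role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        # IAM accepts a bare account ID here; it means that account's root
        "Principal": {"AWS": BLUEXP_ACCOUNT_IDS[environment]},
        "Action": "sts:AssumeRole",
    }]}

def permissions_policy(auto_capacity=False, security_groups=False):
    """Permissions policy: the required set plus the optional sets you enable."""
    actions = list(REQUIRED_ACTIONS)
    if auto_capacity:
        actions += AUTO_CAPACITY_ACTIONS
    if security_groups:
        actions += SECURITY_GROUP_ACTIONS
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": actions, "Resource": "*",
    }]}

def missing_actions(policy, needed=REQUIRED_ACTIONS):
    """Actions in `needed` that no Allow statement of `policy` covers.
    Wildcards such as ec2:Describe* are matched case-insensitively, as IAM
    does; Deny statements and resource scoping are not evaluated here."""
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        granted += [acts] if isinstance(acts, str) else list(acts)
    return [a for a in needed
            if not any(fnmatch.fnmatchcase(a.lower(), g.lower()) for g in granted)]
```

Running missing_actions() over the policy document you attached to the role, before copying its ARN, catches a dropped action or a typo in the list.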
Add the credentials
After you provide the IAM role with the required permissions, add the role ARN to BlueXP.
If you just created the IAM role, it might take a few minutes until it is available for use. Wait a few minutes before you add the credentials to BlueXP.
- In the upper right of the BlueXP console, click the Settings icon, and select Credentials.
- Click Add Credentials and follow the steps in the wizard.
  - Credentials Location: Select Amazon Web Services > BlueXP.
  - Define Credentials: Provide the ARN (Amazon Resource Name) of the IAM role.
    If you use an AWS GovCloud (US) account, check I use an AWS GovCloud (US) account.
    Note: Authenticating using AWS GovCloud will disable the SaaS platform. This is a permanent change to your account and cannot be undone.
  - Review: Confirm the details about the new credentials and click Add.
You can now use the credentials when creating an FSx for ONTAP working environment.