All BlueXP documentation

Permissions summary for BlueXP

06/05/2023

In order to use the features and services in BlueXP, you’ll need to provide permissions so that BlueXP can perform operations in your cloud environment. Use the links on this page to quickly access the permissions that you need based on your goal.

AWS permissions

Purpose	Description	Link
Connector deployment from BlueXP	The user who creates a Connector from BlueXP needs specific permissions to deploy the instance in AWS.	Set up AWS permissions
Connector operation	When BlueXP launches the Connector, it attaches a policy to the instance that provides the permissions required to manage resources and processes in your AWS account. You need to set up the policy yourself if you launch a Connector from the marketplace, manually install the Connector, or if you add more AWS credentials to a Connector. You also need to ensure that the policy is up to date as new permissions are added in subsequent releases.	AWS permissions for the Connector
Cloud Volumes ONTAP operation	An IAM role must be attached to each Cloud Volumes ONTAP node in AWS. The same is true for the HA mediator. The default option is to let BlueXP create the IAM roles for you, but you can use your own.	Learn how to set up the IAM roles yourself

Purpose

Description

Link

Connector deployment from BlueXP

The user who creates a Connector from BlueXP needs specific permissions to deploy the instance in AWS.

Set up AWS permissions

Connector operation

When BlueXP launches the Connector, it attaches a policy to the instance that provides the permissions required to manage resources and processes in your AWS account.

You need to set up the policy yourself if you launch a Connector from the marketplace, manually install the Connector, or if you add more AWS credentials to a Connector.

You also need to ensure that the policy is up to date as new permissions are added in subsequent releases.

AWS permissions for the Connector

Cloud Volumes ONTAP operation

An IAM role must be attached to each Cloud Volumes ONTAP node in AWS. The same is true for the HA mediator. The default option is to let BlueXP create the IAM roles for you, but you can use your own.

Learn how to set up the IAM roles yourself

Azure permissions

Purpose	Description	Link
Connector deployment from BlueXP	When you deploy a Connector from BlueXP, you need to use an Azure account or service principal that has permissions to deploy the Connector VM in Azure.	Set up Azure permissions
Connector operation	When BlueXP deploys the Connector VM in Azure, it creates a custom role that provides the permissions required to manage resources and processes within that Azure subscription. You need to set up the custom role yourself if you launch a Connector from the marketplace, manually install the Connector, or if you add more Azure credentials to a Connector. You also need to ensure that the policy is up to date as new permissions are added in subsequent releases.	Azure permissions for the Connector

Purpose

Description

Link

Connector deployment from BlueXP

When you deploy a Connector from BlueXP, you need to use an Azure account or service principal that has permissions to deploy the Connector VM in Azure.

Set up Azure permissions

Connector operation

When BlueXP deploys the Connector VM in Azure, it creates a custom role that provides the permissions required to manage resources and processes within that Azure subscription.

You need to set up the custom role yourself if you launch a Connector from the marketplace, manually install the Connector, or if you add more Azure credentials to a Connector.

You also need to ensure that the policy is up to date as new permissions are added in subsequent releases.

Azure permissions for the Connector

Google Cloud permissions

Purpose	Description	Link
Connector deployment	The Google Cloud user who deploys a Connector from BlueXP needs specific permissions to deploy the Connector in Google Cloud.	Set up permissions to deploy the Connector
Connector operation	The service account for the Connector VM instance must have specific permissions for day-to-day operations. You need to associate the service account with the Connector when you deploy it from BlueXP. You also need to ensure that the policy is up to date as new permissions are added in subsequent releases.	Google Cloud permissions for the Connector

Purpose

Description

Link

Connector deployment

The Google Cloud user who deploys a Connector from BlueXP needs specific permissions to deploy the Connector in Google Cloud.

Set up permissions to deploy the Connector

Connector operation

The service account for the Connector VM instance must have specific permissions for day-to-day operations. You need to associate the service account with the Connector when you deploy it from BlueXP.

You also need to ensure that the policy is up to date as new permissions are added in subsequent releases.

Google Cloud permissions for the Connector

Creating your file...

Permissions summary for BlueXP

AWS permissions

Azure permissions

Google Cloud permissions