Skip to main content
Amazon FSx for NetApp ONTAP

Set up permissions for FSx for ONTAP

Contributors netapp-rlithman
PDFs

To create or manage an FSx for ONTAP file system, you need to add AWS credentials in the NetApp Console by providing the ARN of an IAM role that gives the permissions needed to create an FSx for ONTAP system from the NetApp Console.

Why AWS credentials are required

AWS credentials are required to create and manage FSx for ONTAP systems from the NetApp Console. You can create new credentials or add them to an existing organization. Credentials allow you to manage AWS resources from the NetApp Console.

Credentials and permissions are managed by NetApp Workload Factory. Workload Factory is a life-cycle management platform designed to help users manage and improve VMware, EDA, and database workloads that run on Amazon FSx for NetApp ONTAP file systems. The NetApp Console and Workload Factory use the same set of AWS credentials and permissions. Storage is the storage management capability in Workload Factory and it is the only capability you need to turn on and add credentials for to create and manage your FSx for ONTAP file systems.

About this task

When adding new credentials for FSx for ONTAP from Storage in Workload Factory, you'll need to decide which permission policies you'd like to grant. To discover AWS resources like FSx for ONTAP file systems, you'll need view, planning, and analysis permissions. To deploy FSx for ONTAP file systems, you'll need file system creation and deletion permissions. You can do basic operations for FSx for ONTAP without permissions. Learn more about permissions.

New and existing AWS credentials are viewable from the Administration menu on the Credentials page.

A screenshot of the Administration menu and the Credentials option highlighted in the NetApp Console administration menu.

You can add credentials using two methods:

  • Manually: You create the IAM policy and the IAM role in your AWS account while adding credentials in Workload Factory.

  • Automatically: You capture a minimal amount of information about permissions and then use a CloudFormation stack to create the IAM policies and role for your credentials.

Add credentials to an account manually

You can manually add AWS credentials to the NetApp Console to give your account the permissions for managing workload capabilities you want to use, and an IAM role that is assigned to your account.

There are three parts to creating the credentials:

  • Select the services and permissions level that you would like to use and then create IAM policies from the AWS Management Console.

  • Create an IAM role from the AWS Management Console.

  • Enter a name and add the credentials in the NetApp Console.

To create or manage an FSx for ONTAP file system, you need to add AWS credentials in the NetApp Console by providing the ARN of an IAM role that gives Workload Factory the permissions needed to create an FSx for ONTAP file system.

Before you begin

You'll need to have credentials to log in to your AWS account.

Steps

  1. From the NetApp Console menu, select Administration and then Credentials.

  2. From the Organization credentials page, select Add credentials.

  3. Select Amazon Web Services, then FSx for ONTAP, and then Next.

  4. Select Add manually and then follow the steps below to fill out the three sections under Permissions configuration.

Step 1: Select the storage capability and create the IAM policy

In this section, you'll choose the storage capability to manage with these credentials, and the permissions for storage. You also have the option to select other workloads like Databases, GenAI, or VMware. Once you've made your selections, you'll need to copy the policy permissions for each selected workload from the Codebox and add them into the AWS Management Console within your AWS account to create the policies.

Steps

  1. From the Create permission policies section, enable each of the workload capabilities that you want to include in these credentials. Enable Storage to create and manage file systems.

    You can add additional capabilities later, so just select the workloads that you currently want to deploy and manage.

  2. For those workload capabilities that offer a choice of permission policies, select the type of permissions that will be available with these credentials. Learn about the permissions.

  3. Optional: Select Enable automatic permissions check to check if you have the required AWS account permissions to complete workload operations. Enabling the check adds the iam:SimulatePrincipalPolicy permission to your permission policies. The purpose of this permission is to confirm permissions only. You can remove the permission after adding credentials, but we suggest keeping it to stop resources from being created if some steps fail and to avoid manual cleanup.

  4. In the Codebox window, copy the permissions for the first IAM policy.

  5. Open another browser window and log in to your AWS account in the AWS Management Console.

  6. Open the IAM service, and then select Policies > Create Policy.

  7. Select JSON as the file type, paste the permissions you copied in step 4, and select Next.

  8. Enter the name for the policy and select Create Policy.

  9. If you've selected multiple workload capabilities in step 1, repeat these steps to create a policy for each set of workload permissions.

Step 2: Create the IAM role that uses the policies

In this section you'll set up an IAM role that Workload Factory will assume that includes the permissions and policies that you just created.

Steps

  1. In the AWS Management Console, select Roles > Create Role.

  2. Under Trusted entity type, select AWS account.

    1. Select Another AWS account and copy and paste the account ID for FSx for ONTAP workload management from the Console user interface.

    2. Select Required external ID and copy and paste the external ID in the NetApp Console user interface.

  3. Select Next.

  4. In the Permissions policy section, choose all the policies that you defined previously and select Next.

  5. Enter a name for the role and select Create role.

  6. Copy the Role ARN.

  7. Return to the Add credentials page in the NetApp Console, expand the Create role section, and paste the ARN in the Role ARN field.

Step 3: Enter a name and add the credentials

The final step is to enter a name for the credentials.

Steps

  1. From the Add credentials page, expand Credentials name.

  2. Enter the name that you want to use for these credentials.

  3. Select Add to create the credentials.

Result

Console creates the credentials and displays them on the Credentials page. You can use, rename, or remove credentials from the NetApp Console.

Add credentials to an account using CloudFormation

You can add AWS credentials to NetApp Workload Factory using an AWS CloudFormation stack by selecting the workload capabilities that you want to use, and then launching the AWS CloudFormation stack in your AWS account. CloudFormation will create the IAM policies and IAM role based on the workload capabilities you selected.

Before you begin

  • You'll need to have credentials to log in to your AWS account.

  • You'll need to have the following permissions in your AWS account when adding credentials using a CloudFormation stack:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListStacks",
        "cloudformation:ListStackResources",
        "cloudformation:GetTemplate",
        "cloudformation:ValidateTemplate",
        "lambda:InvokeFunction",
        "iam:PassRole",
        "iam:CreateRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:AttachRolePolicy",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    }
  ]
}
Steps

  1. From the NetApp Console menu, select Administration and then Credentials.

  2. Select Add credentials.

  3. Select Amazon Web Services, then FSx for ONTAP, and then Next.

    You're now on the Add Credentials page in NetApp Workload Factory.

  4. Select Add via AWS CloudFormation.

  5. Under Create policies, enable each of the workload capabilities that you want to include in these credentials and choose a permission level for each workload.

    You can add additional capabilities later, so just select the workloads that you currently want to deploy and manage.

  6. Optional: Select Enable automatic permissions check to check if you have the required AWS account permissions to complete workload operations. Enabling the check adds the iam:SimulatePrincipalPolicy permission to your permission policies. The purpose of this permission is to confirm permissions only. You can remove the permission after adding credentials, but we suggest keeping it to stop resources from being created if some steps fail and to avoid manual cleanup.

  7. Under Credentials name, enter the name that you want to use for these credentials.

  8. Add the credentials from AWS CloudFormation:

    1. Select Add (or select Redirect to CloudFormation) and the Redirect to CloudFormation page is displayed.

    2. If you use single sign-on (SSO) with AWS, open a separate browser tab and log in to the AWS Console before you select Continue.

      You should log in to the AWS account where the FSx for ONTAP file system resides.

    3. Select Continue from the Redirect to CloudFormation page.

    4. On the Quick create stack page, under Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources.

    5. Select Create stack.

    6. Return to Administration > Credentials page from the main menu to verify that the new credentials are in progress, or that they have been added.

Result

Console creates the credentials and displays them on the Credentials page. You can use, rename, or remove credentials from the NetApp Console.