Create a Connector in AWS from Cloud Manager

Contributors netapp-bcammett

An Account Admin needs to deploy a Connector before you can use most Cloud Manager features. Learn when a Connector is required. The Connector enables Cloud Manager to manage resources and processes within your public cloud environment.

This page describes how to create a Connector in AWS directly from Cloud Manager. Learn about other ways to deploy a Connector.

These steps must be completed by a user who has the Account Admin role. A Workspace Admin can’t create a Connector.

Tip: When you create your first Cloud Volumes ONTAP working environment, Cloud Manager will prompt you to create a Connector if you don’t have one yet.

Set up AWS authentication

Cloud Manager needs to authenticate with AWS before it can deploy the Connector instance in your VPC. You can choose one of these authentication methods:

  • Let Cloud Manager assume an IAM role

  • Provide an AWS access key and secret key for an IAM user

The authentication method that you use must have the required permissions to deploy the Connector instance in AWS.

Set up an IAM role

Set up an IAM role that Cloud Manager can assume in order to deploy the Connector in AWS.

Steps
  1. Download the Connector IAM policy from the Cloud Manager Policies page.

    This policy includes the permissions needed to create a Connector in AWS. When Cloud Manager creates the Connector, it applies a new set of permissions to the Connector instance.

  2. Go to the AWS IAM console in the target account.

  3. Under Access Management, click Roles > Create Role and follow the steps to create the role.

    Be sure to do the following:

    • Under Trusted entity type, select AWS account.

    • Select Another AWS account and enter the ID of the Cloud Manager SaaS account: 952013314444

    • Create a policy that includes the permissions shown in the Connector IAM policy that you previously downloaded.

  4. Copy the Role ARN of the IAM role so that you can paste it in Cloud Manager when you create the Connector.

Result

The IAM role now has the required permissions.
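The role's trust policy is what decides who may assume it, so it is worth confirming that only the Cloud Manager SaaS account is trusted. The following check is an added example, not NetApp's code; it takes the role's trust policy as a parsed JSON document (the `AssumeRolePolicyDocument` returned by `aws iam get-role`), and the function names and sample policies are constructed for illustration.

```python
# Cloud Manager SaaS account ID, as given in step 3 above.
CLOUD_MANAGER_ACCOUNT = "952013314444"

def principal_accounts(principal):
    """Return the account IDs (or "*") named under a Principal's "AWS" key."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    aws = principal.get("AWS", [])
    accounts = set()
    for value in [aws] if isinstance(aws, str) else aws:
        # Either an ARN (arn:aws:iam::<account>:root), a bare account ID, or "*".
        accounts.add(value.split(":")[4] if value.startswith("arn:") else value)
    return accounts

def audit_trust_policy(policy, expected=CLOUD_MANAGER_ACCOUNT):
    """Return a list of findings; an empty list means only `expected` is trusted."""
    findings, trusted = [], set()
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            for kind in sorted(set(principal) - {"AWS"}):
                findings.append(f"trusts a {kind} principal, not an AWS account")
        trusted |= principal_accounts(principal)
    for account in sorted(trusted - {expected}):
        findings.append(f"unexpected trusted principal: {account}")
    if expected not in trusted:
        findings.append(f"account {expected} is not trusted")
    return findings

# Constructed samples: a trust policy of the shape the steps describe, and a loosened one.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::952013314444:root"}}]}
LOOSE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["952013314444", "arn:aws:iam::111122223333:root", "*"],
                  "Service": "ec2.amazonaws.com"}}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("LOOSE", LOOSE)):
        print(name, audit_trust_policy(doc) or "ok")
```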

Set up permissions for an IAM user

When you create a Connector, you can provide an AWS access key and secret key for an IAM user who has the required permissions to deploy the Connector instance.

Steps
  1. Download the Connector deployment policy from the Cloud Manager Policies page.

    This IAM policy includes the permissions needed to create a Connector in AWS. When Cloud Manager creates the Connector, it applies a new set of permissions to the Connector instance.

  2. From the AWS IAM console, create your own policy by copying and pasting the text from the Connector IAM policy.

  3. Attach the policy that you created in the previous step to the IAM user who will create the Connector from Cloud Manager.

  4. Ensure that you have access to an access key and secret key for the IAM user.

Result

The AWS user now has the permissions required to create the Connector from Cloud Manager. You’ll need to specify AWS access keys for this user when you’re prompted by Cloud Manager.

Create a Connector

Cloud Manager enables you to create a Connector in AWS directly from its user interface.

What you’ll need
  • An AWS authentication method: either the ARN of an IAM role that Cloud Manager can assume, or an AWS access key and secret key for an IAM user.

  • A VPC, subnet, and keypair in your AWS region of choice.

  • If you don’t want Cloud Manager to automatically create an IAM role for the Connector, then you’ll need to create your own using this policy.

    These are the permissions that the Connector needs to manage resources in your public cloud environment. It’s a different set of permissions than what you provided to create the Connector instance.

Steps
  1. If you’re creating your first Working Environment, click Add Working Environment and follow the prompts. Otherwise, click the Connector drop-down and select Add Connector.

    [Screenshot: the Connector icon in the header and the Add Connector action.]

  2. Choose Amazon Web Services as your cloud provider and click Continue.

    Remember that the Connector must have a network connection to the type of working environment that you’re creating and the services that you’re planning to enable.

  3. Follow the steps in the wizard to create the Connector:

    • Get Ready: Review what you’ll need.

    • AWS Credentials: Specify your AWS region and then choose an authentication method, which is either an IAM role that Cloud Manager can assume or an AWS access key and secret key.

      Tip: If you choose Assume Role, you can create the first set of credentials from the Connector deployment wizard. Any additional set of credentials must be created from the Credentials page. They will then be available from the wizard in a drop-down list. Learn how to add additional credentials.

    • Details: Provide details about the Connector.

      • Enter a name for the instance.

      • Add custom tags (metadata) to the instance.

      • Choose whether you want Cloud Manager to create a new role that has the required permissions, or if you want to select an existing role that you set up with the required permissions.

      • Choose whether you want to encrypt the Connector’s EBS disks. You have the option to use the default encryption key or to use a custom key.

    • Network: Specify a VPC, subnet, and key pair for the instance, choose whether to enable a public IP address, and optionally specify a proxy configuration.

    • Security Group: Choose whether to create a new security group or whether to select an existing security group that allows inbound HTTP, HTTPS, and SSH access.

      Note: There’s no incoming traffic to the Connector unless you initiate it. HTTP and HTTPS provide access to the local UI, which you’ll use in rare circumstances. SSH is only needed if you need to connect to the host for troubleshooting.

    • Review: Review your selections to verify that your setup is correct.

  4. Click Add.

    The instance should be ready in about 7 minutes. You should stay on the page until the process is complete.
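If you select an existing security group in the Security Group step, you can review its inbound rules against the three ports the Connector uses. The following check is an added example, not NetApp's code; it reads the `IpPermissions` list from `aws ec2 describe-security-groups` output, and it assumes that rules open to any address or wider than HTTP, HTTPS and SSH are worth flagging. The sample rules and CIDR ranges are constructed.

```python
# Ports the Connector security group is expected to allow, per the Security Group step.
CONNECTOR_PORTS = {22: "SSH", 80: "HTTP", 443: "HTTPS"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def audit_ingress(ip_permissions):
    """Return findings for the inbound rules (IpPermissions) of a security group."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # "-1" means all protocols and ports
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm["FromPort"], perm["ToPort"]
        else:
            findings.append(f"{proto}: protocol is not HTTP, HTTPS or SSH")
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = sorted(set(sources) & ANYWHERE)
        covered = sorted(p for p in CONNECTOR_PORTS if lo <= p <= hi)
        if world:
            for port in covered:
                findings.append(
                    f"{CONNECTOR_PORTS[port]} ({port}) reachable from {', '.join(world)}")
        if hi - lo + 1 > len(covered):
            findings.append(f"ports {lo}-{hi}: range wider than HTTP, HTTPS and SSH")
    return findings

# Constructed sample rules in the shape returned by describe-security-groups.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE):
        print(finding)
```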

After you finish

You need to associate a Connector with workspaces so Workspace Admins can use those Connectors to create Cloud Volumes ONTAP systems. If you only have Account Admins, then associating the Connector with workspaces isn’t required. Account Admins have the ability to access all workspaces in Cloud Manager by default. Learn more.