Cloud Provider Accounts and permissions

Cloud Manager enables you to choose the Cloud Provider Account in which you want to deploy a Cloud Volumes ONTAP system. You should understand the permissions requirements before you add the accounts to Cloud Manager.

AWS accounts and permissions

You can deploy all of your Cloud Volumes ONTAP systems in the initial AWS account, or you can set up additional accounts.

The initial AWS account

When you deploy Cloud Manager from NetApp Cloud Central, you need to use an AWS account that has permissions to launch the Cloud Manager instance. The required permissions are listed in the Cloud Central policy for AWS.

When Cloud Central launches the Cloud Manager instance in AWS, it creates an IAM role and an instance profile for the instance. It also attaches a policy that provides Cloud Manager with permissions to deploy and manage Cloud Volumes ONTAP in that AWS account.

A conceptual image that shows Cloud Central deploying Cloud Manager in an AWS account. An IAM policy is assigned to an IAM role

Cloud Manager selects this Cloud Provider Account by default when you create a new working environment:

A screenshot that shows the Switch Account option in the Details & Credentials page.

Additional AWS accounts

If you want to launch Cloud Volumes ONTAP in different AWS accounts, then you can either provide AWS keys for an IAM user or the ARN of a role in a trusted account. The following image shows two additional accounts, one providing permissions through an IAM role in a trusted account and another through the AWS keys of an IAM user:

A conceptual image that shows two additional accounts. Each has an IAM policy

You would then add the Cloud Provider Accounts to Cloud Manager by specifying the Amazon Resource Name (ARN) of the IAM role, or the AWS keys for the IAM user.
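The "ARN of a role in a trusted account" option works because the role in the additional account carries a trust policy naming the Cloud Manager instance's IAM role as the principal allowed to call sts:AssumeRole on it. The following added example (not NetApp's code; all account IDs, role names and the ExternalId value are placeholders) builds such a trust policy and runs a least-privilege check over it, flagging the common mistakes of trusting a whole account (`:root`) or any principal (`*`). The ExternalId condition is an optional hardening and is only useful if the assuming side is configured to present that value, which this example assumes.

```python
"""Trust policy for a Cloud Manager "trusted account" role, plus a
least-privilege check on it. Added example, not NetApp's own code; every
account ID, role name and ExternalId below is a constructed placeholder."""
import json
import re

# Constructed placeholder values (not from the original page)
CLOUD_MANAGER_ACCOUNT_ID = "111111111111"             # account running the Cloud Manager instance
CLOUD_MANAGER_ROLE_NAME = "CloudManagerInstanceRole"  # hypothetical name of its instance-profile role
TARGET_ACCOUNT_ID = "222222222222"                    # additional account for Cloud Volumes ONTAP
EXTERNAL_ID = "example-external-id"                   # optional confused-deputy guard (assumption)

IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/[\w+=,.@/-]+$")


def role_arn(account_id, role_name):
    """ARN of an IAM role; this is the value you hand to Cloud Manager for the target role."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_trust_policy(trusted_principal_arn, external_id=None):
    """Trust policy for the role created in the additional account.
    Only the named Cloud Manager role may call sts:AssumeRole on it; with an
    ExternalId condition the caller must also present that exact value."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_findings(policy):
    """Return least-privilege findings for a trust policy (empty list = clean).
    Flags anonymous or account-wide principals and over-broad actions."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("Principal '*' lets any AWS principal assume the role")
            principals = []
        else:
            principals = principal.get("AWS", [])
            if isinstance(principals, str):
                principals = [principals]
        for p in principals:
            if p == "*":
                findings.append("Principal AWS '*' lets any AWS principal assume the role")
            elif p.endswith(":root") or re.fullmatch(r"\d{12}", p):
                findings.append(f"{p} trusts a whole account; scope it to the Cloud Manager role")
            elif not IAM_ARN_RE.match(p):
                findings.append(f"unrecognised principal {p!r}")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("action wildcard grants more than sts:AssumeRole")
    return findings


if __name__ == "__main__":
    arn = role_arn(CLOUD_MANAGER_ACCOUNT_ID, CLOUD_MANAGER_ROLE_NAME)
    policy = build_trust_policy(arn, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))   # save as trust.json for `aws iam create-role`
    print("findings:", trust_policy_findings(policy))
    loose = build_trust_policy(f"arn:aws:iam::{CLOUD_MANAGER_ACCOUNT_ID}:root")
    print("findings for account-wide trust:", trust_policy_findings(loose))
```

The generated document is what you pass to `aws iam create-role --assume-role-policy-document file://trust.json` when creating the role in the additional account; the permissions policy attached to that role is the one NetApp publishes, not something this example invents. Running the check against your own trust policies before adding an account to Cloud Manager catches the account-wide trust that is easy to copy from a console template.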

After you add another account, you can switch to it when creating a new working environment:

A screenshot that shows selecting between Cloud Provider Accounts after clicking Switch Account in the Details & Credentials page.

Azure accounts and permissions

You can deploy all of your Cloud Volumes ONTAP systems in the initial Azure account, or you can set up additional accounts.

The initial Azure account

When you deploy Cloud Manager from NetApp Cloud Central, you need to use an Azure account that has permissions to deploy the Cloud Manager virtual machine. The required permissions are listed in the Cloud Central policy for Azure.

When Cloud Central deploys the Cloud Manager virtual machine in Azure, it enables a Managed Service Identity on the Cloud Manager virtual machine, creates a custom role, and assigns it to the virtual machine. The role provides Cloud Manager with permissions to deploy and manage Cloud Volumes ONTAP in that Azure subscription.

A conceptual image that shows Cloud Central deploying Cloud Manager in an Azure account and subscription. A Managed Service Identity is enabled and a custom role is assigned to the Cloud Manager virtual machine.

Cloud Manager selects this Cloud Provider Account by default when you create a new working environment:

A screenshot that shows the Switch Account option in the Details & Credentials page.

Additional Azure subscriptions for the initial account

The Managed Service Identity is associated with the subscription in which you launched Cloud Manager. If you want to select a different Azure subscription, then you need to associate the Managed Service Identity with those subscriptions.

Additional Azure accounts

If you want to deploy Cloud Volumes ONTAP in different Azure accounts, then you must grant the required permissions by creating and setting up a service principal in Azure Active Directory for each Azure account. The following image shows two additional accounts, each set up with a service principal and custom role that provides permissions:

A conceptual image that shows the initial Azure account

You would then add the Cloud Provider Accounts to Cloud Manager by providing details about the AD service principal.
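Both "associate the Managed Service Identity with those subscriptions" and the service-principal setup for a separate Azure account come down to the same operation: assigning a custom role to a principal (the VM's managed identity or the AD service principal) at the scope of each subscription. A custom role can only be assigned at scopes listed in its AssignableScopes, so a subscription missing from that list is the usual reason an assignment is rejected. The following added example (not NetApp's code; the subscription IDs, principal object IDs, role name and action list are constructed placeholders, and the real action list is the Cloud Central policy for Azure) builds the role definition, plans one assignment per subscription, and refuses to plan an assignment outside the role's assignable scopes.

```python
"""Custom role and role-assignment plan for a Cloud Manager identity in Azure.
Added example, not NetApp's own code; subscription IDs, principal object IDs,
the role name and the action list are constructed placeholders."""
import json

# Constructed placeholder values (not from the original page)
HOME_SUBSCRIPTION = "00000000-0000-0000-0000-000000000001"   # subscription Cloud Manager was launched in
EXTRA_SUBSCRIPTIONS = [                                       # additional subscriptions to manage
    "00000000-0000-0000-0000-000000000002",
    "00000000-0000-0000-0000-000000000003",
]
MSI_OBJECT_ID = "aaaaaaaa-0000-0000-0000-000000000001"        # object ID of the VM's managed identity
SP_OBJECT_ID = "bbbbbbbb-0000-0000-0000-000000000001"         # AD service principal for another account
ROLE_NAME = "Cloud Manager Operator (example)"
# Placeholder actions only; the real list is the Cloud Central policy for Azure
EXAMPLE_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Network/networkInterfaces/read",
]


def build_custom_role(name, actions, subscription_ids):
    """Custom role definition. Azure only allows a custom role to be assigned
    at scopes listed in AssignableScopes, so every subscription the identity
    must manage has to appear here before an assignment there will succeed."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Permissions for Cloud Manager to deploy Cloud Volumes ONTAP",
        "Actions": list(actions),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{s}" for s in subscription_ids],
    }


def plan_role_assignments(role, principal_object_id, principal_type, subscription_ids):
    """One assignment per subscription at subscription scope. Raises ValueError
    before anything is applied if a subscription lies outside the role's
    AssignableScopes, which is the assignment Azure would reject."""
    assignable = set(role["AssignableScopes"])
    plan = []
    for sub in subscription_ids:
        scope = f"/subscriptions/{sub}"
        if scope not in assignable:
            raise ValueError(f"{scope} is not in AssignableScopes of role {role['Name']!r}")
        plan.append({
            "principalId": principal_object_id,
            "principalType": principal_type,   # "ServicePrincipal" for both a managed identity and an app SP
            "roleDefinitionName": role["Name"],
            "scope": scope,
        })
    return plan


def role_findings(role):
    """Least-privilege findings (empty list = clean): a bare '*' action, or an
    assignable scope above subscription level (management group or root)."""
    findings = []
    if "*" in role["Actions"]:
        findings.append("Actions contains '*': every management-plane operation is granted")
    for scope in role["AssignableScopes"]:
        if not scope.startswith("/subscriptions/"):
            findings.append(f"assignable scope {scope!r} is wider than a subscription")
    return findings


if __name__ == "__main__":
    all_subs = [HOME_SUBSCRIPTION] + EXTRA_SUBSCRIPTIONS
    role = build_custom_role(ROLE_NAME, EXAMPLE_ACTIONS, all_subs)
    print(json.dumps(role, indent=2))   # save as role.json for `az role definition create`
    print("findings:", role_findings(role))
    for item in plan_role_assignments(role, MSI_OBJECT_ID, "ServicePrincipal", all_subs):
        print("assign", item["roleDefinitionName"], "to", item["principalId"], "at", item["scope"])
    try:
        plan_role_assignments(role, SP_OBJECT_ID, "ServicePrincipal", ["00000000-0000-0000-0000-000000000009"])
    except ValueError as err:
        print("refused:", err)
```

The role document is what `az role definition create --role-definition @role.json` consumes, and each planned item maps to one `az role assignment create --assignee-object-id <principalId> --assignee-principal-type ServicePrincipal --role "<name>" --scope <scope>` call. For a separate Azure account the same plan is produced with the service principal's object ID, against a role definition created in that account.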

After you add another account, you can switch to it when creating a new working environment:

A screenshot that shows selecting between Cloud Provider Accounts after clicking Switch Account in the Details & Credentials page.

What about Marketplace deployments and on-prem deployments?

The sections above describe the recommended deployment method from NetApp Cloud Central. You can also deploy Cloud Manager from the AWS or Azure Marketplaces and you can install Cloud Manager on-premises.

If you use either of the Marketplaces, permissions are provided in the same way. You just need to manually create and set up the IAM role or Managed Service Identity for Cloud Manager, and then provide permissions for any additional accounts.

For on-premises deployments, you can’t set up an IAM role or Managed Service Identity for the Cloud Manager system, but you can provide permissions just like you would for additional accounts.