AWS credentials and permissions
Contributors Download PDF of this topic
Cloud Manager enables you to choose the AWS credentials to use when deploying Cloud Volumes ONTAP. You can deploy all of your Cloud Volumes ONTAP systems using the initial AWS credentials, or you can add additional credentials.
Initial AWS credentials
When you deploy Cloud Manager from NetApp Cloud Central, you need to use an AWS account that has permissions to launch the Cloud Manager instance. The required permissions are listed in the NetApp Cloud Central policy for AWS.
When Cloud Central launches the Cloud Manager instance in AWS, it creates an IAM role and an instance profile for the instance. It also attaches a policy that provides Cloud Manager with permissions to deploy and manage Cloud Volumes ONTAP in that AWS account. Review how Cloud Manager uses the permissions.
Cloud Manager selects these AWS credentials by default when you create a new working environment:
Additional AWS credentials
If you want to launch Cloud Volumes ONTAP in different AWS accounts, then you can either provide AWS keys for an IAM user or the ARN of a role in a trusted account. The following image shows two additional accounts, one providing permissions through an IAM role in a trusted account and another through the AWS keys of an IAM user:
You would then add the account credentials to Cloud Manager by specifying the Amazon Resource Name (ARN) of the IAM role, or the AWS keys for the IAM user.
After you add another set of credentials, you can switch to them when creating a new working environment:
What about Marketplace deployments and on-prem deployments?
The sections above describe the recommended deployment method from NetApp Cloud Central. You can also deploy Cloud Manager in AWS from the AWS Marketplace and you can install Cloud Manager on-premises.
If you use the Marketplace, permissions are provided in the same way. You just need to manually create and set up the IAM role, and then provide permissions for any additional accounts.
For on-premises deployments, you can’t set up an IAM role for the Cloud Manager system, but you can provide permissions just like you would for additional AWS accounts.
How can I securely rotate my AWS credentials?
As described above, Cloud Manager enables you to provide AWS credentials in a few ways: an IAM role associated with the Cloud Manager instance, by assuming an IAM role in a trusted account, or by providing AWS access keys.
With the first two options, Cloud Manager uses the AWS Security Token Service to obtain temporary credentials that rotate constantly. This process is the best practice, it’s automatic and it’s secure.
If you provide Cloud Manager with AWS access keys, you should rotate the keys by updating them in Cloud Manager at a regular interval. This is a completely manual process.