
Adding AWS credentials and subscriptions in Cloud Manager

Contributors: netapp-bcammett

When you create a Cloud Volumes ONTAP system, you need to select the AWS credentials and subscription to use with that system. If you manage multiple AWS subscriptions, you can assign each one of them to different AWS credentials from the Credentials page.

Before you add AWS credentials to Cloud Manager, you need to provide the required permissions to that account. The permissions enable Cloud Manager to deploy and manage Cloud Volumes ONTAP in that AWS account. How you provide the permissions depends on whether you want to provide Cloud Manager with AWS keys or the ARN of a role in a trusted account.

When you deployed Cloud Manager from Cloud Central, Cloud Manager automatically added AWS credentials for the account in which you deployed Cloud Manager. This initial account is not added if you manually installed the Cloud Manager software on an existing system. Learn about AWS credentials and permissions.


How can I securely rotate my AWS credentials?

Cloud Manager enables you to provide AWS credentials in a few ways: an IAM role associated with the Cloud Manager instance, by assuming an IAM role in a trusted account, or by providing AWS access keys. Learn more about AWS credentials and permissions.

With the first two options, Cloud Manager uses the AWS Security Token Service to obtain temporary credentials that rotate constantly. This process is the best practice: it's automatic and it's secure.

If you provide Cloud Manager with AWS access keys, you should rotate the keys by updating them in Cloud Manager at a regular interval. This is a completely manual process.

Granting permissions by providing AWS keys

If you want to provide Cloud Manager with AWS keys for an IAM user, then you need to grant the required permissions to that user. The Cloud Manager IAM policy defines the AWS actions and resources that Cloud Manager is allowed to use.

Steps
  1. Download the Cloud Manager IAM policy from the Cloud Manager Policies page.

  2. From the IAM console, create your own policy by copying and pasting the text from the Cloud Manager IAM policy.

  3. Attach the policy to an IAM role or an IAM user.

Result

The account now has the required permissions. You can now add it to Cloud Manager.

Granting permissions by assuming IAM roles in other accounts

You can set up a trust relationship between the source AWS account in which you deployed the Cloud Manager instance and other AWS accounts by using IAM roles. You would then provide Cloud Manager with the ARN of the IAM roles from the trusted accounts.

Steps
  1. Go to the target account where you want to deploy Cloud Volumes ONTAP and create an IAM role by selecting Another AWS account.

    Be sure to do the following:

    • Enter the ID of the account where the Cloud Manager instance resides.

    • Attach the Cloud Manager IAM policy, which is available from the Cloud Manager Policies page.

      A screenshot that shows the Create role page in the AWS IAM Console. Under Select type of trusted entity

  2. Go to the source account where the Cloud Manager instance resides and select the IAM role that is attached to the instance.

    1. Click Attach policies and then click Create policy.

    2. Create a policy that includes the "sts:AssumeRole" action and the ARN of the role that you created in the target account.

      Example

      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::ACCOUNT-B-ID:role/ACCOUNT-B-ROLENAME"
        }
      }

Result

The account now has the required permissions. You can now add it to Cloud Manager.
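The two halves of this trust relationship can be checked against each other before you add the role ARN to Cloud Manager. The following is an added example, not NetApp code: it verifies that the source-account policy allows sts:AssumeRole only on one specific role ARN and that the target role's trust policy names only the source account. The account IDs, the role name and the function names are constructed placeholders.

```python
import re

# Matches one specific IAM role ARN (no wildcards).
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def assume_role_statements(policy):
    # IAM accepts "Statement" as one object (as in the page's example) or a list.
    return [st for st in as_list(policy.get("Statement", []))
            if st.get("Effect") == "Allow"
            and "sts:AssumeRole" in as_list(st.get("Action", []))]

def aws_principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else as_list(principal.get("AWS", []))

def check_pair(source_policy, trust_policy, source_account, target_role_arn):
    """Return findings; an empty list means both sides line up."""
    findings = []
    # Source account: the policy attached to the Cloud Manager instance role.
    resources = [r for st in assume_role_statements(source_policy)
                 for r in as_list(st.get("Resource", []))]
    if target_role_arn not in resources:
        findings.append("source policy does not allow sts:AssumeRole on the target role")
    findings += [f"resource is not one specific role ARN: {r}"
                 for r in resources if not ROLE_ARN.match(r)]
    # Target account: the trust policy on the role created in step 1.
    principals = [p for st in assume_role_statements(trust_policy)
                  for p in aws_principals(st)]
    if not any(source_account in p for p in principals):
        findings.append("trust policy does not trust the source account")
    findings += [f"trust policy also trusts: {p}"
                 for p in principals if source_account not in p]
    return findings

# Constructed sample values (placeholders, not from the page).
SOURCE_ACCOUNT = "111111111111"
TARGET_ROLE = "arn:aws:iam::222222222222:role/ExampleCloudManagerRole"
SOURCE_POLICY = {"Version": "2012-10-17",
                 "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Resource": TARGET_ROLE}}
TRUST_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"}}]}

if __name__ == "__main__":
    print(check_pair(SOURCE_POLICY, TRUST_POLICY, SOURCE_ACCOUNT, TARGET_ROLE) or "consistent")
```

The check matches the literal action "sts:AssumeRole" only, so a policy that grants it through a wildcard action such as "sts:*" needs a separate review.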

Adding AWS credentials to Cloud Manager

After you provide an AWS account with the required permissions, you can add the credentials for that account to Cloud Manager. This enables you to launch Cloud Volumes ONTAP systems in that account.

Steps
  1. In the upper right of the Cloud Manager console, click the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the Cloud Manager console.

  2. Click Add Credentials and select AWS.

  3. Provide AWS keys or the ARN of a trusted IAM role.

  4. Confirm that the policy requirements have been met and click Continue.

  5. Choose the pay-as-you-go subscription that you want to associate with the credentials, or click Add Subscription if you don’t have one yet.

    To create a pay-as-you-go Cloud Volumes ONTAP system, AWS credentials must be associated with a subscription to Cloud Volumes ONTAP from the AWS Marketplace.

  6. Click Go.

Result

You can now switch to a different set of credentials from the Details and Credentials page when creating a new working environment:

A screenshot that shows selecting between cloud provider accounts after clicking Switch Account in the Details & Credentials page.

Assigning an AWS subscription to credentials

If you haven’t yet added an AWS subscription to a set of AWS credentials, you can do so any time from the Credentials page. To create a pay-as-you-go Cloud Volumes ONTAP system, AWS credentials must be associated with a subscription to Cloud Volumes ONTAP from the AWS Marketplace.

Steps
  1. In the upper right of the Cloud Manager console, click the Settings icon, and select Credentials.

  2. Hover over a set of credentials and click the action menu.

  3. From the menu, click Add Subscription.

    A screenshot of the Credentials page where you can add a subscription to AWS credentials from the menu.

  4. Click Add Subscription, click Continue, and follow the steps.