Skip to main content
BlueXP setup and administration

Manage AWS credentials and marketplace subscriptions for BlueXP

Contributors netapp-bcammett netapp-tonias netapp-rlithman
PDFs

Add and manage AWS credentials so that you deploy and manage cloud resources in your AWS accounts from BlueXP. If you manage multiple AWS Marketplace subscriptions, you can assign each one of them to different AWS credentials from the Credentials page.

Overview

You can add AWS credentials to an existing Connector or directly to BlueXP:

How to rotate credentials

BlueXP enables you to provide AWS credentials in a few ways: an IAM role associated with the Connector instance, by assuming an IAM role in a trusted account, or by providing AWS access keys. Learn more about AWS credentials and permissions.

With the first two options, BlueXP uses the AWS Security Token Service to obtain temporary credentials that rotate constantly. This process is the best practice because it's automatic and it's secure.

Rotate AWS access keys regularly by updating them in BlueXP. This process is manual.

Add additional credentials to a Connector

Add additional AWS credentials to a Connector so that it has the permissions needed to manage resources and processes within your public cloud environment. You can either provide the ARN of an IAM role in another account or provide AWS access keys.

If you're just getting started with BlueXP, Learn how BlueXP uses AWS credentials and permissions.

Grant permissions

Provide required permissions before adding AWS credentials to a Connector. The permissions allow the Connector to manage resources and processes within that AWS account. You can provide the permissions with the the ARN of a role in a trusted account or AWS keys.

Note If you deployed a Connector from BlueXP, BlueXP automatically added AWS credentials for the account in which you deployed the Connector. This ensures the necessary permissions are in place for managing resources. Learn about AWS credentials and permissions.

Choices

Grant permissions by assuming an IAM role in another account

You can set up a trust relationship between the source AWS account in which you deployed the Connector instance and other AWS accounts by using IAM roles. You would then provide BlueXP with the ARN of the IAM roles from the trusted accounts.

If the Connector is installed on-premises, you can't use this authentication method. You must use AWS keys.

Steps

  1. Go to the IAM console in the target account in which you want to provide the Connector with permissions.

  2. Under Access Management, select Roles > Create Role and follow the steps to create the role.

    Be sure to do the following:

    • Under Trusted entity type, select AWS account.

    • Select Another AWS account and enter the ID of the account where the Connector instance resides.

    • Create the required policies by copying and pasting the contents of the IAM policies for the Connector.

  3. Copy the Role ARN of the IAM role so that you can paste it in BlueXP later on.

Result

The account now has the required permissions. You can now add the credentials to a Connector.

Grant permissions by providing AWS keys

If you want to provide BlueXP with AWS keys for an IAM user, then you need to grant the required permissions to that user. The BlueXP IAM policy defines the AWS actions and resources that BlueXP is allowed to use.

You must use this authentication method if the Connector is installed on-premises. You can't use an IAM role.

Steps

  1. From the IAM console, create policies by copying and pasting the contents of the IAM policies for the Connector.

    AWS Documentation: Creating IAM Policies

  2. Attach the policies to an IAM role or an IAM user.

Result

The account now has the required permissions. You can now add the credentials to a Connector.

Add the credentials

After you provide an AWS account with the required permissions, you can add the credentials for that account to an existing Connector. This enables you to launch Cloud Volumes ONTAP systems in that account using the same Connector.

Before you begin

If you just created these credentials in your cloud provider, it might take a few minutes until they are available for use. Wait a few minutes and then add you add the credentials.

Steps

  1. Use the top navigation bar to elect the Connector to which you want to add credentials.

  2. In the upper right of the console, select the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  3. On the Organization credentials or Account credentials page, select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Amazon Web Services > Connector.

    2. Define Credentials: Provide the ARN (Amazon Resource Name) of a trusted IAM role, or enter an AWS access key and secret key.

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

      To pay for services at an hourly rate (PAYGO) or with an annual contract, you must associate AWS credentials with your AWS Marketplace subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Result

You can now switch to a different set of credentials from the Details and Credentials page when creating a new working environment:

A screenshot that shows selecting between cloud provider accounts after selecting Switch Account in the Details & Credentials page.

Add credentials to BlueXP for creating a Connector

Add AWS credentials by providing the ARN of an IAM role that gives the permissions needed to create a Connector. You can choose these credentials when creating a new Connector.

Set up the IAM role

Set up an IAM role that enables the BlueXP software as a service (SaaS) layer to assume the role.

Steps

  1. Go to the IAM console in the target account.

  2. Under Access Management, select Roles > Create Role and follow the steps to create the role.

    Be sure to do the following:

    • Under Trusted entity type, select AWS account.

    • Select Another AWS account and enter the ID of the BlueXP SaaS: 952013314444

    • For Amazon FSx for NetApp ONTAP specifically, edit the Trust relationships policy to include "AWS": "arn:aws:iam::952013314444:root".

      For example, the policy should look like this:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::952013314444:root",
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

      Refer to AWS Identity and Access Management (IAM) documentation for more information on cross account resource access in IAM.

    • Create a policy that includes the permissions required to create a Connector.

  3. Copy the Role ARN of the IAM role so that you can paste it in BlueXP in the next step.

Result

The IAM role now has the required permissions. You can now add it to BlueXP.

Add the credentials

After you provide the IAM role with the required permissions, add the role ARN to BlueXP.

Before you begin

If you just created the IAM role, it might take a few minutes until they are available for use. Wait a few minutes before you add the credentials to BlueXP.

Steps

  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. On the Organization credentials or Account credentials page, select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Amazon Web Services > BlueXP.

    2. Define Credentials: Provide the ARN (Amazon Resource Name) of the IAM role.

    3. Review: Confirm the details about the new credentials and select Add.

Add credentials to BlueXP for Amazon FSx for ONTAP

For details, refer to the BlueXP documentation for Amazon FSx for ONTAP

Configure an AWS subscription

After you add your AWS credentials, you can configure an AWS Marketplace subscription with those credentials. The subscription enables you to pay for Cloud Volumes ONTAP at an hourly rate (PAYGO) or using an annual contract, and to pay for other data services.

There are two scenarios in which you might configure an AWS Marketplace subscription after you've already added the credentials:

  • You didn't configure a subscription when you initially added the credentials.

  • You want to change the AWS Marketplace subscription that is configured to the AWS credentials.

    Replacing the current marketplace subscription with a new subscription changes the marketplace subscription for any existing Cloud Volumes ONTAP working environments and all new working environments.

Before you begin

You need to create a Connector before you can configure a subscription. Learn how to create a Connector.

The following video shows the steps to subscribe to NetApp Intelligent Services from the AWS Marketplace:

Subscribe to NetApp Intelligent Services from the AWS Marketplace
Steps

  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

  2. Select the action menu for a set of credentials and then select Configure Subscription.

    You must select credentials that are associated with a Connector. You can't associate a marketplace subscription with credentials that are associated with BlueXP.

    A screenshot of the action menu for a set of existing credentials.

  3. To associate the credentials with an existing subscription, select the subscription from the down-down list and select Configure.

  4. To associate the credentials with a new subscription, select Add Subscription > Continue and follow the steps in the AWS Marketplace:

    1. Select View purchase options.

    2. Select Subscribe.

    3. Select Set up your account.

      You'll be redirected to the BlueXP website.

    4. From the Subscription Assignment page:

      • Select the BlueXP organizations or accounts that you'd like to associate this subscription with.

      • In the Replace existing subscription field, choose whether you'd like to automatically replace the existing subscription for one organization or account with this new subscription.

        BlueXP replaces the existing subscription for all credentials in the organization or account with this new subscription. If a set of credentials wasn't ever associated with a subscription, then this new subscription won't be associated with those credentials.

        For all other organizations or accounts, you'll need to manually associate the subscription by repeating these steps.

      • Select Save.

Associate an existing subscription with your organization or account

When you subscribe to from the AWS Marketplace, the last step in the process is to associate the subscription with your organization. If you didn't complete this step, then you can't use the subscription with your organization or account.

Follow the steps below if you subscribed to NetApp intelligent data services from the AWS Marketplace, but you missed the step to associate the subscription with your account.

Steps

  1. Go to the digital wallet to confirm that you didn't associate your subscription with your BlueXP organization or account.

    1. From the navigation menu, select Governance > Digital wallet.

    2. Select Subscriptions.

    3. Verify that your subscription doesn't appear.

      You'll only see the subscriptions that are associated with the organization or account that you're currently viewing. If you don't see your subscription, proceed with the following steps.

  2. Log in to the AWS Console and navigate to AWS Marketplace Subscriptions.

  3. Find the NetApp Intelligent Data Services subscription.

    A screenshot of the AWS Marketplace showing a NetApp subscription.

  4. Select Set up product.

    The subscription offer page should load in a new browser tab or window.

  5. Select Set up your account.

    A screenshot of the AWS Marketplace showing a NetApp subscription and the Set up your account option that appears in the top right of the page.

    The Subscription Assignment page on netapp.com should load in a new browser tab or window.

    Note that you might be prompted to log in to BlueXP first.

  6. From the Subscription Assignment page:

    • Select the BlueXP organizations or accounts that you'd like to associate this subscription with.

    • In the Replace existing subscription field, choose whether you'd like to automatically replace the existing subscription for one organization or account with this new subscription.

      BlueXP replaces the existing subscription for all credentials in the organization or account with this new subscription. If a set of credentials wasn't ever associated with a subscription, then this new subscription won't be associated with those credentials.

      For all other organizations or accounts, you'll need to manually associate the subscription by repeating these steps.

      A screenshot of the Subscription Assignment page that enables you to choose the exact BlueXP accounts to associate with this subscription.

  7. Go to the digital wallet to confirm that the subscription is associated with your organization or account.

    1. From the navigation menu, select Governance > Digital wallet.

    2. Select Subscriptions.

    3. Verify that your subscription appears.

  8. Confirm that the subscription is associated with your AWS credentials.

    1. In the upper right of the console, select the Settings icon, and select Credentials.

    2. On the Organization credentials or Account credentials page, verify that the subscription is associated with your AWS credentials.

      Here's an example.

      A screenshot of the BlueXP Account credentials page that shows AWS credentials that includes a subscription field which identifies the name of the subscription that is associated with the credentials.

Edit credentials

Edit your AWS credentials by changing the account type (AWS keys or assume role), by editing the name, or by updating the credentials themselves (the keys or the role ARN).

Note You can't edit the credentials for an instance profile that is associated with a Connector instance or an Amazon FSx for ONTAP instance. You can only rename the credentials for an FSx for ONTAP instance.
Steps

  1. In the upper right of the console, select the Settings icon, and select Credentials.

  2. On the Organization credentials or Account credentials page, select the action menu for a set of credentials and then select Edit Credentials.

  3. Make the required changes and then select Apply.

Delete credentials

If you no longer need a set of credentials, you can delete them. You can only delete credentials that aren't associated with a working environment.

Tip You can't delete the credentials for an instance profile that is associated with a Connector instance.
Steps

  1. In the upper right of the console, select the Settings icon, and select Credentials.

  2. On the Organization credentials or Account credentials page, select the action menu for a set of credentials and then select Delete Credentials.

  3. Select Delete to confirm.