Set up permissions for FSx for ONTAP

Contributors juliantap

To create or manage an Amazon FSx for ONTAP working environment, you need an AWS access key and secret key for an IAM user with FSx for ONTAP permissions. These permissions are different from the permissions required to create a Connector in AWS.

To grant FSx for ONTAP permissions to a user, you need to create a new IAM policy or edit an existing policy. You can then attach the policy to a user or user group.

Create a new policy

You can create a new IAM policy for FSx for ONTAP.

Steps
  1. From the AWS IAM console, click Create Policy.

  2. Using the JSON editor, paste the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "fsx:*",
                    "ec2:Describe*",
                    "ec2:CreateTags",
                    "kms:Describe*",
                    "kms:List*",
                    "iam:CreateServiceLinkedRole"
                ],
                "Resource": "*"
            }
        ]
    }

  3. Open the Visual Editor tab to confirm the correct configuration. Click Next: Tags.

    Screenshot of FSx policy confirmation in console Visual Editor

  4. Optionally, add any tags to help you organize your policies. Click Next: Review.

  5. Confirm your policy configuration and click Create Policy.

  6. Type a name and description for your policy and click Create Policy.

For more details on creating an IAM policy, see AWS Documentation: Creating IAM Policies.

Edit an existing policy

If you have an existing IAM policy, you can edit it to add permissions for FSx for ONTAP.

Steps
  1. From the AWS IAM console, select the policy you want to edit.

    Screenshot of selecting a policy to edit from AWS console

  2. Edit the policy to include the following actions for FSx for ONTAP:

                "Action": [
                    "fsx:*",
                    "ec2:Describe*",
                    "ec2:CreateTags",
                    "kms:Describe*",
                    "kms:List*",
                    "iam:CreateServiceLinkedRole"
                ]
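
After editing an existing policy, you can check offline that its JSON grants every action listed above. The following is an added example, not code from the original page: the function names, the sample policy and its account ID are constructed, and it assumes the actions must be allowed unconditionally on `"Resource": "*"`, as in the policy shown on this page.

```python
import json
import re

# Actions listed in the page's FSx for ONTAP policy.
REQUIRED = ["fsx:*", "ec2:Describe*", "ec2:CreateTags",
            "kms:Describe*", "kms:List*", "iam:CreateServiceLinkedRole"]

def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers(granted, required):
    """True if `granted` allows everything `required` names.
    Action names are case-insensitive; `required` is matched as a literal,
    so its '*' can only be absorbed by a '*' in `granted`."""
    rx = re.escape(granted.lower()).replace(r"\*", ".*").replace(r"\?", "[^*]")
    return re.fullmatch(rx, required.lower()) is not None

def missing_fsx_actions(policy_json):
    """List required actions lacking an unconditional Allow on Resource "*".
    Deny statements, NotAction and permission boundaries are not evaluated."""
    granted = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        granted += _as_list(stmt.get("Action"))
    return [r for r in REQUIRED if not any(_covers(g, r) for g in granted)]

# Constructed sample: an existing policy that was only partly updated.
EXISTING_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["fsx:*", "ec2:describe*", "ec2:CreateTags", "kms:DescribeKey"]},
    {"Effect": "Allow", "Action": "kms:List*",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"}
  ]
}"""

if __name__ == "__main__":
    for action in missing_fsx_actions(EXISTING_POLICY):
        print("missing:", action)
```

An empty result means every listed action is present; the check says nothing about whether the policy grants more than FSx for ONTAP needs.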

Attach the policy

After creating or editing a policy to enable FSx for ONTAP, attach it to an IAM user group or directly to a specific IAM user.

For detailed instructions on creating and managing AWS users and groups, see: