How Cloud Manager uses cloud provider permissions
Cloud Manager requires permissions to perform actions in your cloud provider. These permissions are included in the policies provided by NetApp. You might want to understand what Cloud Manager does with these permissions.
What Cloud Manager does with AWS permissions
Cloud Manager uses an AWS account to make API calls to several AWS services, including EC2, S3, CloudFormation, IAM, the Security Token Service (STS), and the Key Management Service (KMS).
| Actions | Purpose |
|---|---|
| `ec2:StartInstances` | Launches a Cloud Volumes ONTAP instance and stops, starts, and monitors the instance. |
| `ec2:DescribeInstanceAttribute` | Verifies that enhanced networking is enabled for supported instance types. |
| `ec2:DescribeRouteTables` | Launches a Cloud Volumes ONTAP HA configuration. |
| `ec2:CreateTags` | Tags every resource that Cloud Manager creates with the "WorkingEnvironment" and "WorkingEnvironmentId" tags. Cloud Manager uses these tags for maintenance and cost allocation. |
| `ec2:CreateVolume` | Manages the EBS volumes that Cloud Volumes ONTAP uses as back-end storage. |
| `ec2:CreateSecurityGroup` | Creates predefined security groups for Cloud Volumes ONTAP. |
| `ec2:CreateNetworkInterface` | Creates and manages network interfaces for Cloud Volumes ONTAP in the target subnet. |
| `ec2:DescribeSubnets` | Gets the list of destination subnets and security groups, which is needed when creating a new working environment for Cloud Volumes ONTAP. |
| `ec2:DescribeDhcpOptions` | Determines DNS servers and the default domain name when launching Cloud Volumes ONTAP instances. |
| `ec2:CreateSnapshot` | Takes snapshots of EBS volumes during initial setup and whenever a Cloud Volumes ONTAP instance is stopped. |
| `ec2:GetConsoleOutput` | Captures the Cloud Volumes ONTAP console, which is attached to AutoSupport messages. |
| `ec2:DescribeKeyPairs` | Obtains the list of available key pairs when launching instances. |
| `ec2:DescribeRegions` | Gets a list of available AWS regions. |
| `ec2:DeleteTags` | Manages tags for resources associated with Cloud Volumes ONTAP instances. |
| `cloudformation:CreateStack` | Launches Cloud Volumes ONTAP instances. |
| `iam:PassRole` | Launches a Cloud Volumes ONTAP HA configuration. |
| `iam:ListInstanceProfiles` | Manages instance profiles for Cloud Volumes ONTAP instances. |
| `s3:GetBucketTagging` | Obtains information about AWS S3 buckets so Cloud Manager can integrate with the NetApp Data Fabric Cloud Sync service. |
| `s3:CreateBucket` | Manages the S3 bucket that a Cloud Volumes ONTAP system uses as a capacity tier for data tiering. |
| `kms:List*` | Enables data encryption of Cloud Volumes ONTAP using the AWS Key Management Service (KMS). |
| `ce:GetReservationUtilization` | Obtains AWS cost data for Cloud Volumes ONTAP. |
| `ec2:CreatePlacementGroup` | When you deploy an HA configuration in a single AWS Availability Zone, Cloud Manager launches the two HA nodes and the mediator in an AWS spread placement group. |
| `ec2:DescribeReservedInstancesOfferings` | Cloud Manager uses the permission as part of Cloud Compliance deployment to choose which instance type to use. |
| `s3:DeleteBucket` | Cloud Manager uses these permissions when you enable the Backup to S3 service. |
What Cloud Manager does with Azure permissions
The Cloud Manager Azure policy includes the permissions that Cloud Manager needs to deploy and manage Cloud Volumes ONTAP in Azure.
| Actions | Purpose |
|---|---|
| `Microsoft.Compute/locations/operations/read` | Creates Cloud Volumes ONTAP and stops, starts, deletes, and obtains the status of the system. |
| `Microsoft.Compute/images/write` | Enables Cloud Volumes ONTAP deployment from a VHD. |
| `Microsoft.Compute/disks/delete` | Manages Azure storage accounts and disks, and attaches the disks to Cloud Volumes ONTAP. |
| `Microsoft.Network/networkInterfaces/read` | Creates and manages network interfaces for Cloud Volumes ONTAP in the target subnet. |
| `Microsoft.Network/networkSecurityGroups/read` | Creates predefined network security groups for Cloud Volumes ONTAP. |
| `Microsoft.Resources/subscriptions/locations/read` | Gets network information about regions, the target VNet and subnet, and adds Cloud Volumes ONTAP to VNets. |
| `Microsoft.Network/virtualNetworks/subnets/write` | Enables VNet service endpoints for data tiering. |
| `Microsoft.Resources/deployments/operations/read` | Deploys Cloud Volumes ONTAP from a template. |
| `Microsoft.Resources/deployments/operations/read` | Creates and manages resource groups for Cloud Volumes ONTAP. |
| `Microsoft.Compute/snapshots/write` | Creates and manages Azure managed snapshots. |
| `Microsoft.Compute/availabilitySets/write` | Creates and manages availability sets for Cloud Volumes ONTAP. |
| `Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read` | Enables programmatic deployments from the Azure Marketplace. |
| `Microsoft.Network/loadBalancers/read` | Manages an Azure load balancer for HA pairs. |
| `Microsoft.Authorization/locks/*` | Enables management of locks on Azure disks. |
| `Microsoft.Authorization/roleDefinitions/write` | Manages failover for HA pairs. |
| `Microsoft.Network/privateEndpoints/write` | Enables the management of private endpoints. Private endpoints are used when there is no connectivity outside the subnet: Cloud Manager creates the storage account for HA with only internal connectivity within the subnet. |
| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete` | Enables Cloud Manager to delete volumes for Azure NetApp Files. |
| `Microsoft.Resources/deployments/operationStatuses/read` | Azure requires this permission for some virtual machine deployments (it depends on the underlying physical hardware that's used during deployment). |
| `Microsoft.Resources/deployments/operationStatuses/read` | Enables you to use Global File Cache. |
| `Microsoft.Compute/diskEncryptionSets/read` | Enables Cloud Manager to encrypt Azure managed disks on single-node Cloud Volumes ONTAP systems using external keys from another account. This feature is supported using APIs. |
What Cloud Manager does with GCP permissions
The Cloud Manager policy for GCP includes the permissions that Cloud Manager needs to deploy and manage Cloud Volumes ONTAP.
| Actions | Purpose |
|---|---|
| `compute.disks.create` | To create and manage disks for Cloud Volumes ONTAP. |
| `compute.firewalls.create` | To create firewall rules for Cloud Volumes ONTAP. |
| `compute.globalOperations.get` | To get the status of operations. |
| `compute.images.get` | To get images for VM instances. |
| `compute.instances.attachDisk` | To attach and detach disks to Cloud Volumes ONTAP. |
| `compute.instances.create` | To create and delete Cloud Volumes ONTAP VM instances. |
| `compute.instances.get` | To list VM instances. |
| `compute.instances.getSerialPortOutput` | To get console logs. |
| `compute.instances.list` | To retrieve the list of instances in a zone. |
| `compute.instances.setDeletionProtection` | To set deletion protection on the instance. |
| `compute.instances.setLabels` | To add labels. |
| `compute.instances.setMachineType` | To change the machine type for Cloud Volumes ONTAP. |
| `compute.instances.setMetadata` | To add metadata. |
| `compute.instances.setTags` | To add tags for firewall rules. |
| `compute.instances.start` | To start and stop Cloud Volumes ONTAP. |
| `compute.machineTypes.get` | To get the number of cores to check quotas. |
| `compute.projects.get` | To support multiple projects. |
| `compute.snapshots.create` | To create and manage persistent disk snapshots. |
| `compute.networks.get` | To get the networking information needed to create a new Cloud Volumes ONTAP virtual machine instance. |
| `deploymentmanager.compositeTypes.get` | To deploy the Cloud Volumes ONTAP virtual machine instance using Google Cloud Deployment Manager. |
| `logging.logEntries.list` | To get stack log drives. |
| `resourcemanager.projects.get` | To support multiple projects. |
| `storage.buckets.create` | To create and manage a Google Cloud Storage bucket for data tiering. |
| `cloudkms.cryptoKeyVersions.useToEncrypt` | To use customer-managed encryption keys from the Cloud Key Management Service with Cloud Volumes ONTAP. |
| `compute.instances.setServiceAccount` | To set a service account on the Cloud Volumes ONTAP instance. This service account provides permissions for data tiering to a Google Cloud Storage bucket. |
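The three tables above mix exact action names (most entries) with wildcard patterns (`kms:List*` in the AWS policy, `Microsoft.Authorization/locks/*` in the Azure policy), and a reviewer of a connector's policy usually wants two things: confirmation that every action an operation needs is actually granted, and a list of which grants are wildcards or unused, since those are the ones to tighten. The following Python helper is an added example, not NetApp's code or policy. It implements the `*`/`?` pattern matching that AWS IAM and Azure RBAC use for actions (case-insensitive) and audits a granted list against a needed list; GCP permissions are matched exactly by the same code because they carry no wildcards. The sample granted lists are subsets of the tables above; the "needed" lists and the concrete KMS actions `kms:ListKeys` and `kms:ListAliases` are constructed for the illustration and are not taken from the page.

```python
import re
from typing import Dict, Iterable, List


def action_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an IAM/Azure-style action pattern into an anchored regex.

    '*' matches any run of characters, '?' exactly one; everything else is
    literal. Matching is case-insensitive, as AWS IAM action matching is.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def matches(pattern: str, action: str) -> bool:
    """True if the granted pattern allows the concrete action."""
    return action_to_regex(pattern).match(action) is not None


def audit(granted: Iterable[str], needed: Iterable[str]) -> Dict[str, object]:
    """Compare a policy's granted patterns against the actions an operation needs.

    Returns: 'missing' (needed but not granted), 'unused' (granted but not needed
    by this operation), 'wildcards_in_use' (wildcard grants that cover at least
    one needed action, i.e. candidates for narrowing) and the full coverage map.
    """
    granted = list(granted)
    needed = list(needed)
    coverage: Dict[str, List[str]] = {
        action: [p for p in granted if matches(p, action)] for action in needed
    }
    missing = [a for a in needed if not coverage[a]]
    unused = [p for p in granted if not any(matches(p, a) for a in needed)]
    wildcards = sorted(
        {p for hits in coverage.values() for p in hits if "*" in p or "?" in p}
    )
    return {
        "missing": missing,
        "unused": unused,
        "wildcards_in_use": wildcards,
        "coverage": coverage,
    }


# Constructed sample: a subset of the AWS actions listed above, audited against a
# hypothetical "launch a KMS-encrypted instance" step (the needed list is assumed).
def audit_aws_sample() -> Dict[str, object]:
    granted = [
        "ec2:StartInstances", "ec2:DescribeInstanceAttribute", "ec2:CreateTags",
        "kms:List*", "s3:CreateBucket", "ce:GetReservationUtilization",
    ]
    needed = [
        "ec2:StartInstances", "ec2:CreateTags",
        "kms:ListKeys", "kms:ListAliases",        # assumed concrete KMS actions
        "cloudformation:CreateStack",             # deliberately left out of 'granted'
    ]
    return audit(granted, needed)


# Constructed sample: the Azure lock wildcard from the table above covers both
# concrete lock operations the assumed step needs.
def audit_azure_sample() -> Dict[str, object]:
    granted = ["Microsoft.Authorization/locks/*", "Microsoft.Compute/disks/delete"]
    needed = ["Microsoft.Authorization/locks/read", "Microsoft.Authorization/locks/write"]
    return audit(granted, needed)


# Constructed sample: GCP permissions have no wildcards, so only exact names count.
def audit_gcp_sample() -> Dict[str, object]:
    granted = ["compute.disks.create", "compute.instances.get"]
    needed = ["compute.instances.get", "compute.instances.list"]
    return audit(granted, needed)


if __name__ == "__main__":
    for name, result in (("aws", audit_aws_sample()),
                         ("azure", audit_azure_sample()),
                         ("gcp", audit_gcp_sample())):
        print(name, "missing:", result["missing"],
              "wildcards:", result["wildcards_in_use"],
              "unused:", result["unused"])
```

Feed `audit()` the action list from your deployed policy and the actions a given Cloud Manager operation is documented to use; anything in `missing` will fail at runtime, and anything in `wildcards_in_use` is a grant worth replacing with the concrete actions it is actually covering.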