Set up AWS IAM roles for Cloud Volumes ONTAP nodes
AWS Identity and Access management (IAM) roles with the required permissions must be attached to each Cloud Volumes ONTAP node. The same is true for the HA mediator. It's easiest to let the NetApp Console create the IAM roles for you, but you can use your own roles.
This task is optional. When you create a Cloud Volumes ONTAP system, the default option is to let the Console create the IAM roles for you. If your business's security policies require you to create the IAM roles yourself, then follow the steps below.
|
Providing your own IAM role is required in AWS Secret Cloud. Learn how to deploy Cloud Volumes ONTAP in C2S. |
-
Go to the AWS IAM console.
-
Create IAM policies that include the following permissions:
-
Base policy for Cloud Volumes ONTAP nodes
Standard regions{ "Version": "2012-10-17", "Statement": [{ "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*", "Effect": "Allow" }, { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::fabric-pool-*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::fabric-pool-*", "Effect": "Allow" } ] }
GovCloud (US) regions{ "Version": "2012-10-17", "Statement": [{ "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws-us-gov:s3:::*", "Effect": "Allow" }, { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws-us-gov:s3:::fabric-pool-*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws-us-gov:s3:::fabric-pool-*", "Effect": "Allow" }] }
Top Secret regions{ "Version": "2012-10-17", "Statement": [{ "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws-iso:s3:::*", "Effect": "Allow" }, { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws-iso:s3:::fabric-pool-*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws-iso:s3:::fabric-pool-*", "Effect": "Allow" }] }
Secret regions{ "Version": "2012-10-17", "Statement": [{ "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws-iso-b:s3:::*", "Effect": "Allow" }, { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws-iso-b:s3:::fabric-pool-*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws-iso-b:s3:::fabric-pool-*", "Effect": "Allow" }] }
-
Backup policy for Cloud Volumes ONTAP nodes
If you plan to use NetApp Backup and Recovery with your Cloud Volumes ONTAP systems, the IAM role for the nodes must include the second policy shown below.
Standard regions{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::netapp-backup*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListAllMyBuckets", "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:RestoreObject", "s3:GetBucketObjectLockConfiguration", "s3:GetObjectRetention", "s3:PutBucketObjectLockConfiguration", "s3:PutObjectRetention" ], "Resource": "arn:aws:s3:::netapp-backup*/*", "Effect": "Allow" } ] }
GovCloud (US) regions{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws-us-gov:s3:::netapp-backup*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListAllMyBuckets", "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:RestoreObject", "s3:GetBucketObjectLockConfiguration", "s3:GetObjectRetention", "s3:PutBucketObjectLockConfiguration", "s3:PutObjectRetention" ], "Resource": "arn:aws-us-gov:s3:::netapp-backup*/*", "Effect": "Allow" } ] }
Top Secret regions{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws-iso:s3:::netapp-backup*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListAllMyBuckets", "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:RestoreObject", "s3:GetBucketObjectLockConfiguration", "s3:GetObjectRetention", "s3:PutBucketObjectLockConfiguration", "s3:PutObjectRetention" ], "Resource": "arn:aws-iso:s3:::netapp-backup*/*", "Effect": "Allow" } ] }
Secret regions{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws-iso-b:s3:::netapp-backup*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListAllMyBuckets", "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:RestoreObject", "s3:GetBucketObjectLockConfiguration", "s3:GetObjectRetention", "s3:PutBucketObjectLockConfiguration", "s3:PutObjectRetention" ], "Resource": "arn:aws-iso-b:s3:::netapp-backup*/*", "Effect": "Allow" } ] }
-
HA mediator
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:AssignPrivateIpAddresses", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeVpcs", "ec2:ReplaceRoute", "ec2:UnassignPrivateIpAddresses", "sts:AssumeRole", "ec2:DescribeSubnets" ], "Resource": "*" } ] }
-
-
Create an IAM role and attach the policies that you created to the role.
You now have IAM roles that you can select when you create a new Cloud Volumes ONTAP system.