Add AWS credentials to Workload Factory
Add and manage AWS credentials so that Workload Factory has the permissions that it needs to deploy and manage cloud resources in your AWS accounts.
Overview
Workload Factory will operate in basic mode unless you add AWS account credentials. You can add credentials to enable other operation modes, such as Read mode and Automate mode. Learn more about operational modes.
You can add AWS credentials to an existing Workload Factory account from the Credentials page. This provides Workload Factory with the permissions needed to manage resources and processes within your AWS cloud environment.
You can add credentials using two methods:
-
Manually: You create the IAM policy and the IAM role in your AWS account while adding credentials in Workload Factory.
-
Automatically: You capture a minimal amount of information about permissions and then use a CloudFormation stack to create the IAM policies and role for your credentials.
Add credentials to an account manually
You can add AWS credentials to Workload Factory manually to give your Workload Factory account the permissions needed to manage the AWS resources that you'll use to run your unique workloads. Each set of credentials that you add will include one or more IAM policies based on the workload capabilities you want to use, and an IAM role that is assigned to your account.
There are three parts to creating the credentials:
-
Select the services and permissions level that you would like to use and then create IAM policies from the AWS Management Console.
-
Create an IAM role from the AWS Management Console.
-
From Workload Factory, enter a name and add the credentials.
You'll need to have credentials to log in to your AWS account.
-
In the Workload Factory console, select the Account icon, and select Credentials.
-
On the Credentials page, select Add credentials and the Add credentials page is displayed.
-
Select Add manually and then follow the steps below to fill out the three sections under Permissions configuration.
Step 1: Select the workload capabilities and create the IAM policies
In this section you'll choose which types of workload capabilities will be manageable as part of these credentials, and the permissions enabled for each workload. You'll need to copy the policy permissions for each selected workload from the Codebox and add them into the AWS Management Console within your AWS account to create the policies.
-
From the Create policies section, enable each of the workload capabilities that you want to include in these credentials.
You can add additional capabilities later, so just select the workloads that you currently want to deploy and manage.
-
For those workload capabilities that offer a choice of permission levels (operate, view, and so on), select the type of permissions that will be available with these credentials.
-
In the Codebox window, copy the permissions for the first IAM policy.
-
Open another browser window and log in to your AWS account in the AWS Management Console.
-
Open the IAM service, and then select Policies > Create Policy.
-
Select JSON as the file type, paste the permissions you copied in step 3, and select Next.
-
Enter the name for the policy and select Create Policy.
-
If you've selected multiple workload capabilities in step 1, repeat these steps to create a policy for each set of workload permissions.
Step 2: Create the IAM role that uses the policies
In this section you'll set up an IAM role that Workload Factory will assume that includes the permissions and policies that you just created.
-
In the AWS Management Console, select Roles > Create Role.
-
Under Trusted entity type, select AWS account.
-
Select Another AWS account and copy and paste the account ID for FSx for ONTAP workload management from the Workload Factory UI.
-
Select Required external ID and copy and paste the external ID from the Workload Factory UI.
-
-
Select Next.
-
In the Permissions policy section, choose all the policies that you defined previously and select Next.
-
Enter a name for the role and select Create role.
-
Copy the Role ARN.
-
Return to Workload Factory, expand the Create role section, and paste the ARN in the Role ARN field.
Step 3: Enter a name and add the credentials
The final step is to enter a name for the credentials in Workload Factory.
-
From Workload Factory, expand Credentials name.
-
Enter the name that you want to use for these credentials.
-
Select Add to create the credentials.
The credentials are created and you are returned to the Credentials page.
Add credentials to an account using CloudFormation
You can add AWS credentials to Workload Factory using an AWS CloudFormation stack by selecting the Workload Factory capabilities that you want to use, and then launching the AWS CloudFormation stack in your AWS account. CloudFormation will create the IAM policies and IAM role based on the workload capabilities you selected.
-
You'll need to have credentials to log in to your AWS account.
-
You'll need to have the following permissions in your AWS account when adding credentials using a CloudFormation stack:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:ListStacks", "cloudformation:ListStackResources", "cloudformation:GetTemplate", "cloudformation:ValidateTemplate", "lambda:InvokeFunction", "iam:PassRole", "iam:CreateRole", "iam:UpdateAssumeRolePolicy", "iam:AttachRolePolicy", "iam:CreateServiceLinkedRole" ], "Resource": "*" } ] }
-
In the Workload Factory console, select the Account icon, and select Credentials.
-
On the Credentials page, select Add credentials.
-
Select Add via AWS CloudFormation.
-
Under Create policies, enable each of the workload capabilities that you want to include in these credentials and choose a permission level for each workload.
You can add additional capabilities later, so just select the workloads that you currently want to deploy and manage.
-
Under Credentials name, enter the name that you want to use for these credentials.
-
Add the credentials from AWS CloudFormation:
-
Select Add (or select Redirect to CloudFormation) and the Redirect to CloudFormation page is displayed.
-
If you use single sign-on (SSO) with AWS, open a separate browser tab and log in to the AWS Console before you select Continue.
You should log in to the AWS account where the FSx for ONTAP file system resides.
-
Select Continue from the Redirect to CloudFormation page.
-
On the Quick create stack page, under Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources.
-
Select Create stack.
-
Return to Workload Factory and monitor to Credentials page to verify that the new credentials are in progress, or that they have been added.
-