Learn about operational modes and AWS credentials
Workload Factory provides three operational modes that enable you to carefully control access between Workload Factory and your cloud estate based on your IT policies. The operational mode that you use is determined by the level of AWS permissions that you provide to Workload Factory.
Operational modes
Operational modes provide a logical organization of the functionality and capabilities delivered by Workload Factory, as correlated to the trust level that you assign. The main objective in operational modes is to clearly communicate which tasks Workload Factory can or cannot perform within your AWS account.
- Basic mode
-
Represents a zero-trust relationship where no AWS permissions are assigned to Workload Factory. It is designed for early exploration of Workload Factory and usage of the various wizards to create the needed Infrastructure as Code (IaC). You can copy the code and use it in AWS by entering your AWS credentials manually.
- Read mode
-
Enhances the experience of basic mode by adding read-only permissions so that the IaC templates are filled with your specific variables (for example, VPC, security groups, etc.). This enables you to execute the IaC directly from your AWS account without providing any modify permissions to Workload Factory.
- Automate mode
-
Represents a full trust relationship so that Workload Factory gets assigned with full permissions. This allows Workload Factory to execute and automate operations in AWS on your behalf along with the assigned credentials that have the needed permissions for execution.
Operational mode features
The features available using each of the modes grows with each mode.
Mode | Automation from Workload Factory | Automation within AWS using IaC | AWS resource discovery and auto-complete | Progress monitoring |
---|---|---|---|---|
Basic |
No |
Minimally complete IaC template |
No |
No |
Read |
No |
Moderately complete IaC template |
Yes |
Yes |
Automate |
Full automation |
Complete IaC template with full automation |
Yes |
Yes |
Operational mode requirements
There is no selector that you need to set in Workload Factory to identify which mode you are planning to use. The mode is determined based on the AWS credentials and permissions that you assign to your Workload Factory account.
Mode | AWS account credentials | Link |
---|---|---|
Basic |
Not required |
Not required |
Read |
Read-only |
Not required |
Automate |
Read-write credentials |
Required |
Operational mode examples
You can set up your credentials to provide one mode for one workload component and another mode for another component. For example, you can configure automate mode for operations where you are deploying and managing FSx for ONTAP file systems, but only configure read mode for creating and deploying database workloads using Workload Factory.
You can provide these capabilities within a single set of credentials in a Workload Factory account, or you can create multiple sets of credentials when each credential provides unique workload deployment capabilities.
Example 1
Account users who use the credentials that have been given the following permissions will have full control (automate mode) for creating FSx for ONTAP file systems, deploying databases, and viewing other types of AWS storage used in the account.
However, they will have no automation controls for creating and deploying VMware workloads (basic mode) from Workload Factory. If they want to create VMware workloads, they'll need to copy the code from the Codebox, log in to their AWS account manually, and manually populate missing entries in the generated code to use this functionality.
Example 2
Here the user has created two sets of credentials to allow different operational capabilities depending on which set of credentials has been selected. Typically, each set of credentials is paired to a different AWS account.
The first set of credentials includes permissions that give users full control for creating FSx for ONTAP file systems (and the ability to view other types of AWS storage used in the account), but only read permissions when working with VMware workloads.
The second set of credentials only provides permissions that give users full control for creating FSx for ONTAP file systems, and viewing other types of AWS storage used in the account.
AWS credentials
We have designed an AWS assume role credentials registration flow that:
-
Supports more aligned AWS account permissions by allowing you to specify the workload capabilities that you want to use and providing IAM policy requirements according to those selections.
-
Allows you to adjust the granted AWS account permissions as you opt-in or opt-out of specific workload capabilities.
-
Simplifies manual IAM policy creation by providing tailored JSON policy files that you can apply in the AWS console.
-
Further simplifies the credentials registration process by offering users with an automated option for required IAM policy and role creation using AWS CloudFormation stacks.
-
Aligns better with FSx for ONTAP users who strongly prefer to have their credentials stored within the boundaries of the AWS cloud ecosystem by allowing storage of the FSx for ONTAP services credentials in an AWS-based secret management backend.
One or more AWS credentials
When you use your first Workload Factory capability (or capabilities), you'll need to create the credentials using the permissions required for those workload capabilities. You'll add the credentials to Workload Factory, but you'll need to access the AWS Management Console to create the IAM role and policy. These credentials will be available within your account when using any capability in Workload Factory.
Your initial set of AWS credentials can include an IAM policy for one capability or for many capabilities. It just depends on your business requirements.
Adding more than one set of AWS credentials to Workload Factory provides additional permissions needed to use additional capabilities, such as FSx for ONTAP file systems, deploy databases on FSx for ONTAP, migrate VMware workloads, and more.