
Permissions for BlueXP workload factory

Contributors netapp-rlithman netapp-mwallis

To use BlueXP workload factory features and services, you'll need to provide permissions so that workload factory can perform operations in your cloud environment.

Why use permissions

When you provide read or automate mode permissions, workload factory attaches a policy to the instance with permissions to manage resources and processes within that AWS account. This allows workload factory to execute operations ranging from discovery of your storage environments to deployment of AWS resources, such as file systems in storage management or knowledge bases for GenAI workloads.

For database workloads, for example, once workload factory is granted the required permissions it scans all EC2 instances in a given account and region and filters them to Windows-based machines. If the AWS Systems Manager (SSM) Agent is installed and running on the host and Systems Manager networking is configured properly, workload factory can access the Windows machine and verify whether SQL Server software is installed.

Permissions by workload

Each workload uses permissions to perform certain tasks in workload factory. Scroll to the workload you use to view the list of permissions, their purpose, where they are used, and which modes support them.

Permissions for Storage

The IAM policies available for Storage provide the permissions that workload factory needs to manage resources and processes within your public cloud environment based on the operational mode you operate in.

Select your operational mode to view the required IAM policies:

IAM policies for Storage
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "fsx:Describe*",
        "fsx:ListTagsForResource",
        "ec2:Describe*",
        "kms:Describe*",
        "elasticfilesystem:Describe*",
        "kms:List*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}

The following table displays the permissions for Storage.

Table of permissions for Storage
Purpose Action Where used Mode

Create an FSx for ONTAP file system

fsx:CreateFileSystem*

Deployment

Automate

Create a security group for an FSx for ONTAP file system

ec2:CreateSecurityGroup

Deployment

Automate

Add tags to a security group for an FSx for ONTAP file system

ec2:CreateTags

Deployment

Automate

Authorize security group egress and ingress for an FSx for ONTAP file system

ec2:AuthorizeSecurityGroupEgress

Deployment

Automate

ec2:AuthorizeSecurityGroupIngress

Deployment

Automate

Create the service-linked role that lets FSx for ONTAP communicate with other AWS services

iam:CreateServiceLinkedRole

Deployment

Automate

Get details to fill in the FSx for ONTAP file system deployment form

ec2:DescribeVpcs

  • Deployment

  • Explore savings

  • Read

  • Automate

ec2:DescribeSubnets

  • Deployment

  • Explore savings

  • Read

  • Automate

ec2:DescribeRegions

  • Deployment

  • Explore savings

  • Read

  • Automate

ec2:DescribeSecurityGroups

  • Deployment

  • Explore savings

  • Read

  • Automate

ec2:DescribeRouteTables

  • Deployment

  • Explore savings

  • Read

  • Automate

ec2:DescribeNetworkInterfaces

  • Deployment

  • Explore savings

  • Read

  • Automate

ec2:DescribeVolumeStatus

  • Deployment

  • Explore savings

  • Read

  • Automate

Get KMS key details and use for FSx for ONTAP encryption

kms:CreateGrant

Deployment

Automate

kms:Describe*

Deployment

  • Read

  • Automate

kms:List*

Deployment

  • Read

  • Automate

Get volume details for EC2 instances

ec2:DescribeVolumes

  • Inventory

  • Explore savings

  • Read

  • Automate

Get details for EC2 instances

ec2:DescribeInstances

Explore savings

  • Read

  • Automate

Describe Elastic File System in the savings calculator

elasticfilesystem:Describe*

Explore savings

Read

List tags for FSx for ONTAP resources

fsx:ListTagsForResource

Inventory

  • Read

  • Automate

Manage security group egress and ingress for an FSx for ONTAP file system

ec2:RevokeSecurityGroupIngress

Management operations

Automate

ec2:DeleteSecurityGroup

Management operations

Automate

Create, view, and manage FSx for ONTAP file system resources

fsx:CreateVolume*

Management operations

Automate

fsx:TagResource*

Management operations

Automate

fsx:CreateStorageVirtualMachine*

Management operations

Automate

fsx:DeleteFileSystem*

Management operations

Automate

fsx:DeleteStorageVirtualMachine*

Management operations

Automate

fsx:DescribeFileSystems*

Inventory

  • Read

  • Automate

fsx:DescribeStorageVirtualMachines*

Inventory

  • Read

  • Automate

fsx:UpdateFileSystem*

Management operations

Automate

fsx:UpdateStorageVirtualMachine*

Management operations

Automate

fsx:DescribeVolumes*

Inventory

  • Read

  • Automate

fsx:UpdateVolume*

Management operations

Automate

fsx:DeleteVolume*

Management operations

Automate

fsx:UntagResource*

Management operations

Automate

fsx:DescribeBackups*

Management operations

  • Read

  • Automate

fsx:CreateBackup*

Management operations

Automate

fsx:CreateVolumeFromBackup*

Management operations

Automate

Report CloudWatch metrics

cloudwatch:PutMetricData

Management operations

Automate

Get file system and volume metrics

cloudwatch:GetMetricData

Management operations

  • Read

  • Automate

cloudwatch:GetMetricStatistics

Management operations

  • Read

  • Automate

Permissions for Databases workloads

The IAM policies available for Databases workloads provide the permissions that workload factory needs to manage resources and processes within your public cloud environment based on the operational mode you operate in.

Select your operational mode to view the required IAM policies:

IAM policies for Databases workloads
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CommonGroup",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "sns:ListTopics",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeImages",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DescribeAddresses",
        "kms:ListAliases",
        "kms:ListKeys",
        "kms:DescribeKey",
        "cloudformation:ListStacks",
        "cloudformation:DescribeAccountLimits",
        "ds:DescribeDirectories",
        "fsx:DescribeVolumes",
        "fsx:DescribeBackups",
        "fsx:DescribeStorageVirtualMachines",
        "fsx:DescribeFileSystems",
        "servicequotas:ListServiceQuotas",
        "ssm:GetParametersByPath",
        "ssm:GetCommandInvocation",
        "ssm:SendCommand",
        "ssm:GetConnectionStatus",
        "ssm:DescribePatchBaselines",
        "ssm:DescribeInstancePatchStates",
        "ssm:ListCommands",
        "ssm:DescribeInstanceInformation",
        "fsx:ListTagsForResource"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "SSMParameterStore",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter",
        "ssm:DeleteParameters"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/netapp/wlmdb/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}

The following table displays the permissions for database workloads.

Table of permissions for database workloads
Purpose Action Where used Mode

Get metric statistics for FSx for ONTAP, EBS, and FSx for Windows File Server

cloudwatch:GetMetricStatistics

  • Inventory

  • Explore savings

  • Read

  • Automate

List and set triggers for events

sns:ListTopics

Deployment

  • Read

  • Automate

Get details for EC2 instances

ec2:DescribeInstances

  • Inventory

  • Explore savings

  • Read

  • Automate

ec2:DescribeKeyPairs

Deployment

  • Read

  • Automate

ec2:DescribeNetworkInterfaces

Deployment

  • Read

  • Automate

ec2:DescribeInstanceTypes

  • Deployment

  • Explore savings

  • Read

  • Automate

Get details to fill in the FSx for ONTAP deployment form

ec2:DescribeVpcs

  • Deployment

  • Inventory

  • Read

  • Automate

ec2:DescribeSubnets

  • Deployment

  • Inventory

  • Read

  • Automate

ec2:DescribeSecurityGroups

Deployment

  • Read

  • Automate

ec2:DescribeImages

Deployment

  • Read

  • Automate

ec2:DescribeRegions

Deployment

  • Read

  • Automate

ec2:DescribeRouteTables

  • Deployment

  • Inventory

  • Read

  • Automate

Get any existing VPC endpoints to determine if new endpoints need to be created before deployments

ec2:DescribeVpcEndpoints

  • Deployment

  • Inventory

  • Read

  • Automate

Create VPC endpoints for the required services if they don't already exist, regardless of whether the EC2 instances have public network connectivity

ec2:CreateVpcEndpoint

Deployment

Automate

Get instance types available in region for validation nodes (t2.micro/t3.micro)

ec2:DescribeInstanceTypeOfferings

Deployment

  • Read

  • Automate

Get snapshot details of each attached EBS volume for the pricing and savings estimate

ec2:DescribeSnapshots

Explore savings

  • Read

  • Automate

Get details of each attached EBS volume for the pricing and savings estimate

ec2:DescribeVolumes

  • Inventory

  • Explore savings

  • Read

  • Automate

Get KMS key details for FSx for ONTAP file system encryption

kms:ListAliases

Deployment

  • Read

  • Automate

kms:ListKeys

Deployment

  • Read

  • Automate

kms:DescribeKey

Deployment

  • Read

  • Automate

Get list of CloudFormation stacks running in the environment to check quota limit

cloudformation:ListStacks

Deployment

  • Read

  • Automate

Check account limits for resources before triggering deployment

cloudformation:DescribeAccountLimits

Deployment

  • Read

  • Automate

Get list of AWS-managed Active Directories in the region

ds:DescribeDirectories

Deployment

  • Read

  • Automate

Get lists and details of volumes, backups, SVMs, file systems in AZs, and tags for FSx for ONTAP file systems

fsx:DescribeVolumes

  • Inventory

  • Explore Savings

  • Read

  • Automate

fsx:DescribeBackups

  • Inventory

  • Explore Savings

  • Read

  • Automate

fsx:DescribeStorageVirtualMachines

  • Deployment

  • Manage operations

  • Inventory

  • Read

  • Automate

fsx:DescribeFileSystems

  • Deployment

  • Manage operations

  • Inventory

  • Explore savings

  • Read

  • Automate

fsx:ListTagsForResource

Manage operations

  • Read

  • Automate

Get service quota limits for CloudFormation and VPC

servicequotas:ListServiceQuotas

Deployment

  • Read

  • Automate

Use SSM-based query to get the updated list of FSx for ONTAP supported regions

ssm:GetParametersByPath

Deployment

  • Read

  • Automate

Poll for SSM response after sending command for manage operations post deployment

ssm:GetCommandInvocation

  • Manage operations

  • Inventory

  • Explore savings

  • Optimization

  • Read

  • Automate

Send commands over SSM to EC2 instances

ssm:SendCommand

  • Manage operations

  • Inventory

  • Explore savings

  • Optimization

  • Read

  • Automate

Get the SSM connectivity status on instances post deployment

ssm:GetConnectionStatus

  • Manage operations

  • Inventory

  • Optimization

  • Read

  • Automate

Fetch SSM association status for a group of managed EC2 instances (SQL nodes)

ssm:DescribeInstanceInformation

Inventory

Read

Get the list of available patch baselines for operating system patch assessment

ssm:DescribePatchBaselines

Optimization

  • Read

  • Automate

Get the patching state on Windows EC2 instances for operating system patch assessment

ssm:DescribeInstancePatchStates

Optimization

  • Read

  • Automate

List commands executed by AWS Patch Manager on EC2 instances for operating system patch management

ssm:ListCommands

Optimization

  • Read

  • Automate

Check if account is enrolled in AWS Compute Optimizer

compute-optimizer:GetEnrollmentStatus

  • Explore savings

  • Optimization

Automate

Update an existing recommendation preference in AWS Compute Optimizer to tailor suggestions for SQL Server workloads

compute-optimizer:PutRecommendationPreferences

  • Explore savings

  • Optimization

Automate

Get recommendation preferences that are in effect for a given resource from AWS Compute Optimizer

compute-optimizer:GetEffectiveRecommendationPreferences

  • Explore savings

  • Optimization

Automate

Fetch recommendations that AWS Compute Optimizer generates for Amazon Elastic Compute Cloud (Amazon EC2) instances

compute-optimizer:GetEC2InstanceRecommendations

  • Explore savings

  • Optimization

Automate

Check for instance association to auto-scaling groups

autoscaling:DescribeAutoScalingGroups

  • Explore savings

  • Optimization

Automate

autoscaling:DescribeAutoScalingInstances

  • Explore savings

  • Optimization

Automate

Get, list, create, and delete SSM parameters for AD, FSx for ONTAP, and SQL user credentials used during deployment or managed in your AWS account

ssm:GetParameter 1

  • Deployment

  • Manage operations

  • Read

  • Automate

ssm:GetParameters 1

Manage operations

  • Read

  • Automate

ssm:PutParameter 1

  • Deployment

  • Manage operations

  • Read

  • Automate

ssm:DeleteParameters 1

Manage operations

  • Read

  • Automate

Associate network resources to SQL nodes and validation nodes, and add additional secondary IPs to SQL nodes

ec2:AllocateAddress 1

Deployment

Automate

ec2:AllocateHosts 1

Deployment

Automate

ec2:AssignPrivateIpAddresses 1

Deployment

Automate

ec2:AssociateAddress 1

Deployment

Automate

ec2:AssociateRouteTable 1

Deployment

Automate

ec2:AssociateSubnetCidrBlock 1

Deployment

Automate

ec2:AssociateVpcCidrBlock 1

Deployment

Automate

ec2:AttachInternetGateway 1

Deployment

Automate

ec2:AttachNetworkInterface 1

Deployment

Automate

Attach the EBS volumes required by the SQL nodes for deployment

ec2:AttachVolume

Deployment

Automate

Attach security groups and modify rules for the provisioned nodes

ec2:AuthorizeSecurityGroupEgress

Deployment

Automate

ec2:AuthorizeSecurityGroupIngress

Deployment

Automate

Create the EBS volumes required by the SQL nodes for deployment

ec2:CreateVolume

Deployment

Automate

Remove the temporary t2.micro validation nodes, and roll back or retry failed EC2 SQL nodes

ec2:DeleteNetworkInterface

Deployment

Automate

ec2:DeleteSecurityGroup

Deployment

Automate

ec2:DeleteTags

Deployment

Automate

ec2:DeleteVolume

Deployment

Automate

ec2:DetachNetworkInterface

Deployment

Automate

ec2:DetachVolume

Deployment

Automate

ec2:DisassociateAddress

Deployment

Automate

ec2:DisassociateIamInstanceProfile

Deployment

Automate

ec2:DisassociateRouteTable

Deployment

Automate

ec2:DisassociateSubnetCidrBlock

Deployment

Automate

ec2:DisassociateVpcCidrBlock

Deployment

Automate

Modify attributes for created SQL instances. Only applicable to names that start with WLMDB.

ec2:ModifyInstanceAttribute

Deployment

Automate

ec2:ModifyInstancePlacement

Deployment

Automate

ec2:ModifyNetworkInterfaceAttribute

Deployment

Automate

ec2:ModifySubnetAttribute

Deployment

Automate

ec2:ModifyVolume

Deployment

Automate

ec2:ModifyVolumeAttribute

Deployment

Automate

ec2:ModifyVpcAttribute

Deployment

Automate

Disassociate and destroy validation instances

ec2:ReleaseAddress

Deployment

Automate

ec2:ReplaceRoute

Deployment

Automate

ec2:ReplaceRouteTableAssociation

Deployment

Automate

ec2:RevokeSecurityGroupEgress

Deployment

Automate

ec2:RevokeSecurityGroupIngress

Deployment

Automate

Start the deployed instances

ec2:StartInstances

Deployment

Automate

Stop the deployed instances

ec2:StopInstances

Deployment

Automate

Tag custom values for Amazon FSx for NetApp ONTAP resources created by WLMDB to get billing details during resource management

fsx:TagResource 1

  • Deployment

  • Manage operations

Automate

Create and validate CloudFormation template for deployment

cloudformation:CreateStack

Deployment

Automate

cloudformation:DescribeStackEvents

Deployment

Automate

cloudformation:DescribeStacks

Deployment

Automate

cloudformation:ListStacks

Deployment

Automate

cloudformation:ValidateTemplate

Deployment

Automate

Fetch metrics for compute optimization recommendation

cloudwatch:GetMetricStatistics

Explore savings

Automate

Fetch directories available in the region

ds:DescribeDirectories

Deployment

Automate

Add rules for the Security Group attached to provisioned EC2 instances

ec2:AuthorizeSecurityGroupEgress

Deployment

Automate

ec2:AuthorizeSecurityGroupIngress

Deployment

Automate

Create nested stack templates for retry and rollback

ec2:CreateLaunchTemplate

Deployment

Automate

ec2:CreateLaunchTemplateVersion

Deployment

Automate

Manage tags and network security on created instances

ec2:CreateNetworkInterface

Deployment

Automate

ec2:CreateSecurityGroup

Deployment

Automate

ec2:CreateTags

Deployment

Automate

Delete the Security Group created temporarily for validation nodes

ec2:DeleteSecurityGroup

Deployment

Automate

Get instance details for provisioning

ec2:Describe*

  • Deployment

  • Inventory

  • Explore savings

Automate

ec2:Get*

  • Deployment

  • Inventory

  • Explore savings

Automate

Start the created instances

ec2:RunInstances

Deployment

Automate

Systems Manager uses the AWS message delivery service endpoint for API operations

ec2messages:*

  • Deployment

  • Inventory

Automate

Create FSx for ONTAP resources required for provisioning. For existing FSx for ONTAP systems, a new SVM is created to host SQL volumes.

fsx:CreateFileSystem

Deployment

Automate

fsx:CreateStorageVirtualMachine

Deployment

Automate

fsx:CreateVolume

  • Deployment

  • Manage operations

Automate

Get FSx for ONTAP details

fsx:Describe*

  • Deployment

  • Inventory

  • Manage operations

  • Explore savings

Automate

fsx:List*

  • Deployment

  • Inventory

Automate

Resize FSx for ONTAP file system to remediate file system headroom

fsx:UpdateFilesystem

Optimization

Automate

Resize volumes to remediate log and TempDB drive sizes

fsx:UpdateVolume

Optimization

Automate

Get KMS key details and use for FSx for ONTAP encryption

kms:CreateGrant

Deployment

Automate

kms:Describe*

Deployment

Automate

kms:List*

Deployment

Automate

kms:GenerateDataKey

Deployment

Automate

Create CloudWatch logs for validation and provisioning scripts running on EC2 instances

logs:CreateLogGroup

Deployment

Automate

logs:CreateLogStream

Deployment

Automate

logs:DescribeLog*

Deployment

Automate

logs:GetLog*

Deployment

Automate

logs:ListLogDeliveries

Deployment

Automate

logs:PutLogEvents

  • Deployment

  • Manage operations

Automate

logs:TagResource

Deployment

Automate

Create secrets in a user account for the credentials provided for SQL, domain, and FSx for ONTAP

servicequotas:ListServiceQuotas

Deployment

Automate

List customer SNS topics and publish to WLMDB backend SNS as well as customer SNS if selected

sns:ListTopics

Deployment

Automate

sns:Publish

Deployment

Automate

Required SSM permissions to run the discovery script on provisioned SQL instances and to fetch latest list of FSx for ONTAP supported AWS regions.

ssm:Describe*

Deployment

Automate

ssm:Get*

  • Deployment

  • Manage operations

Automate

ssm:List*

Deployment

Automate

ssm:PutComplianceItems

Deployment

Automate

ssm:PutConfigurePackageResult

Deployment

Automate

ssm:PutInventory

Deployment

Automate

ssm:SendCommand

  • Deployment

  • Inventory

  • Manage operations

Automate

ssm:UpdateAssociationStatus

Deployment

Automate

ssm:UpdateInstanceAssociationStatus

Deployment

Automate

ssm:UpdateInstanceInformation

Deployment

Automate

ssmmessages:*

  • Deployment

  • Inventory

  • Manage operations

Automate

Save credentials for FSx for ONTAP, Active Directory, and SQL user (only for SQL user authentication)

ssm:GetParameter 1

  • Deployment

  • Manage operations

  • Inventory

Automate

ssm:GetParameters 1

  • Deployment

  • Inventory

Automate

ssm:PutParameter 1

  • Deployment

  • Manage operations

Automate

ssm:DeleteParameters 1

  • Deployment

  • Manage operations

Automate

Signal CloudFormation stack on success or failure.

cloudformation:SignalResource 1

Deployment

Automate

Add EC2 role created by template to the instance profile of EC2 to allow scripts on EC2 to access the required resources for deployment.

iam:AddRoleToInstanceProfile

Deployment

Automate

Create instance profile for EC2 and attach the created EC2 role.

iam:CreateInstanceProfile

Deployment

Automate

Create EC2 role through template with permissions listed below

iam:CreateRole

Deployment

Automate

Create role linked to EC2 service

iam:CreateServiceLinkedRole 2

Deployment

Automate

Delete instance profile created during deployment specifically for the validation nodes

iam:DeleteInstanceProfile

Deployment

Automate

Get the role and policy details to determine any gaps in permission and validate for deployment

iam:GetPolicy

Deployment

Automate

iam:GetPolicyVersion

Deployment

Automate

iam:GetRole

Deployment

Automate

iam:GetRolePolicy

Deployment

Automate

iam:GetUser

Deployment

Automate

Pass the role created to EC2 instance

iam:PassRole 3

Deployment

Automate

Add policy with required permissions to the EC2 role created

iam:PutRolePolicy

Deployment

Automate

Detach role from the provisioned EC2 instance profile

iam:RemoveRoleFromInstanceProfile

Deployment

Automate

Simulate workload operations to validate available permissions and compare with required AWS account permissions

iam:SimulatePrincipalPolicy

Deployment

  • Read

  • Automate

  1. Permission is restricted to resources starting with WLMDB.

  2. "iam:CreateServiceLinkedRole" limited by "iam:AWSServiceName": "ec2.amazonaws.com"*

  3. "iam:PassRole" limited by "iam:PassedToService": "ec2.amazonaws.com"*

Permissions for GenAI workloads

The IAM policies for GenAI workloads provide the permissions that workload factory needs to manage resources and processes within your public cloud environment based on the operational mode you operate in.

GenAI IAM policies are only available in Operate mode:

IAM policies for GenAI workloads
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudformationGroup",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DescribeStacks"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/wlmai*/*"
    },
    {
      "Sid": "EC2Group",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/aws:cloudformation:stack-name": "wlmai*"
        }
      }
    },
    {
      "Sid": "EC2DescribeGroup",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeTags",
        "ec2:CreateVpcEndpoint",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMGroup",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:CreatePolicy",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:PutRolePolicy",
        "iam:GetRolePolicy",
        "iam:GetRole",
        "iam:TagRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMGroup2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "FSXNGroup",
      "Effect": "Allow",
      "Action": [
        "fsx:DescribeVolumes",
        "fsx:DescribeFileSystems",
        "fsx:DescribeStorageVirtualMachines",
        "fsx:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FSXNGroup2",
      "Effect": "Allow",
      "Action": [
        "fsx:UntagResource",
        "fsx:TagResource"
      ],
      "Resource": [
        "arn:aws:fsx:*:*:volume/*/*",
        "arn:aws:fsx:*:*:storage-virtual-machine/*/*"
      ]
    },
    {
      "Sid": "SSMParameterStore",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:PutParameter"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/netapp/wlmai/*"
    },
    {
      "Sid": "SSM",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/aws/service/*"
    },
    {
      "Sid": "SSMMessages",
      "Effect": "Allow",
      "Action": [
        "ssm:GetCommandInvocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SSMCommandDocument",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-RunShellScript"
      ]
    },
    {
      "Sid": "SSMCommandInstance",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand",
        "ssm:GetConnectionStatus"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:cloudformation:stack-name": "wlmai-*"
        }
      }
    },
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SNS",
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchAiEngine",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy",
        "logs:TagResource",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/netapp/wlmai*"
    },
    {
      "Sid": "CloudWatchAiEngineLogStream",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/netapp/wlmai*:*"
    },
    {
      "Sid": "BedrockGroup",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModelWithResponseStream",
        "bedrock:InvokeModel",
        "bedrock:ListFoundationModels",
        "bedrock:GetFoundationModelAvailability",
        "bedrock:GetModelInvocationLoggingConfiguration",
        "bedrock:PutModelInvocationLoggingConfiguration",
        "bedrock:ListInferenceProfiles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchBedrock",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy",
        "logs:TagResource"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/bedrock*"
    },
    {
      "Sid": "BedrockLoggingAttachRole",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/NetApp_AI_Bedrock*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}

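An added example, not part of this page or of the workload factory product, showing two offline checks a reviewer can run on the policies above before granting them: whether a policy allows every action the Storage table marks as Read mode (the Storage policy and its Read rows are the sample input), and which statements in the GenAI policy grant state-changing actions on `Resource: "*"` with no `Condition`. The sample policies and the required-action list are constructed from this page; the read-only verb heuristic and the decision to ignore `Resource` and `Condition` in the coverage check are assumptions of the example.

```python
import fnmatch
import json

# Constructed sample: the Storage policy shown on this page.
STORAGE_READ_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["fsx:Describe*", "fsx:ListTagsForResource", "ec2:Describe*",
              "kms:Describe*", "elasticfilesystem:Describe*", "kms:List*",
              "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics"],
   "Resource": "*"},
  {"Effect": "Allow", "Action": ["iam:SimulatePrincipalPolicy"], "Resource": "*"}]}
""")

# Constructed sample: concrete actions the Storage table marks as Read mode
# (a wildcard row such as kms:Describe* is represented by one concrete action).
STORAGE_READ_REQUIRED = [
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
    "ec2:DescribeVolumes", "ec2:DescribeInstances", "kms:DescribeKey", "kms:ListKeys",
    "elasticfilesystem:DescribeFileSystems", "fsx:ListTagsForResource",
    "fsx:DescribeFileSystems", "fsx:DescribeVolumes", "fsx:DescribeBackups",
    "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
    "iam:SimulatePrincipalPolicy",
]

# Constructed sample: an excerpt of the GenAI policy on this page with one
# tag-conditioned, one unconditioned, one PassRole and one ARN-scoped statement.
GENAI_POLICY_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2Group", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress"],
     "Condition": {"StringLike": {"ec2:ResourceTag/aws:cloudformation:stack-name": "wlmai*"}}},
    {"Sid": "EC2DescribeGroup", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeRegions", "ec2:CreateVpcEndpoint", "ec2:CreateSecurityGroup",
                "ec2:DescribeVpcs", "ec2:RunInstances"]},
    {"Sid": "IAMGroup2", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    {"Sid": "SSMParameterStore", "Effect": "Allow",
     "Action": ["ssm:GetParameter", "ssm:PutParameter"],
     "Resource": "arn:aws:ssm:*:*:parameter/netapp/wlmai/*"},
]}

def _as_list(value):
    """IAM accepts a string or a list for Action, NotAction and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def action_matches(pattern, action):
    """IAM action names are case-insensitive; patterns may use * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy, action):
    """True if an Allow statement matches and no Deny statement matches.
    Resource and Condition are ignored on purpose: this is an offline action
    coverage check, not a substitute for iam:SimulatePrincipalPolicy."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:  # NotAction matches everything except the listed patterns
            hit = not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            hit = any(action_matches(p, action) for p in _as_list(stmt.get("Action")))
        if hit and stmt.get("Effect") == "Deny":
            denied = True
        elif hit and stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied

def missing_actions(policy, required):
    """Required actions the policy does not allow, in the order given."""
    return [a for a in required if not is_allowed(policy, a)]

READ_ONLY_VERBS = ("describe", "get", "list", "simulate")

def is_read_only(action):
    """Heuristic: Describe/Get/List/Simulate verbs do not change state; a bare
    service wildcard such as ec2:* is treated as state-changing."""
    return action.split(":", 1)[-1].lower().startswith(READ_ONLY_VERBS)

def unscoped_write_grants(policy):
    """Allow statements that grant a state-changing action on Resource "*"
    with no Condition, as [(sid, [actions])], for least-privilege review."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        writes = [a for a in _as_list(stmt.get("Action")) if not is_read_only(a)]
        if writes:
            findings.append((stmt.get("Sid", "<no Sid>"), writes))
    return findings

if __name__ == "__main__":
    print("missing:", missing_actions(STORAGE_READ_POLICY,
                                      STORAGE_READ_REQUIRED + ["fsx:CreateFileSystem"]))
    for sid, acts in unscoped_write_grants(GENAI_POLICY_EXCERPT):
        print("review:", sid, acts)
```

A finding from `unscoped_write_grants` is a statement to compare against the tag- and ARN-scoped ones in the same policy, not automatically a defect; the Databases footnotes show the same scoping pattern for `iam:PassRole` and `iam:CreateServiceLinkedRole`.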
The following table provides details about the permissions for GenAI workloads.

Table of permissions for GenAI workloads
Purpose Action Where used Mode

Create AI engine cloudformation stack during deploy and rebuild operations

cloudformation:CreateStack

Deployment

Automate

Create the AI engine cloudformation stack

cloudformation:DescribeStacks

Deployment

Automate

List regions for the AI engine deployment wizard

ec2:DescribeRegions

Deployment

Automate

Display AI engine tags

ec2:DescribeTags

Deployment

Automate

List VPC endpoints before AI engine stack creation

ec2:CreateVpcEndpoint

Deployment

Automate

Create an AI engine security group during the AI engine stack creation during deploy and rebuild operations

ec2:CreateSecurityGroup

Deployment

Automate

Tag resources created by AI engine stack creation during deploy and rebuild operations

ec2:CreateTags

Deployment

Automate

Publish encrypted events to the WLMAI backend from the AI engine stack

kms:GenerateDataKey

Deployment

Automate

kms:Decrypt

Deployment

Automate

Publish events and custom resources to the WLMAI backend from the AI engine stack

sns:Publish

Deployment

Automate

List VPCs during AI engine deployment wizard

ec2:DescribeVpcs

Deployment

Automate

List subnets in the AI engine deployment wizard

ec2:DescribeSubnets

Deployment

Automate

Get route tables during AI engine deployment and rebuild

ec2:DescribeRouteTables

Deployment

Automate

List key-pairs during AI engine deployment wizard

ec2:DescribeKeyPairs

Deployment

Automate

List security groups during AI engine stack creation (to find security groups on the private endpoints)

ec2:DescribeSecurityGroups

Deployment

Automate

Get VPC endpoints to determine if any should be created during the AI engine deployment

ec2:DescribeVpcEndpoints

Deployment

Automate

List instances to find out the AI engine state

ec2:DescribeInstances

Troubleshooting

Automate

List images during the AI engine stack creation during deploy and rebuild operations

ec2:DescribeImages

Deployment

Automate

Create and update the AI instance and private endpoint security group during the AI instance stack creation in deploy and rebuild operations

ec2:RevokeSecurityGroupEgress

Deployment

Automate

ec2:RevokeSecurityGroupIngress

Deployment

Automate

Run AI engine during cloudformation stack creation during deploy and rebuild operations

ec2:RunInstances

Deployment

Automate

Attach security group and modify rules for the AI engine during stack creation during deploy and rebuild operations

ec2:AuthorizeSecurityGroupEgress

Deployment

Automate

ec2:AuthorizeSecurityGroupIngress

Deployment

Automate

Query Amazon Bedrock / Amazon CloudWatch logging status during AI engine deployment

bedrock:GetModelInvocationLoggingConfiguration

Deployment

Automate

Initiate chat request to one of the foundation models

bedrock:InvokeModelWithResponseStream

Deployment

Automate

Begin chat/embedding request for foundation models

bedrock:InvokeModel

Deployment

Automate

Show the available foundation models in a region

bedrock:ListFoundationModels

Deployment

Automate

Verify access to the foundation model

bedrock:GetFoundationModelAvailability

Deployment

Automate

Verify need to create Amazon CloudWatch log group during deploy and rebuild operations

logs:DescribeLogGroups

Deployment

Automate

Get regions that support FSx and Amazon Bedrock during the AI engine wizard

ssm:GetParametersByPath

Deployment

Automate

Get the latest Amazon Linux image for the AI engine deployment during deploy and rebuild operations

ssm:GetParameters

Deployment

Automate

Get the SSM response from the command sent to the AI engine

ssm:GetCommandInvocation

Deployment

Automate

Check the SSM connection to the AI engine

ssm:SendCommand

Deployment

Automate

ssm:GetConnectionStatus

Deployment

Automate

Create AI engine instance profile during stack creation during deploy and rebuild operations

iam:CreateRole

Deployment

Automate

iam:CreateInstanceProfile

Deployment

Automate

iam:AddRoleToInstanceProfile

Deployment

Automate

iam:PutRolePolicy

Deployment

Automate

iam:GetRolePolicy

Deployment

Automate

iam:GetRole

Deployment

Automate

iam:TagRole

Deployment

Automate

iam:PassRole

Deployment

Automate

Simulate workload operations to validate available permissions and compare with required AWS account permissions

iam:SimulatePrincipalPolicy

Deployment

Automate

List FSx for ONTAP file systems during the "Create knowledgebase" wizard

fsx:DescribeVolumes

Knowledge base creation

Automate

List FSx for ONTAP file system volumes during the "Create knowledgebase" wizard

fsx:DescribeFileSystems

Knowledge base creation

Automate

Manage knowledge bases on the AI engine during rebuild operations

fsx:ListTagsForResource

Troubleshooting

Automate

List FSx for ONTAP file system storage virtual machines during the "Create knowledgebase" wizard

fsx:DescribeStorageVirtualMachines

Deployment

Automate

Move the knowledgebase to a new instance

fsx:UntagResource

Troubleshooting

Automate

Manage knowledgebase on the AI engine during rebuild

fsx:TagResource

Troubleshooting

Automate

Save SSM secrets (ECR token, CIFS credentials, tenancy service accounts keys) in a secure way

ssm:GetParameter

Deployment

Automate

ssm:PutParameter

Deployment

Automate

Send the AI engine logs to Amazon CloudWatch log group during deploy and rebuild operations

logs:CreateLogGroup

Deployment

Automate

logs:PutRetentionPolicy

Deployment

Automate

Send the AI engine logs to Amazon CloudWatch log group

logs:TagResource

Troubleshooting

Automate

Get SSM response from Amazon CloudWatch (when the response is too long)

logs:DescribeLogStreams

Troubleshooting

Automate

Get the SSM response from Amazon CloudWatch

logs:GetLogEvents

Troubleshooting

Automate

Create Amazon CloudWatch log group for Amazon Bedrock logs during the stack reation during deploy and rebuild operations

logs:CreateLogGroup

Deployment

Automate

logs:PutRetentionPolicy

Deployment

Automate

logs:TagResource

Deployment

Automate

Send bedrock logs to Amazon CloudWatch

bedrock:PutModelInvocationLoggingConfiguration

Troubleshooting

Automate

Create the role that enables sending Amazon Bedrock logs to Amazon CloudWatch

iam:AttachRolePolicy

Troubleshooting

Automate

Create the role that enables sending Amazon Bedrock logs to Amazon CloudWatch

iam:PassRole

Troubleshooting

Automate

Create the role that enables sending Amazon Bedrock logs to Amazon CloudWatch

iam:createPolicy

Troubleshooting

Automate

List inference profiles for the model

bedrock:ListInferenceProfiles

Troubleshooting

Automate

Permissions for VMware workloads

The IAM policies for VMware workloads provide the permissions that workload factory for VMware needs to manage resources and processes within your public cloud environment based on the operational mode you operate in.

Select your operational mode to view the required IAM policies:

IAM policies for VMware workloads
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ssm:GetParametersByPath",
        "kms:DescribeKey",
        "kms:ListKeys",
        "kms:ListAliases"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}

The following table provides details about the permissions for VMware workloads.

Table of permissions for VMware workloads

| Purpose | Action | Where used | Mode |
|---|---|---|---|
| Attach security groups and modify rules for the provisioned nodes | ec2:AuthorizeSecurityGroupIngress | Deployment | Automate |
| Create EBS volumes | ec2:CreateVolume | Deployment | Automate |
| Tag custom values for FSx for NetApp ONTAP resources created by VMware workloads | fsx:TagResource | Deployment | Automate |
| Create and validate the CloudFormation template | cloudformation:CreateStack | Deployment | Automate |
| Manage tags and network security on created instances | ec2:CreateSecurityGroup | Deployment | Automate |
| Start the created instances | ec2:RunInstances | Deployment | Automate |
| Get EC2 instance details | ec2:DescribeInstances | Deployment | Automate |
| List images during stack creation in deploy and rebuild operations | ec2:DescribeImages | Deployment | Automate |
| Get the VPCs in the selected environment to complete the deployment form | ec2:DescribeVpcs | Deployment, Inventory | Read, Automate |
| Get the subnets in the selected environment to complete the deployment form | ec2:DescribeSubnets | Deployment, Inventory | Read, Automate |
| Get the security groups in the selected environment to complete the deployment form | ec2:DescribeSecurityGroups | Deployment | Read, Automate |
| Get the availability zones in the selected environment | ec2:DescribeAvailabilityZones | Deployment, Inventory | Read, Automate |
| Get the regions with Amazon FSx for NetApp ONTAP support | ec2:DescribeRegions | Deployment | Read, Automate |
| Get KMS key aliases to be used for Amazon FSx for NetApp ONTAP encryption | kms:ListAliases | Deployment | Read, Automate |
| Get KMS keys to be used for Amazon FSx for NetApp ONTAP encryption | kms:ListKeys | Deployment | Read, Automate |
| Get KMS key expiry details for keys used for Amazon FSx for NetApp ONTAP encryption | kms:DescribeKey | Deployment | Read, Automate |
| SSM-based query used to get the updated list of regions that support Amazon FSx for NetApp ONTAP | ssm:GetParametersByPath | Deployment | Read, Automate |
| Create the Amazon FSx for NetApp ONTAP resources required for provisioning | fsx:CreateFileSystem, fsx:CreateStorageVirtualMachine | Deployment | Automate |
| Create the Amazon FSx for NetApp ONTAP resources required for provisioning | fsx:CreateVolume | Deployment, Management operations | Automate |
| Get Amazon FSx for NetApp ONTAP details | fsx:Describe* | Deployment, Inventory, Management operations, Explore savings | Automate |
| Get Amazon FSx for NetApp ONTAP details | fsx:List* | Deployment, Inventory | Automate |
| Get KMS key details and use them for Amazon FSx for NetApp ONTAP encryption | kms:CreateGrant, kms:Describe*, kms:List*, kms:Decrypt, kms:GenerateDataKey | Deployment | Automate |
| List customer SNS topics and publish to the WLMVMC backend SNS topic, as well as the customer SNS topic if selected | sns:Publish | Deployment | Automate |
| Fetch the latest list of AWS regions that support Amazon FSx for NetApp ONTAP | ssm:Get* | Deployment, Management operations | Automate |
| Simulate workload operations to validate available permissions and compare them with the required AWS account permissions | iam:SimulatePrincipalPolicy | Deployment | Automate |
| SSM Parameter Store is used to save the credentials of Amazon FSx for NetApp ONTAP | ssm:GetParameter | Deployment, Management operations, Inventory | Automate |
| SSM Parameter Store is used to save the credentials of Amazon FSx for NetApp ONTAP | ssm:PutParameters | Deployment, Inventory | Automate |
| SSM Parameter Store is used to save the credentials of Amazon FSx for NetApp ONTAP | ssm:PutParameter | Deployment, Management operations | Automate |
| SSM Parameter Store is used to save the credentials of Amazon FSx for NetApp ONTAP | ssm:DeleteParameters | Deployment, Management operations | Automate |

Change log

As permissions are added and removed, we'll note them in the sections below.

2 April 2025

The following permission is now available in read mode for Databases: ssm:DescribeInstanceInformation.

30 March 2025

GenAI workload permissions update

The following permissions are now available in automate mode for GenAI:

  • bedrock:PutModelInvocationLoggingConfiguration

  • iam:AttachRolePolicy

  • iam:PassRole

  • iam:createPolicy

  • bedrock:ListInferenceProfiles

The following permission has been removed from automate mode for GenAI: Bedrock:GetFoundationModel.

iam:SimulatePrincipalPolicy permission update

The iam:SimulatePrincipalPolicy permission is part of all workload permission policies if you enable the automatic permissions check when adding additional AWS account credentials or adding a new workload capability from the workload factory console. The permission simulates workload operations and checks if you have the required AWS account permissions before deploying resources from workload factory. Enabling this check reduces the time and effort that you might need to clean up resources from failed operations and to add in missing permissions.
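The same pre-flight check can be reproduced on your own side before adding credentials. The following is an added example, not workload factory's code: it flattens the read-mode VMware policy from this page into a list of actions, runs them through SimulatePrincipalPolicy for a principal (the boto3 IAM client and the role ARN are assumptions) and reports every action that is not `allowed`.

```python
# Added example: pre-flight check modelled on the automatic permissions
# check described above. Not NetApp code; the IAM client is a boto3 client.
VMWARE_READ_POLICY = {  # constructed from the read-mode VMware policy above
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs", "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets", "ssm:GetParametersByPath",
            "kms:DescribeKey", "kms:ListKeys", "kms:ListAliases"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:SimulatePrincipalPolicy"]},
    ],
}


def required_actions(policy: dict) -> list[str]:
    """Flatten the Allow statements into a de-duplicated action list.
    Wildcards such as fsx:Describe* cannot be simulated as-is and are skipped;
    expand them to concrete API names before simulating."""
    actions: list[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        for a in ([acts] if isinstance(acts, str) else acts):
            if "*" not in a and a not in actions:
                actions.append(a)
    return actions


def simulate(iam_client, principal_arn: str, actions: list[str]) -> list[dict]:
    """Call SimulatePrincipalPolicy for the principal and collect every
    EvaluationResults entry, following IsTruncated/Marker pagination."""
    results: list[dict] = []
    kwargs = {"PolicySourceArn": principal_arn, "ActionNames": actions}
    while True:
        page = iam_client.simulate_principal_policy(**kwargs)
        results.extend(page["EvaluationResults"])
        if not page.get("IsTruncated"):
            return results
        kwargs["Marker"] = page["Marker"]


def missing_actions(results: list[dict]) -> list[str]:
    """Actions the principal cannot perform: any EvalDecision other than
    'allowed' (implicitDeny or explicitDeny) is a gap to close before deploying."""
    return sorted(r["EvalActionName"] for r in results
                  if r.get("EvalDecision") != "allowed")
```

Run it as `missing_actions(simulate(boto3.client("iam"), role_arn, required_actions(policy)))`; an empty list means the principal already holds every explicit action in the policy.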

2 March 2025

The following permission is now available in automate mode for GenAI: bedrock:GetFoundationModel.

3 February 2025

The following permission is now available in read mode for Databases: iam:SimulatePrincipalPolicy.