AWS TGW

Objective

This document explains the policies that grant users the permissions required to create or modify resources when deploying Volterra TGW sites on AWS. It also provides instructions for creating a service account using an AWS CloudFormation template.

AWS TGW Policies

The required policies are managed using the AWS IAM service. Log in to the AWS console and navigate to the IAM dashboard. Select Access Management -> Users, then select the user who needs permissions to deploy AWS cloud resources. In the Permissions tab, click Add permissions and add the permissions listed below. You can open an attached group and select the JSON view to check that the correct permissions are applied.

The following is the JSON view of the required policy and permissions to deploy an AWS Transit Gateway (TGW) site:

Note: You can use the AWS TGW Site Template to create service accounts for users.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:AttachLoadBalancerTargetGroups",
                "autoscaling:AttachLoadBalancers",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeLoadBalancerTargetGroups",
                "autoscaling:DescribeLoadBalancers",
                "autoscaling:DetachLoadBalancerTargetGroups",
                "autoscaling:DetachLoadBalancers",
                "autoscaling:DisableMetricsCollection",
                "autoscaling:EnableMetricsCollection",
                "autoscaling:ResumeProcesses",
                "autoscaling:SuspendProcesses",
                "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AutoScalingPermissions"
        },
        {
            "Action": [
                "ec2:AddTags",
                "ec2:AllocateAddress",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AssociateIamInstanceProfile",
                "ec2:AssociateRouteTable",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AssociateTransitGatewayRouteTable",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateCustomerGateway",
                "ec2:CreateInternetGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateTransitGateway",
                "ec2:CreateTransitGatewayRouteTable",
                "ec2:CreateTransitGatewayVpcAttachment",
                "ec2:CreateVpc",
                "ec2:CreateVpnConnection",
                "ec2:DeleteCustomerGateway",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:DeleteTransitGateway",
                "ec2:DeleteTransitGatewayRouteTable",
                "ec2:DeleteTransitGatewayVpcAttachment",
                "ec2:DeleteVpc",
                "ec2:DeleteVpnConnection",
                "ec2:DescribeAddresses",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DisableTransitGatewayRouteTablePropagation",
                "ec2:DisableVgwRoutePropagation",
                "ec2:DisassociateAddress",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:DisassociateTransitGatewayRouteTable",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:EnableTransitGatewayRouteTablePropagation",
                "ec2:EnableVgwRoutePropagation",
                "ec2:GetPasswordData",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyInstanceCreditSpecification",
                "ec2:ModifyInstanceMetadataOptions",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyTransitGatewayVpcAttachment",
                "ec2:ModifyVolume",
                "ec2:ModifyVpcAttribute",
                "ec2:MonitorInstances",
                "ec2:ReleaseAddress",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:ReplaceRoute",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:UnmonitorInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Permissions"
        },
        {
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateTags",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteTags",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:RemoveTags"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ELBPermissions"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PassRole",
                "iam:PutRolePermissionsBoundary",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:TagRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "IAMPermissions"
        }
    ]
}
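Checking the JSON view by eye against a list this long is error-prone, so the following added example (not Volterra's code, and not part of the original page) classifies each required action as covered, missing, or blocked by an explicit Deny, using IAM's case-insensitive wildcard matching. It also reports Allow patterns that use wildcards, since the page's policy names every action explicitly and a wildcard grants more than that. The REQUIRED_ACTIONS list and ATTACHED_POLICY below are constructed sample data; run it with two file arguments to compare the full policy above against a policy exported from the console.

```python
import fnmatch
import json
import sys
from typing import Dict, Iterable, List

# Constructed for the demo: a handful of the actions from the TGW site policy
# above. For a real check, load that JSON and pass its actions (see main).
REQUIRED_ACTIONS = [
    "ec2:CreateTransitGateway",
    "ec2:DeleteTransitGateway",
    "ec2:DescribeTransitGateways",
    "ec2:RunInstances",
    "iam:PassRole",
    "elasticloadbalancing:CreateLoadBalancer",
]

# Constructed sample of what an operator might actually have attached: a
# Describe wildcard, a service-wide ELB wildcard, no iam:PassRole, and an
# explicit Deny that overrides the Allow for ec2:DeleteTransitGateway.
ATTACHED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:CreateTransitGateway",
                "ec2:DeleteTransitGateway", "ec2:RunInstances", "ec2:CreateVpc"]},
    {"Effect": "Allow", "Resource": "*", "Action": "elasticloadbalancing:*"},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:DeleteTransitGateway"}
  ]
}
""")


def _as_list(value) -> List[str]:
    """IAM lets Statement, Action and Resource be a single string/object or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_actions(policy: dict, effect: str) -> List[str]:
    """All Action patterns from statements with the given Effect.
    Statements using NotAction or Condition cannot be reduced to a plain list,
    so they are skipped here and reported by needs_review() instead."""
    patterns: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect and "NotAction" not in stmt and "Condition" not in stmt:
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def needs_review(policy: dict) -> List[str]:
    """Sids (or indexes) of statements this checker does not evaluate."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if "NotAction" in stmt or "Condition" in stmt:
            flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


def check_policy(policy: dict, required: Iterable[str]) -> Dict[str, List[str]]:
    """Classify each required action: 'denied' if an explicit Deny matches
    (Deny always wins in IAM), 'covered' if an Allow matches, else 'missing'."""
    allows = statement_actions(policy, "Allow")
    denies = statement_actions(policy, "Deny")
    result: Dict[str, List[str]] = {"covered": [], "missing": [], "denied": []}
    for action in required:
        if any(_matches(p, action) for p in denies):
            result["denied"].append(action)
        elif any(_matches(p, action) for p in allows):
            result["covered"].append(action)
        else:
            result["missing"].append(action)
    return result


def wildcard_allows(policy: dict) -> List[str]:
    """Allow patterns containing a wildcard; each grants more than an explicit
    action list and deserves a least-privilege review."""
    return sorted({p for p in statement_actions(policy, "Allow") if "*" in p or "?" in p})


if __name__ == "__main__":
    # Usage: python check_policy.py [required-policy.json] [attached-policy.json]
    # With no arguments the constructed sample data above is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            required = statement_actions(json.load(f), "Allow")
        with open(sys.argv[2]) as f:
            attached = json.load(f)
    else:
        required, attached = REQUIRED_ACTIONS, ATTACHED_POLICY
    for label, actions in check_policy(attached, required).items():
        print(f"{label}: {actions}")
    print(f"wildcard allows: {wildcard_allows(attached)}")
    print(f"statements needing manual review: {needs_review(attached)}")
```

With the sample data, ec2:DeleteTransitGateway comes back as denied even though an Allow lists it, iam:PassRole is reported missing, and ec2:DescribeTransitGateways is covered through the ec2:Describe* wildcard. Statements with NotAction or Condition are listed for manual review rather than guessed at.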

Create AWS Service Accounts

You can use the AWS CloudFormation template to create the service account in AWS that provisions a Volterra AWS TGW site.

Perform the following steps:

Note: The AWS Command Line Interface is required. See AWS CLI for more information.

Step 1: Create a stack using the CloudFormation template for the AWS TGW site.

Use the aws cloudformation create-stack command to create the stack. For example:

aws cloudformation create-stack --stack-name <STACK_NAME> \
  --template-body file://./aws-tgw-site-service-account.yaml \
  --parameters file://./parameters.json --capabilities CAPABILITY_NAMED_IAM

The following list describes the fields in the above command:

  • STACK_NAME - The name of the AWS CloudFormation stack, for example volt-tgw-policy.
  • template-body - The AWS CloudFormation template file (aws-tgw-site-service-account.yaml in the example).
  • parameters - The JSON file containing the parameters passed to the AWS CloudFormation template.
  • capabilities - The capabilities required to create the stack. CAPABILITY_NAMED_IAM is needed because the template creates IAM resources with custom names.

Note: Update the password in the parameters.json file before creating the stack.

Step 2: Obtain the details of the created stack.

Use the aws cloudformation describe-stacks command to obtain the details of the stack created in Step 1:

aws cloudformation describe-stacks --stack-name <STACK_NAME>

STACK_NAME is the name provided in Step 1. The command returns JSON describing the user created by the AWS CloudFormation template. Note down the Access Key and the Secret Key from the Outputs section of the returned JSON.

The Access Key and the Secret Key can be used to create the AWS Programmatic Access Credentials on VoltConsole. See AWS Cloud Credentials for more information.
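The two steps above, wrapped in one script, as an added example that is not Volterra's code and not part of the original page. It runs the same create-stack and describe-stacks commands through the aws CLI, waits for the stack to reach CREATE_COMPLETE before reading its outputs, refuses a failed or partial stack, and writes the key pair to an owner-only file rather than echoing the secret key to the terminal. The output key names AccessKey and SecretKey are assumptions (the page does not list the template's Outputs section, so check aws-tgw-site-service-account.yaml and adjust), and SAMPLE_DESCRIBE_OUTPUT is a constructed response with placeholder key values. Running the script requires a configured aws CLI.

```python
import json
import os
import subprocess
import sys
from typing import Dict, Optional

# Assumed output key names. The page does not list the template's Outputs
# section, so check aws-tgw-site-service-account.yaml and adjust these.
ACCESS_KEY_OUTPUT = "AccessKey"
SECRET_KEY_OUTPUT = "SecretKey"

# Constructed describe-stacks response (placeholder, non-functional key values)
# so extract_credentials() can be exercised without an AWS account.
SAMPLE_DESCRIBE_OUTPUT = {
    "Stacks": [{
        "StackName": "volt-tgw-policy",
        "StackStatus": "CREATE_COMPLETE",
        "Outputs": [
            {"OutputKey": "AccessKey", "OutputValue": "AKIA-PLACEHOLDER-NOT-REAL"},
            {"OutputKey": "SecretKey", "OutputValue": "PLACEHOLDER-SECRET-NOT-REAL"},
        ],
    }]
}


def _aws(*args: str) -> str:
    """Run one aws CLI command with JSON output and return its stdout."""
    cmd = ["aws", *args, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def create_stack(stack_name: str, template: str, parameters: str) -> str:
    """Step 1: the create-stack call from the page, then block until the stack
    reaches CREATE_COMPLETE so that its Outputs exist when they are read."""
    out = _aws("cloudformation", "create-stack",
               "--stack-name", stack_name,
               "--template-body", f"file://{template}",
               "--parameters", f"file://{parameters}",
               "--capabilities", "CAPABILITY_NAMED_IAM")
    stack_id = json.loads(out)["StackId"]
    subprocess.run(["aws", "cloudformation", "wait", "stack-create-complete",
                    "--stack-name", stack_name], check=True)
    return stack_id


def describe_stack(stack_name: str) -> dict:
    """Step 2: describe-stacks, parsed into a dict."""
    return json.loads(_aws("cloudformation", "describe-stacks", "--stack-name", stack_name))


def extract_credentials(describe_output: dict, stack_name: Optional[str] = None) -> Dict[str, str]:
    """Read the access key and secret key from the Outputs section.
    Refuses a stack that is not CREATE_COMPLETE or lacks either output, so a
    failed or rolled-back stack is never mistaken for a working service account."""
    stacks = describe_output.get("Stacks", [])
    if stack_name is not None:
        stacks = [s for s in stacks if s.get("StackName") == stack_name]
    if len(stacks) != 1:
        raise ValueError(f"expected exactly one stack, found {len(stacks)}")
    stack = stacks[0]
    if stack.get("StackStatus") != "CREATE_COMPLETE":
        raise ValueError(f"stack status is {stack.get('StackStatus')}, not CREATE_COMPLETE")
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    missing = [k for k in (ACCESS_KEY_OUTPUT, SECRET_KEY_OUTPUT) if k not in outputs]
    if missing:
        raise KeyError(f"stack outputs lack {missing}; check the template's Outputs section")
    return {"access_key": outputs[ACCESS_KEY_OUTPUT], "secret_key": outputs[SECRET_KEY_OUTPUT]}


def write_credentials_file(creds: Dict[str, str], path: str) -> str:
    """Store the pair in a file created with mode 0600 (owner read/write only)
    instead of leaving the secret key on the terminal or in shell history."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"access_key={creds['access_key']}\nsecret_key={creds['secret_key']}\n")
    return path


if __name__ == "__main__":
    # Usage: python create_service_account.py <STACK_NAME> <template.yaml> <parameters.json>
    if len(sys.argv) != 4:
        sys.exit("usage: create_service_account.py <STACK_NAME> <template.yaml> <parameters.json>")
    name, template, params = sys.argv[1:4]
    create_stack(name, template, params)
    creds = extract_credentials(describe_stack(name), name)
    out_path = write_credentials_file(creds, f"./{name}.credentials")
    print(f"access key {creds['access_key']} and its secret key written to {out_path}")
```

The wait call matters: describe-stacks answers immediately after create-stack, before the IAM user and its keys exist, so reading Outputs without it returns nothing. The credentials file is what you then enter into VoltConsole; delete it once the cloud credentials object has been created.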