AWS Configuration
The following page outlines how to enable AWS features through the AWS management console on Anyware Manager. The first step is to create a policy that can be attached to a service account. This service account allows Anyware Manager to manage resources within the provided AWS account.
Roles and Permissions for AWS
Prior to creating and assigning a permissions policy, you need to ensure that it contains the following permissions:
- Service: EC2
- Actions:
  - List: DescribeInstances
  - Write: RebootInstances, StartInstances, StopInstances, TerminateInstances
There are additional permissions needed to verify that the policy has all the required permissions before being added to a deployment:
- Service: IAM
- Actions:
  - List: ListAttachedUserPolicies, ListUserPolicies
  - Read: GetUser, GetUserPolicy, GetPolicy, GetPolicyVersion, SimulatePrincipalPolicy
If the user tries to add an AWS policy that doesn't have these permissions, Anyware Manager adds the policy but does not validate that it has the required permissions.
Please note that the permissions required for AWS configuration with Anyware Manager as a Service are different from the permissions required for Anyware Manager. See AWS Permissions Policies for Anyware Manager as a Service for information on these permissions. Currently, the permissions required for Azure and GCP configuration are the same between Anyware Manager and Anyware Manager as a Service.
Create an Anyware Manager Policy in AWS
The following steps outline how to create the required AWS policy that you can attach to an AWS user to manage AWS resources:
- Go to the IAM Management page in the AWS management console.
- From the sidebar, click Policies.
- Click Create policy.
- For Service click EC2 from the list of services.
- Under Access level expand the List section and select DescribeInstances.
- Under Access level expand the Write section and select the following permissions:
  - RebootInstances
  - StartInstances
  - StopInstances
  - TerminateInstances
- For Service click IAM from the list of services.
- Under Access level expand the Read section and select the following permissions:
  - GetUser
  - SimulatePrincipalPolicy
- For Resources click All resources.
- Leave Request conditions blank and click Review policy.
- Give the newly created policy a name and click Create policy.
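Because Anyware Manager adds a policy without validating it when the IAM verification permissions are absent, it can help to check the policy document locally before attaching it. The following Python sketch is an added example, not part of Anyware Manager or the original page: it compares a policy's Allow statements against the actions listed under Roles and Permissions for AWS. The function names and the sample policy are constructed for illustration, and the check ignores Deny statements, NotAction, conditions and resource scoping.

```python
import fnmatch

# Required actions as listed on this page: EC2 management plus the IAM
# actions used to verify the policy before it is added to a deployment.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:RebootInstances", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:TerminateInstances",
    "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser",
    "iam:GetUserPolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
    "iam:SimulatePrincipalPolicy",
]

def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value] if value else []

def allowed_patterns(policy):
    """Collect lowercased Action patterns from Allow statements only."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    return patterns

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return required actions matched by no Allow pattern (* and ? wildcards)."""
    patterns = allowed_patterns(policy)
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)]

# Constructed sample: a policy equivalent to the selections made in the
# console steps above (EC2 actions, two IAM Read actions, all resources).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "ec2:RebootInstances",
                    "ec2:StartInstances", "ec2:StopInstances",
                    "ec2:TerminateInstances"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:GetUser", "iam:SimulatePrincipalPolicy"]},
    ],
}

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```

To check a real policy, load its JSON document with `json.load` and pass the resulting dictionary to `missing_actions`.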
Create Anyware Manager Service Account for AWS
This service account has the ability to perform required actions in AWS. This lets the service account manage resources that the user has access to.
The following steps outline how to create the CAM service account:
- Go to the IAM Management page in the AWS management console.
- From the sidebar, click Users.
- Click Add user.
- Give the user a name and select Programmatic access as the Access type.
- Click Next: Permissions.
- Click Attach existing policies directly and search for the policy you created above that has EC2 permissions and select it. Optionally, you can add a tag to this role.
- Click Next: Review.
- Click Create user.
- Copy the User name, Access key ID and Secret access key credentials and save them to a secure location.
Add the AWS Service Account to an Anyware Manager Deployment
Next, add the AWS service account that you created in the AWS management console in the previous steps to Anyware Manager. This service account will have the CAM policy created in the previous step.
The following steps outline how to add the information to Anyware Manager:
- Log in to Anyware Manager.
- Select the Anyware Manager deployment you want to add the AWS service account to.
- Click Edit Deployment.
- Click the Cloud service accounts tab and open the AWS container.
- Enter the User name, Access key ID and Secret access key values that you saved previously in the AWS form.
- Click Submit.
Anyware Manager should be able to manage AWS machines that get added to this deployment.