
Cloud Service Account Requirements

CAS Manager as a Service's capabilities are enhanced if you provide service account or role credentials for your specific cloud environment. This section describes which capabilities are enabled by providing service account access, and the minimum level of access each account needs so that it can be restricted to what CAS Manager as a Service actually uses.

Roles and Permission Policies - AWS

You can use the AWS Management Console to create a role which CAS Manager as a Service is able to assume. For more information on creating roles in AWS, see Creating a role to delegate permissions to an IAM user. When creating the role you must use the CAS Manager Account ID and External ID generated from the Admin Console; the External ID is what ties the role's trust policy to your deployment, so that no other tenant of the service can ask it to assume your role. For information on how to generate these credentials, see the section below.

AWS Cloud Credentials for CAS Manager as a Service

The following steps outline how to generate the CAS Manager Account ID and External ID from the CAS Manager Admin Console:

  1. In the CAS Manager Admin Console select the deployment you wish to use.
  2. Click Edit Deployment.
  3. Click Cloud Service Accounts.
  4. Select AWS and click Generate. Copy the CAS Manager Account ID and External ID; you will need both when creating the AWS role.

AWS Role Creation and Permission Policy

You must create a role in your AWS account which CAS Manager as a Service is able to assume. Enter the CAS Manager Account ID as the trusted account and the External ID as the external ID when creating the AWS role. For more information on creating roles in AWS, see Creating a role to delegate permissions to an IAM user.

Once you have entered the CAS Manager Account ID and External ID and created the AWS role, you will need to create a permissions policy for CAS Manager as a Service that contains the permissions outlined in the section below.

AWS Permissions Policies

Once you have created the role in the AWS Management Console you can create and attach a permissions policy that contains the following permissions:

  • Service: EC2
  • Actions:
    • List: DescribeInstances
    • Write: RebootInstances StartInstances StopInstances TerminateInstances

There are additional permissions needed so that CAS Manager as a Service can verify that the role has all the required permissions before it is added to a deployment:

  • Service: IAM
  • Actions:
    • Read: SimulatePrincipalPolicy

The following example can be copied and pasted into the JSON field when creating the policy instead of selecting each action manually:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        }
    ]
}

"Resource": "*" lets the role power manage every EC2 instance in the account. ec2:DescribeInstances does not support resource-level permissions and needs "*", but the Reboot, Start, Stop and Terminate actions can be narrowed to the workstations CAS Manager manages, for example with an ec2:ResourceTag condition on a tag those instances carry.

If you add an AWS role that does not have these permissions, CAS Manager as a Service still adds the role but does not validate that it has the required permissions, so a missing permission is not detected at that point.

You can now attach the permissions policy to this role.
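The two policy documents involved in the role set-up above (the trust policy that lets CAS Manager assume the role, and the permissions policy the role carries) can be built and checked offline. The following is an added example, not Teradici code: it builds a trust policy with the External ID condition, and checks a permissions policy document against the action list on this page, honouring IAM's case-insensitive wildcard matching. The account ID and External ID in it are placeholders standing in for the values the Admin Console generates; READ_ONLY_POLICY is a constructed counter-example.

```python
"""Added example (not Teradici code): build the trust policy for the role
that CAS Manager as a Service assumes, and check a permissions policy
document against the actions listed on this page.

The account ID and External ID used below are placeholders standing in for
the values generated in the Admin Console.
"""
import fnmatch
import json

# Actions the page lists as required for power management plus validation.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeInstances",
    "ec2:RebootInstances",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:TerminateInstances",
    "iam:SimulatePrincipalPolicy",
})


def trust_policy(cas_account_id: str, external_id: str) -> dict:
    """Trust policy for the role: only the CAS Manager AWS account may
    assume it, and only when it presents this deployment's External ID.
    Without the sts:ExternalId condition, any other customer of the same
    service could ask it to assume your role (the confused-deputy case)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cas_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    # IAM accepts a single string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> set:
    """Action patterns from every Allow statement, wildcards kept as-is.
    Explicit Deny statements and NotAction are not evaluated here."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.update(_as_list(stmt["Action"]))
    return patterns


def missing_actions(policy: dict, required=REQUIRED_ACTIONS) -> set:
    """Required actions that no Allow pattern covers. IAM action names are
    case-insensitive and patterns may use '*' and '?', so compare lowered
    names with fnmatch."""
    patterns = [p.lower() for p in allowed_actions(policy)]
    return {a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}


def wildcard_resource_statements(policy: dict) -> list:
    """Indexes of Allow statements whose Resource is '*'. DescribeInstances
    needs '*', but the write actions can be narrowed, for example with an
    ec2:ResourceTag condition on a tag the workstations carry."""
    return [i for i, stmt in enumerate(_as_list(policy.get("Statement", [])))
            if stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Resource", []))]


# The permissions policy from this page, embedded so the check runs offline.
PAGE_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:RebootInstances",
                   "ec2:StartInstances", "ec2:StopInstances",
                   "ec2:TerminateInstances", "iam:SimulatePrincipalPolicy"],
        "Resource": "*"
    }]
}""")

# Constructed counter-example: read-only EC2 access and nothing else.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(trust_policy("123456789012", "example-external-id"), indent=2))
    print("missing from page policy:", sorted(missing_actions(PAGE_POLICY)))
    print("missing from read-only policy:", sorted(missing_actions(READ_ONLY_POLICY)))
```

Running the module prints the trust policy and reports that the page's policy covers every required action while the read-only policy lacks the four write actions and iam:SimulatePrincipalPolicy. The checker is a local approximation of what iam:SimulatePrincipalPolicy lets CAS Manager do against the live role; it ignores Deny statements, so a policy that passes here can still be blocked by a service control policy or permissions boundary.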

Service Account Permission Requirements - Azure

You need a service account with permission to manage compute instances in order to power manage a remote workstation in Microsoft Azure with CAS Manager as a Service. The following built-in roles are required:

  • Reader
  • Virtual Machine Contributor

Assign them at the narrowest scope that still covers every workstation CAS Manager must manage, for example the resource group containing the workstations rather than the whole subscription.

For information on how to create a new client secret, see the Microsoft documentation for your app registration.

Azure Client Secret

Once you generate the client secret, copy it straight away: Microsoft shows the value only once and it cannot be retrieved later. If a client secret has expired, delete it, create a new secret and assign the new secret to the deployment.

Service Account Permission Requirements - GCP

You need a service account that has adequate permissions and can manage compute instances to provision a remote workstation in Google Cloud Platform (GCP) with CAS Manager as a Service.

The table below outlines the default roles that are required for the service account on GCP, and which features they are required for.

Default Roles and Feature Requirements - GCP

Default Role                               Workstation Provisioning   Power Management
Deployment Manager Editor                  Required                   -
Compute Admin                              Required                   Required
Cloud KMS Admin                            Required                   -
Cloud KMS CryptoKey Encrypter/Decrypter    Required                   -

For GCP the service account requires access to the following APIs:

  • Service Usage API
  • Cloud Resource Manager API
  • Cloud Deployment Manager V2 API
  • Cloud Key Management Service (KMS)
  • Compute Engine API

Key File Storage

CAS Manager as a Service does not store the key file provided and only extracts the fields that are entered into the dialog.

Creating a Cloud IAM Custom Role

Users can create a single custom IAM role by using the following permissions for CAS Manager as a Service:

  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • cloudkms.cryptoKeys.create
  • cloudkms.cryptoKeys.get
  • cloudkms.keyRings.create
  • cloudkms.keyRings.get
  • compute.acceleratorTypes.list
  • compute.addresses.create
  • compute.addresses.delete
  • compute.diskTypes.list
  • compute.disks.list
  • compute.images.list
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.osLogin
  • compute.instances.reset
  • compute.instances.setMetadata
  • compute.instances.setServiceAccount
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateNetworkInterface
  • compute.instances.use
  • compute.machineTypes.list
  • compute.networks.create
  • compute.networks.list
  • compute.regions.list
  • compute.subnetworks.list
  • compute.zones.get
  • compute.zones.list
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.resources.list
  • resourcemanager.projects.get

Using these permissions you can create a custom IAM role. If you use this single custom role you do not need to grant the default roles discussed above. For information on how to do this, see Creating and managing custom roles.
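The permission list above is long enough that assembling the custom role by hand is error-prone. The following is an added example, not Teradici code: it turns the list into the YAML definition that `gcloud iam roles create --file` accepts, works out which APIs from the list earlier in this section those permissions depend on, and diffs an existing role's permissions against the list. The mapping from permission prefix to API service is the example's own, and the role ID, project ID and title are placeholders.

```python
"""Added example (not Teradici code): turn the permission list above into a
custom-role definition for `gcloud iam roles create --file`, derive the
APIs the project must have enabled, and diff an existing role against the
list. Role ID, project ID and title are placeholders chosen here.
"""

# The permissions listed on this page, in the order given there.
CAS_MANAGER_PERMISSIONS = [
    "cloudkms.cryptoKeyVersions.useToDecrypt", "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.create", "cloudkms.cryptoKeys.get",
    "cloudkms.keyRings.create", "cloudkms.keyRings.get",
    "compute.acceleratorTypes.list", "compute.addresses.create", "compute.addresses.delete",
    "compute.diskTypes.list", "compute.disks.list", "compute.images.list",
    "compute.instances.create", "compute.instances.delete", "compute.instances.get",
    "compute.instances.getGuestAttributes", "compute.instances.osLogin",
    "compute.instances.reset", "compute.instances.setMetadata",
    "compute.instances.setServiceAccount", "compute.instances.setTags",
    "compute.instances.start", "compute.instances.stop", "compute.instances.suspend",
    "compute.instances.update", "compute.instances.updateNetworkInterface",
    "compute.instances.use", "compute.machineTypes.list",
    "compute.networks.create", "compute.networks.list", "compute.regions.list",
    "compute.subnetworks.list", "compute.zones.get", "compute.zones.list",
    "deploymentmanager.deployments.create", "deploymentmanager.deployments.delete",
    "deploymentmanager.deployments.get", "deploymentmanager.resources.list",
    "resourcemanager.projects.get",
]

# Permission prefix -> API service that must be enabled for those calls to
# succeed. This mapping is the example's own; the page lists the APIs but does
# not tie them to prefixes. The Service Usage API matches no prefix, so it is
# always included.
SERVICE_FOR_PREFIX = {
    "cloudkms": "cloudkms.googleapis.com",
    "compute": "compute.googleapis.com",
    "deploymentmanager": "deploymentmanager.googleapis.com",
    "resourcemanager": "cloudresourcemanager.googleapis.com",
}
ALWAYS_REQUIRED_SERVICES = ["serviceusage.googleapis.com"]


def role_definition_yaml(permissions, title, description, stage="GA"):
    """YAML in the shape gcloud expects for --file: title, description,
    stage and includedPermissions. Emitted by hand so no YAML library is
    needed; duplicates are dropped and the list sorted for stable diffs."""
    lines = [f'title: "{title}"', f'description: "{description}"',
             f'stage: "{stage}"', "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(set(permissions))]
    return "\n".join(lines) + "\n"


def required_services(permissions):
    """APIs to enable before the role can be exercised (sorted)."""
    services = set(ALWAYS_REQUIRED_SERVICES)
    for perm in permissions:
        services.add(SERVICE_FOR_PREFIX[perm.split(".", 1)[0]])
    return sorted(services)


def missing_permissions(granted, required=CAS_MANAGER_PERMISSIONS):
    """Permissions from the list that an existing role lacks. Feed it the
    includedPermissions from `gcloud iam roles describe ROLE --project=ID`."""
    return sorted(set(required) - set(granted))


if __name__ == "__main__":
    print(role_definition_yaml(CAS_MANAGER_PERMISSIONS, "CAS Manager",
                               "Provisioning and power management for CAS Manager as a Service"))
    # Save the output as cas-manager-role.yaml, then (PROJECT_ID is a placeholder):
    #   gcloud services enable <the services printed below> --project=PROJECT_ID
    #   gcloud iam roles create casManager --project=PROJECT_ID --file=cas-manager-role.yaml
    print(" ".join(required_services(CAS_MANAGER_PERMISSIONS)))
```

Deployment Manager's v2 API is the one enabled by `deploymentmanager.googleapis.com`, so the five APIs listed earlier in this section are exactly what required_services returns. Re-running missing_permissions against the role's current includedPermissions after a gcloud describe is a quick way to confirm nobody has trimmed the role since it was created.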