Provider Service Account Requirements
Anyware Manager as a Service's capabilities are enhanced if you provide service account or role credentials for your specific cloud environment. This section describes which capabilities are enabled by providing service account access, and the minimum level of access each account needs so that you can restrict it accordingly.
Roles and Permission Policies - AWS
You can use the AWS Management Console to create a role which Anyware Manager as a Service is able to assume. For more information on creating roles in AWS, see Creating a role to delegate permissions to an IAM user. You must use the Account ID and External ID generated from the Admin Console; for information on how to generate these credentials, see the section below.
AWS Provider Credentials for Anyware Manager as a Service
The following steps outline how to generate an Anyware Manager Account ID and External ID from the Anyware Manager Admin Console:
- In the Anyware Manager Admin Console select the deployment you wish to use.
- Click Edit Deployment.
- Click Provider Service Accounts.
- Select AWS and click Generate. Ensure you copy the Anyware Manager Account ID and External ID and keep them available; you need both when creating the AWS role.
AWS Role Creation and Permission Policy
You must create a role in your AWS account which Anyware Manager as a Service is able to assume. You must use the Account ID and External ID when creating the AWS role. For more information on creating roles in AWS, see here.
Once you have entered the Anyware Manager Account ID and External ID and created the AWS role, you will need to create a permissions policy for Anyware Manager as a Service that contains the permissions outlined in the section below.
AWS Permissions Policies
Once you have created the role in the AWS Management Console you can create and assign a permissions policy that contains the following permissions:
- Service: EC2
- Actions:
  - List: DescribeInstances
  - Write: RebootInstances, StartInstances, StopInstances, TerminateInstances
There are additional permissions needed to verify that the role has all the required permissions before being added to a deployment:
- Service: IAM
- Actions:
  - Read: SimulatePrincipalPolicy
The following example can be copied and pasted into the JSON field when creating the policy instead of manually selecting each action:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}
```
If the user tries to add an AWS role that doesn't have these permissions, Anyware Manager as a Service will still add the role but will not validate that it has the required permissions.
You can now attach this permissions policy to the role.
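The following is an added example, not part of the original page or the Anyware Manager product. It checks a candidate permissions policy against the action list above before the role is added to a deployment (so a role that would silently fail validation is caught early), and builds the cross-account trust policy from the Account ID and External ID. The trust policy assumes the standard sts:AssumeRole pattern with an sts:ExternalId condition; the account ID and external ID values are constructed placeholders.

```python
"""Static check of an IAM permissions policy against the actions Anyware
Manager as a Service needs, plus the trust policy for the assumed role."""
import fnmatch
import json

# The six actions listed in the permissions policy on this page.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:RebootInstances", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:TerminateInstances", "iam:SimulatePrincipalPolicy",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and may use '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not grant. An explicit Deny
    overrides Allow, as in IAM evaluation. Only "Action" statements with
    Resource "*" are considered; NotAction and resource scoping are ignored."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        for action in required:
            if "Action" in stmt and _matches(action, stmt["Action"]):
                (allowed if stmt["Effect"] == "Allow" else denied).add(action)
    return [a for a in required if a not in allowed or a in denied]

def trust_policy(anyware_account_id, external_id):
    """Trust policy for the role (assumption: standard cross-account
    sts:AssumeRole restricted by the External ID from the Admin Console)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{anyware_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

if __name__ == "__main__":
    # Constructed sample: the page's policy with TerminateInstances left out.
    partial = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances",
                   "ec2:RebootInstances", "iam:SimulatePrincipalPolicy"], "Resource": "*"}]}
    print("missing:", missing_actions(partial))
    print(json.dumps(trust_policy("111111111111", "EXAMPLE-EXTERNAL-ID"), indent=2))
```

Run this against the policy JSON you intend to attach; an empty list from missing_actions means the role will pass the SimulatePrincipalPolicy check Anyware Manager performs when the role is added.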
Service Account Permission Requirements - Azure
To power manage a remote workstation in Microsoft Azure with Anyware Manager as a Service, you need a service account with sufficient permissions to manage compute instances. The following roles are required:
- Reader
- Virtual Machine Contributor
For information on how to create a new Client Secret from Azure, see here.
Azure Client Secret
Once you generate the client secret, copy it immediately, because Microsoft does not display it again. If a client secret has expired, delete it, create a new secret, and assign the new secret to the deployment.
Service Account Permission Requirements - GCP
To provision a remote workstation in Google Cloud Platform (GCP) with Anyware Manager as a Service, you need a service account with sufficient permissions to manage compute instances.
The table below outlines the default roles that are required for the service account on GCP, and which features they are required for.
Default Roles and Feature Requirements - GCP
| Default Roles | Workstation Provisioning | Power Management |
|---|---|---|
| Deployment Manager Editor | Required | — |
| Compute Admin | Required | Required |
| Cloud KMS Admin | Required | — |
| Cloud KMS CryptoKey Encrypter/Decrypter | Required | — |
For GCP the service account requires access to the following APIs:
- Service Usage API
- Cloud Resource Manager API
- Cloud Deployment Manager V2 API
- Cloud Key Management Service (KMS) API
- Compute Engine API
Key File Storage
Anyware Manager as a Service does not store the key file provided and only extracts the fields that are entered into the dialog.
The following links have more information on GCP service accounts:
- GCP - Getting Started
- GCP - Access Information
- Managing Service Account Keys
- Enabling GCP API for Projects
Creating a Cloud IAM Custom Role
Instead of the default roles, you can create a single custom IAM role for Anyware Manager as a Service that contains the following permissions:
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeys.create
- cloudkms.cryptoKeys.get
- cloudkms.keyRings.create
- cloudkms.keyRings.get
- compute.acceleratorTypes.list
- compute.addresses.create
- compute.addresses.delete
- compute.diskTypes.list
- compute.disks.list
- compute.images.list
- compute.instances.create
- compute.instances.delete
- compute.instances.get
- compute.instances.getGuestAttributes
- compute.instances.osLogin
- compute.instances.reset
- compute.instances.setMetadata
- compute.instances.setServiceAccount
- compute.instances.setTags
- compute.instances.start
- compute.instances.stop
- compute.instances.suspend
- compute.instances.update
- compute.instances.updateNetworkInterface
- compute.instances.use
- compute.machineTypes.list
- compute.networks.create
- compute.networks.list
- compute.regions.list
- compute.subnetworks.list
- compute.zones.get
- compute.zones.list
- deploymentmanager.deployments.create
- deploymentmanager.deployments.delete
- deploymentmanager.deployments.get
- deploymentmanager.resources.list
- resourcemanager.projects.get
Using these permissions you can create a custom IAM role. If you use this single custom role, you do not need to assign the default roles discussed above. For information on how to do this, see Creating and managing custom roles.