Creating an IAM Role manually
Log in to AWS Management Console.
Go to "Service" -> "IAM" -> "Roles".
Click the "Create Role" button and select "Another AWS Account" on the Create Role screen.
- Enter the AppKeeper account ID “398878680527” in “Account”.
- Check the option "Require External ID" and enter the external ID generated during tenant creation. For more information, refer to the Quick Start Guide "Creating an IAM Role".
- Do not check the option "Require MFA".
- Click the "Next: Permissions" button to move to the next screen.
On the "Attach Permissions Policies" screen, refer to the next section and select a policy.
* If you cannot use the following AWS managed policies because of security requirements or similar constraints, refer to "Using policies managed by User".
Using policies managed by AWS
- AmazonSSMAutomationRole
- AmazonEC2ReadOnlyAccess
Select the 2 policies above.
* If you use the Fault Log function, you need to add a separate policy.
Please see the article below and add the required policies.
IAM policy required for the Fault Log
Using policies managed by User
Click the "Create Policy" button to move to the create policy screen.
On the policy creation screen, set the permissions for the following "Service", "Actions" and "Resources".
Service
- EC2
Actions
- StartInstances
- StopInstances
- DescribeInstances
- DescribeInstanceStatus
- DescribeRegions
Resources
- Check "All Resources".
Service
- Systems Manager
Actions
- SendCommand
- GetAutomationExecution
- StartAutomationExecution
- DescribeInstanceInformation
- GetCommandInvocation
Resources
- Check "All Resources".
Example of IAM Policy (JSON)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:GetAutomationExecution",
                "ssm:GetCommandInvocation",
                "ssm:StartAutomationExecution",
                "ssm:DescribeInstanceInformation",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        }
    ]
}
* If you use the Fault Log function, you need to add a separate policy.
Please see the article below and add the required policies.
IAM policy required for the Fault Log
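A check you can run once the role exists, given here as an added example (not AppKeeper's or AWS's own code): it audits an exported trust policy for the AppKeeper account ID and the external ID condition, and lists any permissions-policy actions beyond the ten in the example policy above. The function names and the EXAMPLE-EXTERNAL-ID value are assumptions made for illustration.

```python
APPKEEPER_ACCOUNT = "398878680527"  # account ID given on this page
PAGE_ACTIONS = {a.lower() for a in (  # the ten actions in the page's example policy
    "ssm:SendCommand", "ssm:GetAutomationExecution", "ssm:GetCommandInvocation",
    "ssm:StartAutomationExecution", "ssm:DescribeInstanceInformation",
    "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:DescribeInstanceStatus")}

def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(doc, external_id):
    """Return findings for a role trust policy; an empty list means it matches."""
    findings = []
    allows = [s for s in as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            names = [p for v in principal.values() for p in as_list(v)]
        else:
            names = as_list(principal)
        for p in names:
            # The console stores the account as its root ARN; accept the bare ID too.
            if p not in (APPKEEPER_ACCOUNT, f"arn:aws:iam::{APPKEEPER_ACCOUNT}:root"):
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings

def extra_actions(doc):
    """Return actions allowed beyond the page's list (wildcards show up here)."""
    granted = set()
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            granted.update(a.lower() for a in as_list(stmt.get("Action")))
    return sorted(granted - PAGE_ACTIONS)

# Constructed sample: trust policy as the console writes it, placeholder external ID.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::398878680527:root"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST, "EXAMPLE-EXTERNAL-ID"))  # []
```

Action names are compared case-insensitively, so extra_actions returns them in lower case.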