Parent topic: Creating IAM Roles
Preparing the System / Creating IAM Roles

Creating the Route 53 IAM Role

AWS Identity & Access Management (IAM) manages credentials for the Cluster Manager and its nodes by assigning IAM roles to them when they are launched. Attaching policies to these roles grant the associated instances permissions such as starting, stopping, and terminating instances in EC2, associating IAM roles with a new instance, or updating records in the Route 53 service.

AWS uses IAM roles and policies to grant permissions to launch EC2 instances and update records in Route 53. The IAM roles for the cluster manager and transfer nodes require you to first configure policies, which are later attached to the role to manage permissions for the role. The following describes how to create an IAM role to grant the Cluster Manager the permissions to access EC2 and Route 53.
Important: If Route 53 is on a separate AWS account from your Cluster Manager, follow the instructions below on the account with Route 53.

This IAM role requires that the following policy has already been configured: atc-route53-policy. For more information about the atc-route53-policy, see Creating the Route 53 IAM Policy.

  1. From the AWS console, go to Security & Identity > Identity & Access Management and select Roles from the Details sidebar.
  2. Click Create New Role.
  3. Name the role atc-route53.
  4. Select Amazon EC2 for the Role Type.
  5. Select the following policy and attach it to the role:
    • atc-route53-policy
  6. Click Next Step, then Create Role.
The AWS Console redirects you to the Roles page. The new atc-route53-policy role appears in the list of roles.

Authorize the atc-manager and atc-node Roles

Authorize the atc-manager and atc-node roles to use the permissions in the atc-route53 role by editing the atc-route53 role's trust relationship.

  1. From the Roles page, select the newly created atc-route53 role and click Edit Trust Relationship.
  2. Edit the policy text. 
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::your_aws_account_id:role/atc-manager",
                "AWS": "arn:aws:iam::your_aws_account_id:role/atc-node"
            },
            "Action": "sts:AssumeRole"
            "Condition": {
                "StringEquals": {
                "sts:ExternalId": "external_id"
                }
            }
        }
    ]
}

    This policy grants the atc-manager and atc-node roles in the account with the provided ID the right to assume the atc-route53 and use its permissions. If the Cluster Manager is on a separate AWS account, enter the ID of that AWS account.

    The condition with the external_id is optional, but recommended. The external_id is an arbitrary string.

    Here is an example of the final policy, where 123456789012 is the ID of the AWS account running the Cluster Manager:
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/atc-manager",
                "AWS": "arn:aws:iam::123456789012:role/atc-node"
            },
            "Action": "sts:AssumeRole"
            "Condition": {
                "StringEquals": {
                "sts:ExternalId": "atc-route53-role"
                }
            }
        }
    ]
}
Parent topic: Creating IAM Roles