Creating an IAM Role for S3 Access In the Same AWS Account

AWS Identity & Access Management (IAM) manages credentials for the ATC Manager and its nodes by assigning IAM roles to them when they are launched. Attaching policies to these roles grants the associated instances permissions such as starting, stopping, and terminating instances in EC2, updating records in the Route 53 service, or associating IAM roles with a new instance.

IAM Roles are also used to provide ATC Manager access to your S3 buckets. If you are not using S3 cloud storage with Cluster Manager, you can skip these instructions. For more information about accessing S3 cloud storage with the Cluster Manager, see Access Key Overview.

These instructions describe how to create the atc-s3-access-keys role, which uses the atc-s3-policy to grant ATC Manager access to the S3 bucket specified in the policy. You must have already created the atc-s3-policy to create the atc-s3-access-keys role. For more information about creating the policy, see Creating the Custom S3 Access IAM Policy.

If you want to provide access to S3 buckets located in a different AWS account, see Creating an IAM Role for S3 Access to a Separate AWS Account. Otherwise, follow the instructions below to create the atc-s3-access-keys role and attach the atc-s3-policy to the role.

The following instructions describe how to create the S3 Access Key Management IAM role.

  1. From the AWS Console, go to Security & Identity > Identity & Access Management and select Roles from the Details sidebar.
  2. Click Create New Role.
  3. Name the new role atc-s3-access-keys.
  4. Click Select for the Amazon EC2 role type.
  5. Attach a policy to this IAM role to provide access to your S3 bucket. You can either grant your IAM role access to all of your S3 buckets or grant access to selected S3 buckets configured by custom policies:
    • To grant your IAM role access to all of your S3 buckets, select the default AmazonS3FullAccess policy.
    • To grant your IAM role access to specific S3 buckets, select your custom policies such as the atc-s3-policy.
    Click Next Step and then Create Role.
    The AWS Console redirects you to the Roles page. The new atc-s3-access-keys role appears in the list of roles.

In addition to creating the atc-s3-access-keys role, you must also configure its trust relationship so that the atc-node role can assume the atc-s3-access-keys role and thereby use the permissions of the atc-s3-policy attached to it. Follow the instructions below to configure the trust relationship of the atc-s3-access-keys role.

  1. Click the atc-s3-access-keys role and click the Trust Relationships tab. Click Edit Trust Relationship.
  2. Enter the following policy into the Policy Document field to allow the atc-node role to assume the permissions associated with this role. Replace aws_account_id with your own AWS account ID.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::aws_account_id:role/atc-node"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
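The following script is an added example and is not part of these instructions or of the ATC Manager product. It fills the aws_account_id placeholder in the trust policy above, checks that the resulting document trusts only the atc-node role in your own account for sts:AssumeRole (flagging a wildcard principal, an account-root principal, a foreign account, or a broader action), and lists the AWS CLI commands that correspond to the console steps above. The account ID 123456789012 is a constructed placeholder; the CLI commands are returned as strings and are not executed.

```python
"""Build and sanity-check the trust policy for the atc-s3-access-keys role.

Added example, not from the original instructions. The account ID used in
the __main__ block is a constructed placeholder.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")


def build_trust_policy(account_id: str, trusted_role: str = "atc-node") -> dict:
    """Return the trust policy from the instructions with aws_account_id filled in."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{trusted_role}"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def check_trust_policy(policy: dict, expected_account: str,
                       expected_role: str = "atc-node") -> list:
    """Return findings for anything looser than 'only atc-node in our account
    may call sts:AssumeRole'. An empty list means the policy is as tight as the
    instructions intend."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("principal is '*': any AWS principal could assume the role")
            continue
        aws_principals = principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append("principal is '*': any AWS principal could assume the role")
                continue
            m = ROLE_ARN_RE.match(p)
            if not m:
                # e.g. arn:aws:iam::<acct>:root, which trusts the whole account
                findings.append(f"principal {p!r} is not a single IAM role")
                continue
            acct, role = m.groups()
            if acct != expected_account:
                findings.append(f"principal {p!r} belongs to another account")
            if role != expected_role:
                findings.append(f"principal {p!r} is not the {expected_role} role")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for a in actions:
            if a != "sts:AssumeRole":
                findings.append(f"action {a!r} is broader than sts:AssumeRole")
    return findings


def cli_commands(account_id: str, trust_file: str = "trust.json") -> list:
    """AWS CLI equivalents of the console steps: create the role with the
    trust policy, then attach the custom atc-s3-policy (assumed to exist)."""
    return [
        f"aws iam create-role --role-name atc-s3-access-keys "
        f"--assume-role-policy-document file://{trust_file}",
        f"aws iam attach-role-policy --role-name atc-s3-access-keys "
        f"--policy-arn arn:aws:iam::{account_id}:policy/atc-s3-policy",
    ]


if __name__ == "__main__":
    account = "123456789012"  # constructed placeholder, not a real account
    policy = build_trust_policy(account)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, account))
    print("\n".join(cli_commands(account)))
```

Write the printed policy to trust.json and run the two commands with credentials that may manage IAM; to change the trust relationship of an existing role, use aws iam update-assume-role-policy with the same document instead of create-role.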