Creating an IAM Role for S3 Access to a Separate AWS Account
AWS Identity & Access Management (IAM) manages credentials for the ATC Manager and its nodes by assigning IAM roles to them when they are launched. Attaching policies to these roles grants the associated instances permissions such as starting, stopping, and terminating instances in EC2, updating records in the Route 53 service, or associating IAM roles with a new instance.
IAM Roles are also used to provide ATC Manager access to your S3 buckets. If you are not using S3 cloud storage with Cluster Manager, you can skip these instructions. For more information about accessing S3 cloud storage with the Cluster Manager, see Access Key Overview.
The atc-s3-access-keys role uses the atc-s3-policy to grant the Cluster Manager access to the S3 bucket specified in the policy. You must have already created the atc-s3-policy before you create the atc-s3-access-keys role. For more information about creating the policy, see Creating the Custom S3 Access IAM Policy.
- Create the atc-s3-assume-role policy in the cluster manager account.
- Attach the atc-s3-assume-role policy to the atc-node role in the cluster manager account.
- Enhance the trust relationship policy of the atc-s3-access-keys role in the S3 account with an external ID.
The following steps cover how to create the atc-s3-assume-role policy in the cluster manager account.
The following steps cover how to attach the atc-s3-assume-role policy to the atc-node role in the cluster manager account.
The following steps cover how to enhance the trust relationship policy of the atc-s3-access-keys role in the S3 account with an external ID.
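The two policy documents these steps produce, and a check that the trust relationship actually requires the external ID, as an added example that is not part of the original page or the ATC product. The account IDs and the external ID value are constructed placeholders; the role and policy names (atc-node, atc-s3-access-keys) are the ones used above.

```python
import json

# Constructed placeholder values; substitute your own account IDs and a random external ID.
CLUSTER_MANAGER_ACCOUNT = "111111111111"
S3_ACCOUNT = "222222222222"
EXTERNAL_ID = "example-external-id"


def assume_role_policy(s3_account: str) -> dict:
    """atc-s3-assume-role policy: attached to atc-node in the cluster manager account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{s3_account}:role/atc-s3-access-keys",
        }],
    }


def trust_policy(cluster_manager_account: str, external_id: str) -> dict:
    """Trust relationship of atc-s3-access-keys in the S3 account, bound to an external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cluster_manager_account}:role/atc-node"},
            "Action": "sts:AssumeRole",
            # The external ID is what stops a third party with its own cross-account
            # permissions from assuming this role on the Cluster Manager's behalf.
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def missing_external_id(trust: dict, own_account: str) -> list:
    """Return principals outside own_account that may assume the role without an ExternalId condition."""
    findings = []
    for stmt in trust.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        conds = stmt.get("Condition", {})
        has_ext = any("sts:ExternalId" in v for k, v in conds.items() if k.startswith("String"))
        for p in aws:
            if (p == "*" or (p != own_account and f":{own_account}:" not in p)) and not has_ext:
                findings.append(p)
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(CLUSTER_MANAGER_ACCOUNT, EXTERNAL_ID), indent=2))
```

Run `missing_external_id` over the trust policies of any role that is assumable from another account; an empty result means every cross-account principal is bound to an external ID.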