Creating an IAM Role for S3 Access to a Separate AWS Account

AWS Identity & Access Management (IAM) manages credentials for the ATC Manager and its nodes by assigning IAM roles to them when they are launched. Attaching policies to these roles grants the associated instances permissions such as starting, stopping, and terminating instances in EC2, updating records in the Route 53 service, or associating IAM roles with a new instance.

IAM Roles are also used to provide ATC Manager access to your S3 buckets. If you are not using S3 cloud storage with Cluster Manager, you can skip these instructions. For more information about accessing S3 cloud storage with the Cluster Manager, see Access Key Overview.

The atc-s3-access-keys role uses the atc-s3-policy to grant the Cluster Manager access to the S3 bucket specified in the policy. You must have already created the atc-s3-policy before you create the atc-s3-access-keys role. For more information about creating the policy, see Creating the Custom S3 Access IAM Policy.

If your cluster and your S3 buckets are located in separate accounts, the atc-node role in the first account needs permission to assume the atc-s3-access-keys role in the second account.
Note: In the following instructions and examples, the first account with the cluster is referred to as the "cluster manager account" and the second account with the S3 buckets is referred to as the "S3 account".
This topic covers the following steps:
  1. Create the atc-s3-assume-role policy in the cluster manager account.
  2. Attach the atc-s3-assume-role policy to the atc-node role in the cluster manager account.
  3. Enhance the trust relationship policy of the atc-s3-access-keys role in the S3 account with an external ID.

The following steps cover how to create the atc-s3-assume-role policy in the cluster manager account.

  1. Log into the AWS Console on the cluster manager account. Go to Security & Identity > Identity & Access Management and select Policies from the Details sidebar.
  2. Click Create Policy and select the Create Your Own Policy option.
  3. Name the new policy atc-s3-assume-role.
  4. Enter the following policy into the Policy Document field to grant the cluster manager account access to your S3 bucket in the S3 account.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::s3_account_id:role/atc-s3-access-keys"
        }
      ]
    }
  5. Click Validate Policy to check for issues.
  6. Click Create Policy.

The following steps cover how to attach the atc-s3-assume-role policy to the atc-node role in the cluster manager account.

  1. Select Roles from the Details sidebar. Click the atc-node role and click Attach Policy under the Permissions tab.
  2. Select the atc-s3-assume-role policy and click Attach Policy.

The following steps cover how to enhance the trust relationship policy of the atc-s3-access-keys role in the S3 account with an external ID.

  1. Log into the AWS Console on the S3 account. Go to Security & Identity > Identity & Access Management and select Roles from the Details sidebar.
  2. Click the atc-s3-access-keys role and click the Trust Relationships tab. Click Edit Trust Relationship.
  3. Enter the following policy into the Policy Document field to allow the atc-node role in the cluster manager account to assume permissions associated with this role.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::cluster_manager_account_id:role/atc-node"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "external_id"
            }
          }
        }
      ]
    }
    The external_id can be any string; it is the value you enter when creating access keys in the Cluster Manager web interface.
    Tip: While the external ID is optional, Aspera highly recommends it for extra security. For more information, see the "How to Use an External ID When Granting Access to Your AWS Resources to a Third Party" help page at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html on the AWS website.
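As an added example (not part of the Aspera documentation), the following Python check reviews the two policies above before they are applied: it flags an sts:AssumeRole Resource that is not an IAM role ARN, a trust policy that names no external ID, and a trust policy that trusts any principal. The account IDs and role ARNs are constructed placeholders.

```python
import re

# Constructed placeholder account IDs for this example (AWS account IDs are 12 digits).
CLUSTER_MANAGER_ACCOUNT = "111111111111"
S3_ACCOUNT = "222222222222"
ATC_NODE_ARN = f"arn:aws:iam::{CLUSTER_MANAGER_ACCOUNT}:role/atc-node"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_assume_role_policy(policy):
    """Findings for the atc-s3-assume-role permission policy; an empty list means it passes."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            # sts:AssumeRole targets a role, so the Resource must be an IAM role ARN, not an S3 ARN.
            if not ROLE_ARN_RE.match(res):
                findings.append(f"Resource {res!r} is not an IAM role ARN")
    return findings


def check_trust_policy(policy, expected_principal=ATC_NODE_ARN):
    """Findings for the atc-s3-access-keys trust policy; an empty list means it passes."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        allowed = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if "*" in allowed:
            findings.append("Principal '*' lets any AWS account assume the role")
        elif expected_principal not in allowed:
            findings.append(f"Principal {allowed} does not name {expected_principal}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("no sts:ExternalId condition (confused-deputy protection missing)")
    return findings


# Constructed sample policies: a correct permission policy, and a trust policy that omits the external ID.
GOOD_ASSUME = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Resource": f"arn:aws:iam::{S3_ACCOUNT}:role/atc-s3-access-keys"}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": ATC_NODE_ARN},
              "Action": "sts:AssumeRole"}]}
```

Run both checks against the JSON you are about to paste into the console; a non-empty list of findings means the policy should be corrected first.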