Creating the atc-node IAM Role

AWS uses IAM roles and policies to grant permissions to launch EC2 instances and update records in Route 53. The IAM roles for the cluster manager and transfer nodes require you to first configure policies, which are later attached to the role to manage permissions for the role. The following describes how to create an IAM role to grant transfer nodes the permissions to access EC2 and Route 53.

This IAM role requires that the following policies have already been configured:

atc-route53-policy
atc-s3-full-access-policy
atc-ec2-policy
atc-pass-node-role-policy

Go to IAM. Select Roles from the Details sidebar.
Click Create New Role.
Name the role "atc-node".
Click Select for Amazon EC2.
Select the following policies and attach them to the role:
- atc-route53-policy
- atc-s3-full-access
- atc-ec2-policy
- atc-pass-node-role-policy
Click Next Step, then Create Role.

Specify that the atc-node role can launch other instances with the atc-node itself.

Click the newly created role, select the Trust Relationship tab, and click Edit Trust Relationship. Add the following line to the policy:

"AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/atc-node"

Here is an example of the final policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com",
                "AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/atc-node"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}