This summary documents how a Turbonomic instance can access multiple AWS targets using role-based access rather than access keys. This offers a more manageable and scalable option that does not require ongoing maintenance (e.g. handling rotated keys) and follows AWS best practices. Configuring a target account in this manner is supported by Turbonomic.
The document assumes the instance has direct access to the S3 billing bucket, that the bucket's permissions are configured appropriately, and that the bucket is available in the instance's account.
1 - Familiarize yourself with the concepts as explained by AWS.
In summary, we will create IAM policies and roles in at least two accounts: one "trusted" account in which the Turbonomic AWS instance is running, and one or more "trusting" accounts that serve as targets.
The specific manner in which this is accomplished may or may not match how customers work with IAM roles today, but the concepts and steps can easily be adapted to support custom policies and groups as appropriate.
Process in high level:
- Create a Role on the Trusting Account (T2)
- Create an STS Assume Instance Role on Trusted Account (T1) and assign it to Turbonomic server running under the account
- Update the Role on the Trusting Account (T2) with the specific ARN outlined below
- In Turbonomic UI add an AWS Target using the ARN of the role created in step 1
Preparation: Open the AWS console in two separate windows.
You'll need to be signed in to the trusted account hosting the Turbonomic instance and to a target account. In this example, we have two accounts:
- T1 (54545454545) which is the trusted account in which the Turbonomic instance will be running
- T2 (777777777777) the trusting account which will be used as a target in Turbonomic
Step 1: Create a Role on the Trusting Account (T2)
In the trusting account (T2), create a role (from Another AWS Account) that provides sufficient access for the Turbonomic instance to access managed entities. This will include read-only or read-write access for EC2, RDS, and S3.
Name the role, for example, TurboXAcctForDev.
Make a note of the Role ARN; it will be needed when you add this AWS account to Turbonomic (Step 4).
Step 2: Create an STS Assume Instance Role on Trusted Account (T1)
In the trusted account (T1), in IAM, create a policy to allow STS Assume Role Permissions.
- Service: STS
- Actions: Assume Role
- Resources: This permission can be granted to all entities or locked down to the specific role in the trusting account (you will need to specify the ARN of the role created in step 1 in the trusting account (T2), or select ANY, which is less secure)
Save the policy and give it any name you wish.
Or, if scoping the policy to the specific ARN of the TurboXAcctForDev role created in step 1 (your account number will differ):
Next, attach this STS Assume Role policy to an EC2 instance role (create a new one if you don't have one). In the example below, we created a role called 'TurboRole' and assigned the needed policy:
Lastly, open the EC2 console (on the trusted account, T1) and assign the role with the STS Assume Role permissions to the Turbonomic server running under the account:
While in the EC2 console, make a note of the Turbonomic instance ID; you will need it for the next step.
Step 3: Update the Role on the Trusting account with the specific ARN
In the trusting account console (T2), update the previously created role (TurboXAcctForDev) to establish a trust relationship with the Turbo instance and the role it is using.
In IAM, locate the role (i.e. TurboXAcctForDev), click on "Trust Relationship" and then "Edit trust relationship". In the JSON window, replace the existing AWS Principal ARN with the ARN below (the highlighted sections must be replaced with your own values):
In the example image below, we updated the ARN with:
- T1 Account ID = (454545454545)
- Turbo_InstanceRole_name = (TurboFullAccess)
- Turbo_Instance_Id = (i-07b75b4f993e0f08e)
It should look similar to the window below once complete.
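The two policy documents steps 2 and 3 produce, as an added Python example that is not from the article or from Turbonomic. Account IDs, role names and the instance ID are the article's sample values; the assumed-role principal format (account, instance role, instance ID as session name) is assumed from the standard AWS STS ARN convention. The review function flags the ANY (less secure) choice from step 2 and trust principals broader than the single instance role.

```python
import json

# Constructed sample values taken from the article's placeholders.
T1_ACCOUNT = "454545454545"          # trusted account running the Turbonomic instance
T2_ACCOUNT = "777777777777"          # trusting (target) account
T2_ROLE_NAME = "TurboXAcctForDev"    # role created in step 1
T1_INSTANCE_ROLE = "TurboRole"       # EC2 instance role from step 2
INSTANCE_ID = "i-07b75b4f993e0f08e"  # Turbonomic instance ID noted in step 2

def t2_role_arn(account=T2_ACCOUNT, role=T2_ROLE_NAME):
    """ARN of the target role; this is the IAM ROLE ARN entered in step 4."""
    return f"arn:aws:iam::{account}:role/{role}"

def assumed_role_arn(account=T1_ACCOUNT, role=T1_INSTANCE_ROLE, session=INSTANCE_ID):
    """STS assumed-role session ARN (assumed format); EC2 instance profiles use the instance ID as session name."""
    return f"arn:aws:sts::{account}:assumed-role/{role}/{session}"

def sts_assume_policy(resource):
    """Step 2 policy for the T1 instance role. Pass '*' for the ANY option."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": resource}]}

def trust_policy(principal_arn):
    """Step 3 trust relationship for the T2 role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def review(assume_doc, trust_doc, trusted_account=T1_ACCOUNT):
    """Return findings where either document is broader than the scoped setup the article describes."""
    findings = []
    for st in assume_doc["Statement"]:
        if "*" in _as_list(st.get("Resource")):
            findings.append("AssumeRole Resource is '*': the instance may assume any role that trusts it")
    for st in trust_doc["Statement"]:
        for p in _as_list(st["Principal"].get("AWS", [])):
            if p == "*" or p.endswith(":root"):
                findings.append(f"trust principal {p} admits an entire account, not one instance role")
            elif f"::{trusted_account}:" not in p:
                findings.append(f"trust principal {p} is not in trusted account {trusted_account}")
    return findings

if __name__ == "__main__":
    scoped = sts_assume_policy(t2_role_arn())
    trust = trust_policy(assumed_role_arn())
    print(json.dumps(trust, indent=2))             # paste into the T2 role's trust relationship
    print("findings:", review(scoped, trust))      # scoped setup -> []
    print("findings:", review(sts_assume_policy("*"), trust_policy("*")))
```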
Step 4: In Turbonomic UI add an AWS Target using the ARN of the role created in step 1
Open the Turbonomic instance and add a new AWS target entering the following values:
- ADDRESS: Any unique identifier
- ACCESS KEY: Any value; this is not used but is required
- SECRET ACCESS KEY: Any value; this is not used but is required
- IAM ROLE ARN: The full ARN of the role created in step 1 (e.g. arn:aws:iam::7777777777:role/TurboXAcctForDev)