Turbonomic SaaS IAM Role Setup

Document created by Ben Yemini Expert on Feb 27, 2020. Last modified by Ben Yemini Expert on Mar 7, 2020.

With the release of our new SaaS offering based on our 7.21.1 release, we've modified the steps to target AWS accounts using IAM Roles. Below is a summary as well as step-by-step instructions. The Identity Provider and IAM Role need to be created in every AWS account you would like to add as a target to Turbonomic.



1. Create Identity Provider

   Create an OIDC provider in the account using the following details:

   URL:  https://oidc.eks.us-east-1.amazonaws.com/id/0D5AD0CE5E60A15A7B51B2187357542B

   CA Thumbprint:  9e99a48a9960b14926bb7f3b02e22da2b0ab7280

   Audience:  sts.amazonaws.com


2. Create IAM Role

   Create a new role and attach the policies.

   Role Name:  TurbonomicSaaSRole

   Attach the following policies:

   AmazonEC2ReadOnlyAccess (Use EC2FullAccess for action automation)
   AmazonRDSReadOnlyAccess (Use RDSFullAccess for future action automation, currently not supported)
   AmazonS3ReadOnlyAccess (only required in Master (payer) account for accessing the cost and usage report)


3. Attach Trust Relationship to the IAM Role 


   The trust policy document to attach is:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Federated": "arn:aws:iam::<YOUR_ACCOUNT_NUMBER>:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/0D5AD0CE5E60A15A7B51B2187357542B"
         },
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
           "StringEquals": {
             "oidc.eks.us-east-1.amazonaws.com/id/0D5AD0CE5E60A15A7B51B2187357542B:sub": "system:serviceaccount:<TURBONOMIC_INSTANCE_ID>:default"
           }
         }
       }
     ]
   }


  • Replace <YOUR_ACCOUNT_NUMBER> with the AWS account number this trust policy is being created in.
  • Replace <TURBONOMIC_INSTANCE_ID> with the ID of your Turbonomic SaaS instance. This will be provided to you by Turbonomic.


4. Add Target in Turbonomic 

        You will paste the IAM Role ARN in the target configuration setup. 


Step by Step Instructions: 


A. Create Identity Provider

  1. Navigate to IAM in the AWS console for your AWS Organization-level account
  2. Open Identity Providers from left menu
  3. Select Create Provider
  4. Select/enter the following:
    Provider Type: OpenID Connect
    Provider URL: https://oidc.eks.us-east-1.amazonaws.com/id/0D5AD0CE5E60A15A7B51B2187357542B
    Audience: sts.amazonaws.com
  5. Select Next Step
  6. On the Verify Provider Information screen, confirm the CA Thumbprint is 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
  7. Select Create


B. Create IAM Role

  1. Navigate to the Roles option on the left-menu.
  2. Select Create Role
  3. When asked to select the type of trusted entity, select Web Identity
  4. On the Identity provider pulldown, select the oidc.eks.us-east-1.amazonaws.com/id/0D5AD0CE5E60A15A7B51B2187357542B provider that you just created
  5. In the Audience field, select sts.amazonaws.com
  6. Click Next
  7. Add the following policies: 
    AmazonEC2ReadOnlyAccess (Use EC2FullAccess for action automation) 
    AmazonRDSReadOnlyAccess (Use RDSFullAccess for future action automation, currently not supported) 
    AmazonS3ReadOnlyAccess (only required in Master (payer) account for accessing the cost and usage report) 
  8. Click Next
  9. Add Tags if required by your organizational IT policies, otherwise just click Next
  10. On the Review screen, enter the Role Name: TurbonomicSaaSRole
  11. Enter a Role Description. For example: Role to allow the Turbonomic SaaS service access to this account.
  12. Select the Create button
  13. On the list of roles, find the TurbonomicSaaSRole you just created and click the name of the role


C. Attach the Trust Relationship to the Role 


  1. Select the Role you just created TurbonomicSaaSRole
  2. Click on Trust Relationship under Role Summary
  3. Click Trust Relationship
  4. Paste the relationship from the document (above), making the appropriate substitutions for Account Number and Turbonomic Instance ID and Click Update Trust Relationship (note, the Turbonomic Instance ID ensures only that instance can access that role)
  5. Copy the Role ARN (top of the screen), you will need it to add the AWS target in Turbonomic


D. Add Target in Turbonomic 

  1. Log in to the Turbonomic SaaS console
  2. Navigate to Settings > Target Configuration
  3. Click the New Target button
  4. Select Cloud Management
  5. Select AWS
  6. On the Add AWS Target screen enter the following:
    Address: enter any text string you would like to identify the account being targeted
    IAM Role ARN: Paste the Role ARN you copied earlier
  7. Cost and usage report fields: Enter this information, if configured in this account (see this article for more details). This should only be added for your Master (payer) account.
  8. Click the Add button
  9. Confirm the new target is added with a successful result
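The following is an added example, not part of this article or of Turbonomic's own tooling, that covers steps 1 through 3 of both the summary and the step-by-step instructions above. It builds the trust policy from the article's values, audits a trust policy the way a reviewer would (the `sub` condition is what restricts the role to one Turbonomic instance, as noted in step C.4, so its absence or a wildcard is flagged), and emits the equivalent `aws iam` CLI commands for the console steps. The OIDC URL, thumbprint, audience, role name and managed policy names come from the article; the account number and instance ID used in the usage call are constructed placeholders, and the mapping from console steps to CLI commands is this example's own.

```python
"""Build, audit and script the Turbonomic SaaS IAM role trust policy.

Added example; values marked "from the article" are taken from the page,
everything else (sample account number, sample instance ID) is constructed.
"""
import json
import re

# From the article
OIDC_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/0D5AD0CE5E60A15A7B51B2187357542B"
OIDC_HOST = OIDC_URL[len("https://"):]          # host/path form used in ARNs and condition keys
CA_THUMBPRINT = "9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
AUDIENCE = "sts.amazonaws.com"
ROLE_NAME = "TurbonomicSaaSRole"
MANAGED_POLICIES = ["AmazonEC2ReadOnlyAccess", "AmazonRDSReadOnlyAccess", "AmazonS3ReadOnlyAccess"]


def build_trust_policy(account_id: str, instance_id: str) -> dict:
    """Return the article's trust policy with the placeholders substituted.

    Refuses input that still looks like a placeholder so an unsubstituted
    <YOUR_ACCOUNT_NUMBER> or <TURBONOMIC_INSTANCE_ID> never reaches IAM.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be the 12-digit AWS account number")
    if not instance_id or instance_id.startswith("<") or "*" in instance_id:
        raise ValueError("instance_id must be the literal ID provided by Turbonomic")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_HOST}:sub": f"system:serviceaccount:{instance_id}:default"}
            },
        }],
    }


def audit_trust_policy(policy: dict, account_id: str) -> list:
    """Return review findings for every web-identity statement; [] means it matches the article."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_HOST}"
    sub_key = f"{OIDC_HOST}:sub"
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = st.get("Principal", {}).get("Federated")
        if principal != expected_principal:
            findings.append(f"statement {i}: Federated principal is {principal!r}, expected this account's provider")
        cond = st.get("Condition", {})
        sub = cond.get("StringEquals", {}).get(sub_key)
        if sub is None:
            # StringLike with a wildcard, or no condition at all, would let any
            # workload behind the provider assume the role (see step C.4).
            findings.append(f"statement {i}: missing StringEquals on {sub_key}; role is not pinned to one instance")
        elif "*" in sub or not sub.startswith("system:serviceaccount:"):
            findings.append(f"statement {i}: sub condition {sub!r} is not a single service account")
    return findings


def cli_commands(account_id: str, instance_id: str) -> list:
    """Equivalent aws CLI commands for steps 1-3 (provider, role, policy attachments)."""
    trust = json.dumps(build_trust_policy(account_id, instance_id))
    cmds = [
        f"aws iam create-open-id-connect-provider --url {OIDC_URL} "
        f"--client-id-list {AUDIENCE} --thumbprint-list {CA_THUMBPRINT}",
        f"aws iam create-role --role-name {ROLE_NAME} --assume-role-policy-document '{trust}'",
    ]
    cmds += [f"aws iam attach-role-policy --role-name {ROLE_NAME} "
             f"--policy-arn arn:aws:iam::aws:policy/{name}" for name in MANAGED_POLICIES]
    return cmds


if __name__ == "__main__":
    # Constructed sample values; replace with your own account number and the ID Turbonomic gives you.
    sample_account, sample_instance = "123456789012", "turbonomic-instance-example"
    policy = build_trust_policy(sample_account, sample_instance)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, sample_account))
    print("\n".join(cli_commands(sample_account, sample_instance)))
```

Run the audit against the trust policy you actually pasted in step C (for example the output of `aws iam get-role`) before copying the Role ARN in step D; the three read-only managed policies stay as the article lists them, so swapping in `EC2FullAccess` for action automation is a change to `MANAGED_POLICIES` you make deliberately.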