Choose account authentication method

Choose whether to use an IAM user or federated account to access AWS.

Before you begin

Whichever authentication method you choose, the role that the user uses for LSF configuration must be granted at least the following AWS permissions for minimal cloud bursting to AWS:

  • ec2:DescribeInstances
  • ec2:DescribeImages
  • ec2:DescribeKeyPairs
  • ec2:DescribeSecurityGroups
  • ec2:DescribeAvailabilityZones
  • ec2:RunInstances
  • ec2:TerminateInstances
  • ec2:StopInstances
  • ec2:StartInstances
Note: Some advanced configurations require additional policies. The iam:PassRole permission is needed if the instance profile feature is used.
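
The following Python example is added here and is not part of LSF or its documentation. It audits an IAM policy document against the minimum permission list above, reporting required actions that are missing, actions beyond the list, and wildcard patterns that grant more than the list needs. The function name audit_policy and the sample policy (including the account ID and role name) are constructed for illustration; Deny statements, NotAction, and conditions are not evaluated.

```python
import fnmatch

# Minimum actions this page lists for basic cloud bursting to AWS.
REQUIRED = {
    "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeKeyPairs",
    "ec2:DescribeSecurityGroups", "ec2:DescribeAvailabilityZones",
    "ec2:RunInstances", "ec2:TerminateInstances",
    "ec2:StopInstances", "ec2:StartInstances",
}
OPTIONAL = {"iam:PassRole"}  # needed only with the instance profile feature

# Constructed sample policy; account ID and role name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:RunInstances",
                    "ec2:TerminateInstances", "ec2:CreateTags"]},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/EXAMPLE-ROLE"},
    ],
}


def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    return list(value) if isinstance(value, list) else [value] if value else []


def audit_policy(policy):
    """Return (missing, excess, wildcards) for the policy's Allow statements."""
    actions = [a for s in _as_list(policy.get("Statement"))
               if s.get("Effect") == "Allow" for a in _as_list(s.get("Action"))]

    def granted(name):  # IAM action names are case-insensitive; * and ? are wildcards
        return any(fnmatch.fnmatchcase(name.lower(), a.lower()) for a in actions)

    missing = sorted(a for a in REQUIRED if not granted(a))
    wildcards = sorted({a for a in actions if "*" in a or "?" in a})
    known = {a.lower() for a in REQUIRED | OPTIONAL}
    excess = sorted({a for a in actions
                     if a.lower() not in known and a not in wildcards})
    return missing, excess, wildcards


if __name__ == "__main__":
    missing, excess, wildcards = audit_policy(SAMPLE_POLICY)
    print("missing required actions:", missing)
    print("actions beyond the minimum list:", excess)
    print("wildcard patterns to narrow:", wildcards)
```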

About this task

Select one of the following account authentication methods to access AWS.

Procedure

  • Create an IAM access key and credential files.

    To create an access key and credential files, log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. IAM allows secure access to AWS resources for users and also allows shared access to an AWS account. If you create an access key for each user using the web GUI, you must download the credentials. A credentials.csv file is generated.

    Tip: The access key ID and secret access key in the credentials.csv file are needed in the aws_enable.sh script or can be added directly to the LSF credentials file.
  • Use federated accounts for AWS.

    A wrapper script is required for this authentication method.

    Federated users are external identities that are granted temporary credentials with secure access to resources in AWS without requiring the creation of IAM users. Users are authenticated outside of AWS (for example, through Windows Active Directory). The LSF resource connector integrates with federated accounts through a user-defined script whose output must follow a specific format.

    The roles for the user must have the required policies and permissions attached in AWS.

    For more information, refer to the following Amazon documentation:

    Note: The aws_enable.sh script must be executed on the local LSF management host. The local management host is the machine that initiates the AWS EC2 instances.
  • Use the management host instance profile credentials.

    When the LSF management host and the resource connector are deployed in an AWS EC2 instance with an appropriate instance profile, the resource connector uses the instance profile's credentials to access the AWS API.

    This authentication method requires that the awsprov_config.json configuration file does not contain the AWS_CREDENTIAL_FILE and AWS_CREDENTIAL_SCRIPT parameters.

    For more information about using the management host instance profile credentials, see the Amazon documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html.