Overview of required AWS IAM identities for Turbonomic
Turbonomic connects to your AWS environment through IAM identities. This topic provides guidance on the IAM identities that you need to set up.
Multi-account and single-account targets
You can configure the AWS target in Turbonomic to access multiple accounts or a single account.
- Multi-account target
  In this scenario, an AWS target monitors and optimizes workloads in multiple accounts. This eliminates the need to manually add several targets in the Turbonomic user interface.
  For example, your AWS environment might have a management account and five member accounts. You can configure an AWS target to access all of these accounts, or only the management account and several member accounts.
  For a multi-account target, you must configure two IAM identities in AWS.
  - An IAM role or IAM user for the management account, depending on your Turbonomic deployment. See the next section in this topic for details.
  - A cross-account IAM role that the AWS target uses to discover existing member accounts. You can enable automatic deployment for the role so that the AWS target automatically discovers new member accounts as they are added to the management account.
- Single-account target
  In this scenario, an AWS target monitors and optimizes workloads in a particular account. This account can be a management account or a member account. For example, if you configure a management account, Turbonomic only monitors and optimizes workloads in the management account, but not in member accounts.
  For a single-account target, you must configure an IAM role or IAM user for the management account, depending on your Turbonomic deployment. See the next section in this topic for details.
It is possible to configure multiple targets. For example, you can configure a multi-account target to access the management account and all but one of the member accounts, and a single-account target to access the member account that the multi-account target does not include. When you configure multiple targets, be sure that no account exists in more than one target. Otherwise, multiple targets will report the same account, and you will need to update or delete targets until only one of them accesses that account.
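Two of the requirements above can be checked mechanically before a target is added: the cross-account role in each member account should trust only the management-account identity that the AWS target uses, and no account should appear in more than one target. The following Python script is an added example and not Turbonomic code; the account IDs, the role name TurbonomicTargetRole, the target definitions and the trust policy documents are all constructed for illustration.

```python
"""Layout checks for a multi-account AWS target (added example, not Turbonomic code).
Account IDs, role names, target definitions and policy documents are constructed."""
import json
from collections import defaultdict

# Constructed: the management-account identity that the AWS target uses.
MANAGEMENT_ACCOUNT = "111111111111"
# Hypothetical role name; the page does not prescribe one.
MANAGEMENT_ROLE_ARN = f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:role/TurbonomicTargetRole"


def trust_policy(principal: str) -> str:
    """Build a constructed trust policy document for a member account's cross-account role."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    })


# Constructed: trust policies of the cross-account role in three member accounts.
MEMBER_TRUST_POLICIES = {
    "222222222222": trust_policy(MANAGEMENT_ROLE_ARN),               # as intended
    "333333333333": trust_policy("*"),                               # any AWS principal
    "444444444444": trust_policy("arn:aws:iam::999999999999:root"),  # wrong account
}

# Constructed target definitions: the accounts each Turbonomic target covers.
TARGETS = {
    "multi-account": {MANAGEMENT_ACCOUNT, "222222222222", "333333333333"},
    "single-account": {"444444444444"},
    "leftover": {"333333333333"},  # duplicate coverage that the text warns against
}


def cross_account_trust_findings(policy_json: str, expected_principal: str) -> list:
    """Report ways the member-account role trusts more than the management identity."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    assume_allowed = False
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        assume_allowed = True
        principal = statement.get("Principal", {})
        # Principal is either the string "*" or {"AWS": "<arn>" | ["<arn>", ...]}.
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for arn in aws_principals:
            if arn == "*":
                findings.append("trusts any AWS principal")
            elif arn != expected_principal:
                findings.append(f"trusts unexpected principal {arn}")
    if not assume_allowed:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings


def overlapping_accounts(targets: dict) -> dict:
    """Map each account that appears in more than one target to the names of those targets."""
    owners = defaultdict(list)
    for target_name, accounts in targets.items():
        for account in accounts:
            owners[account].append(target_name)
    return {acct: sorted(names) for acct, names in owners.items() if len(names) > 1}


def audit() -> dict:
    """Run both checks over the constructed inventory."""
    return {
        "trust": {acct: cross_account_trust_findings(doc, MANAGEMENT_ROLE_ARN)
                  for acct, doc in MEMBER_TRUST_POLICIES.items()},
        "overlap": overlapping_accounts(TARGETS),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

In a real environment the trust policies would come from `iam:GetRole` in each member account and the target definitions from the Turbonomic target list; the checks themselves do not change.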
For best practices on managing IAM identities, see the AWS documentation.
Required IAM identities for a multi-account target
Refer to the following table for guidance on the IAM identities that you need to set up based on your Turbonomic deployment.
Turbonomic deployment | IAM identities to set up |
---|---|
Deployed on premises using an OVA or VHD image | |
Deployed and maintained by your Turbonomic representative (also known as Turbonomic SaaS) | |
Deployed to a properly configured Kubernetes cluster in AWS through Amazon EKS or Red Hat OpenShift Service on AWS (ROSA). Note: For these deployments, cluster configurations must support an OIDC provider, webhooks, and role assumption through an annotated service account. | |
Deployed to Red Hat OpenShift on IBM Cloud | |
Deployed to Kubernetes or Red Hat OpenShift on other cloud providers | |
Required IAM identity for a single-account target
Refer to the following table for guidance on the IAM identity that you need to set up based on your Turbonomic deployment.
Turbonomic deployment | IAM identity to set up |
---|---|
Deployed on premises using an OVA or VHD image | IAM user |
Deployed and maintained by your Turbonomic representative (also known as Turbonomic SaaS) | IAM role or IAM user |
Deployed to a properly configured Kubernetes cluster in AWS through Amazon EKS or Red Hat OpenShift Service on AWS (ROSA). Note: For these deployments, cluster configurations must support an OIDC provider, webhooks, and role assumption through an annotated service account. | IAM role or IAM user |
Deployed to Red Hat OpenShift on IBM Cloud | IAM user |
Deployed to Kubernetes or Red Hat OpenShift on other cloud providers | IAM user |
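The note in both tables about role assumption through an annotated service account refers to an IAM role whose trust policy names the cluster's OIDC provider and is assumed with sts:AssumeRoleWithWebIdentity, with the Kubernetes service account carrying the role ARN in an annotation. The script below is an added example in the EKS IRSA style and not Turbonomic's own configuration; the account ID, OIDC issuer, role ARN, namespace and service-account name are constructed, and the annotation key eks.amazonaws.com/role-arn is the one EKS uses. It shows a trust policy pinned to one service account and the STS audience next to a loose one that any service account in the cluster could satisfy.

```python
"""Checks for a role assumed through an annotated service account (EKS IRSA style).
Added example, not Turbonomic code; all identifiers below are constructed."""

ACCOUNT = "111111111111"
# Constructed OIDC issuer; a real cluster reports its own issuer URL.
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC_ISSUER}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/turbonomic-aws-target"  # hypothetical role name
NAMESPACE, SERVICE_ACCOUNT = "turbonomic", "turbonomic-aws"       # hypothetical names


def irsa_trust_policy(condition: dict) -> dict:
    """Build a constructed trust policy that the annotated service account assumes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Pinned to exactly one service account and to the STS audience.
PINNED_POLICY = irsa_trust_policy({"StringEquals": {
    f"{OIDC_ISSUER}:sub": f"system:serviceaccount:{NAMESPACE}:{SERVICE_ACCOUNT}",
    f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
}})
# Loose: any service account in the cluster matches, and there is no audience check.
LOOSE_POLICY = irsa_trust_policy({"StringLike": {
    f"{OIDC_ISSUER}:sub": "system:serviceaccount:*:*",
}})

# Constructed service-account manifest with the annotation that binds it to the role.
SERVICE_ACCOUNT_MANIFEST = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": SERVICE_ACCOUNT,
        "namespace": NAMESPACE,
        "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN},
    },
}


def irsa_trust_findings(policy: dict, provider_arn: str, issuer: str,
                        namespace: str, sa_name: str) -> list:
    """Report ways the trust policy lets more than the intended service account assume the role."""
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    findings = []
    web_identity_allowed = False
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        web_identity_allowed = True
        principal = statement.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != provider_arn:
            findings.append(f"federated principal {federated!r} is not the cluster OIDC provider")
        condition = statement.get("Condition", {})
        equals = condition.get("StringEquals", {})
        if equals.get(f"{issuer}:sub") != expected_sub:
            findings.append(f"sub is not pinned to {expected_sub}")
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        for key, value in condition.get("StringLike", {}).items():
            if key.endswith(":sub") and "*" in str(value):
                findings.append(f"wildcard sub condition {value!r}")
    if not web_identity_allowed:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


def service_account_findings(manifest: dict, role_arn: str) -> list:
    """Check that the service account is annotated with the intended role ARN."""
    annotations = manifest.get("metadata", {}).get("annotations", {})
    actual = annotations.get("eks.amazonaws.com/role-arn")
    if actual != role_arn:
        return [f"eks.amazonaws.com/role-arn is {actual!r}, expected {role_arn}"]
    return []


if __name__ == "__main__":
    for label, policy in (("pinned", PINNED_POLICY), ("loose", LOOSE_POLICY)):
        print(label, irsa_trust_findings(policy, OIDC_PROVIDER_ARN, OIDC_ISSUER,
                                         NAMESPACE, SERVICE_ACCOUNT))
    print("service account", service_account_findings(SERVICE_ACCOUNT_MANIFEST, ROLE_ARN))
```

The sub and aud conditions are what tie the role to one workload: without them, the OIDC provider trust alone lets any pod in the cluster that can obtain a projected token assume the role.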