Setting up an AWS IAM role for SaaS deployments

The instructions in this topic apply only to SaaS instances deployed to AWS. For assistance on legacy deployments (such as Google Cloud), contact your Turbonomic representative.

If you use a Turbonomic SaaS server to manage your cloud workloads, you can set up an IAM role that Turbonomic uses to connect to one of the following accounts:

  • Management account for a multi-account AWS target

    If you want an AWS target in Turbonomic to manage multiple accounts, follow the instructions in this topic to set up an IAM role for the management account.

    Note:

    If you prefer to set up an IAM user instead of an IAM role, skip this topic and follow the instructions in this topic.

    For the member accounts, you need to set up another IAM role called cross-account IAM role.

  • Management or member account for a single-account AWS target

    If you want an AWS target in Turbonomic to manage only a single account (either a management or member account), follow the instructions in this topic to set up an IAM role for the account.

    Note:

    If you prefer to set up an IAM user instead of an IAM role, skip this topic and follow the instructions in this topic.

Prerequisites

Record the location of your Turbonomic SaaS server and the corresponding SaaS URL. You will need this information when you create an OIDC Identity Provider and modify the trust policy.

SaaS server location SaaS URL naming convention
AWS US xxxxxx.customer.turbonomic.ibmappdomain.cloud
AWS EU (Frankfurt) xxxxxx.euc1.turbonomic.ibmappdomain.cloud
AWS UK (London) xxxxxx.euw2.turbonomic.ibmappdomain.cloud
AWS AP (Sydney) xxxxxx.apse2.turbonomic.ibmappdomain.cloud

Task overview

To set up an IAM role, perform the following tasks in the AWS Management Console:

  1. Create IAM policies that specify the permissions that Turbonomic needs to connect to AWS.

  2. Create an OpenID Connect (OIDC) Identity Provider.

  3. Create an IAM role.

  4. Modify the trust policy.

Creating IAM policies

  1. Sign in to the AWS Management Console and open the IAM console.

    https://console.aws.amazon.com/iam/

  2. In the navigation pane , choose Policies.

  3. Choose Create policy.

  4. In the Policy editor section, choose JSON.

  5. Download the JSON file that contains the Turbonomic minimum permissions and then copy the permissions to the JSON field.

    The JSON file that you need to download depends on the account that the AWS target manages (see the introduction in this topic for more information), and the operations that are allowed on the workloads in the given account. Choose one of the following JSON files to download.

    Account Turbonomic operations Download link
    Management account for a multi-account AWS target Monitor workloads and automatically execute actions for the workloads Minimum permissions
    Management account for a multi-account AWS target Only monitor workloads. Actions for the workloads are executed in AWS. Minimum permissions
    Management or member account for a single-account AWS target Monitor workloads and automatically execute actions for the workloads Minimum permissions
    Management or member account for a single-account AWS target Only monitor workloads. Actions for the workloads are executed in AWS. Minimum permissions

    To retrieve billing data in your data export, use the minimum permissions for billing data monitoring.

  6. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Next.

  7. In the Review and create page, type a Policy Name and a Description (optional) for the policy that you are creating.

  8. Choose Create policy.

Creating an OpenID Connect (OIDC) identity provider

  1. In the navigation pane of the IAM console, choose Identity providers, and then choose Add provider.

  2. For Configure provider, choose OpenID Connect.

  3. For Provider URL, specify the URL based on the location of your Turbonomic SaaS server.

    SaaS server location OIDC provider URL
    AWS US (East) - default location https://oidc.op1.openshiftapps.com/2f785sojlpb85i7402pk3qogugim5nfb
    AWS US (West 2) https://oidc.op1.openshiftapps.com/2c51blsaqa9gkjt0o9rt11mle8mmropu
    AWS EU (Frankfurt) https://rh-oidc.s3.us-east-1.amazonaws.com/23e3sd27sju1hoou6ohfs68vbno607tr
    AWS UK (London) https://rh-oidc.s3.us-east-1.amazonaws.com/23ne21h005qjl3n33d8dui5dlrmv2tmg
    AWS AP (Sydney) https://rh-oidc.s3.us-east-1.amazonaws.com/24jrf12m5dj7ljlfb4ta2frhrcoadm26
  4. Choose Get thumbprint to verify the server certificate of your identity provider (IdP).

  5. For Audience, select sts.amazonaws.com.

  6. Verify the information that you provided and then select Add provider.

Creating an IAM role

Create the IAM role in every AWS account that Turbonomic will manage.

  1. In the navigation pane of the IAM console, choose Roles and then choose Create role.

  2. For role type, choose Web Identity.

  3. For Identity provider, select the identity provider that you created in the previous task.

  4. For Audience, choose sts.amazonaws.com.

  5. Review your web identity information and then choose Next.

  6. Select the IAM policies that you created in a previous task and then choose Next.

  7. For Role name, specify a role name. Role names must be unique within your AWS account and are case insensitive.

  8. Review the role and then choose Create role.

  9. Record the ARN for the role. You will need this information later when you add an AWS target in the Turbonomic user interface.

Modifying the trust policy

  1. In the navigation pane of the IAM console, choose Roles.

  2. In the list of roles in your account, choose the name of the role that you want to modify.

  3. Choose the Trust relationships tab, and then choose Edit trust policy.

  4. Go to line 12 and update the following information:

    • Replace aud with sub.

    • Replace sts.amazon.aws.com with system:serviceaccount:<TENANT_ID>:<TENANT_SVC_ACCOUNT>.

    Where:

    • <TENANT_ID> is your tenant ID, which is the subdomain for your Turbonomic SaaS URL.

      For example <Tenant_ID>.customer.turbonomic.ibmappdomain.cloud

    • <TENANT_SVC_ACCOUNT> is:

      <Tenant_ID>-sa

    The following is an example of how the IAM role trust relationship should look like:

    {
                "Version": "2012-10-17",
                "Statement": [
                {
                "Effect": "Allow",
                "Principal": {
                "Federated": "<PROVIDER_URL>"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                "StringEquals": {
                "<PROVIDER_URL>:sub": "system:serviceaccount:<TENANT_ID>:<TENANT_SVC_ACCOUNT>"
                }
                }
                }
                ]
                } 
  5. Choose Update policy.

Next step

If the IAM role that you just set up is for:

  • The management account in a multi-account target, set up a cross-account IAM role for the member accounts. For details see this topic.

  • A management or member account in a single-account target, you do not need to set up a cross-account IAM role. The next step is to set up a data export for use with the AWS Billing target. For details, see this topic.