How do I use Amazon IAM with RightScale?
Overview
What is AWS Identity and Access Management (IAM)?
IAM is a feature specific to Amazon Web Services that provides a way of securely controlling access to your AWS services and resources. Simply create users or groups and assign them the desired access permissions. For example, you might want to restrict who can launch and terminate EC2 instances. To learn more, see AWS Identity and Access Management (IAM).
Can I use IAM with RightScale?
Yes. Since RightScale maintains its own database of users for its platform, you cannot enforce individual IAM users and permissions within the RightScale Dashboard itself (assuming those same users have access to log in to the related RightScale account).
Typically, most users use their account's security credentials when they add AWS to a RightScale account, which effectively grants administrator level access to the RightScale platform. Administrators will then leverage RightScale's User Role Privileges to further enforce access permissions on a per-user basis. However, if you do not want to grant the RightScale platform administrative access to your AWS account and thereby restrict what actions can be performed from the RightScale Dashboard/API, you can create a user profile in IAM and associate its security credentials with a RightScale account for more granular access control. For example, you may not want users of your RightScale account to be able to create Amazon S3 buckets or change ACLs of individual objects. In such cases, you can create a 'RightScale' user profile and create a custom user policy that doesn't permit the use of Amazon's S3 object storage service. Once that 'RightScale' user's AWS security credentials are associated with a RightScale account, user functionality within the RightScale Dashboard/API will reflect the new user policy that's being used, so some functionality within the RightScale Dashboard/API may no longer be accessible.
Will users in IAM have the same permissions in RightScale?
No, not necessarily. In AWS, each user defined in the IAM service will have a unique set of AWS security credentials (Access Key ID and Secret Access Key) as well as a User Policy that's designed to control what that user can do inside the AWS Management Console. However, in the RightScale Cloud Management Dashboard/API, a user's ability to manage the AWS account's resources and services is defined by which AWS security credentials are associated with the RightScale account. See Sign up for Amazon Web Services (AWS). Therefore, if a user has access to log in to both the AWS Management Console and its associated RightScale account and the security credentials either match or have a user policy that has the same set of permissions, a RightScale user may be able to perform the same functions in both user interfaces. Of course, another factor that must also be taken into consideration is what User Role Privileges the user has been granted in the RightScale account, which may further restrict what that user can do inside the RightScale Dashboard/API even if the RightScale account itself has the same level of access as their user policy. For example, a RightScale user still needs 'actor' user permissions in a RightScale account in order to launch and terminate instances from the RightScale Dashboard/API.
How do I connect my AWS Account to RightScale using IAM?
Perhaps you're currently using IAM to manage your AWS account's resources and services and wish to grant RightScale access to your account by using an IAM user instead of using your account's default security credentials. (e.g. AWS Access Key ID and AWS Secret Access Key)
Follow the steps below to create a user profile in IAM that's specifically designed for use by the RightScale platform to access and manage your account.
- Log in to the AWS Management Console (https://aws.amazon.com)
- Go to the IAM section.
- Go to the Users section in the left-hand navigation pane and click Create New Users.
- Create a new user profile that the RightScale platform will use to access and manage your AWS account's resources and services. (e.g. RightScale) Make sure you auto-generate an access key because you will need it to add/update the AWS credentials associated with your RightScale account.
- Save the user's security credentials.
- Access Key ID
- Secret Access Key
- Close the page and select the newly created user (e.g. RightScale) by clicking on the name (not the checkbox).
- The next step is to define the User Policy (i.e. user permissions) that will be granted to the new (RightScale) user. Both options outlined below are safe and secure. Since this User Policy will affect how the RightScale platform interacts with your AWS account's services and resources, it's important to use a policy that has the minimum set of permissions that's required by RightScale. Both options below will ensure full functionality within the RightScale cloud management platform and related services such as RightScale's Cloud Analytics.
- Option 1 (Recommended) - Grant Administrator Access to RightScale, which is essentially the same level of access that would be granted to RightScale if you were not using IAM and simply used your AWS account's Access Key ID and Secret Access Key. To do this, click on the "Attach Policy" button, then select "AdministratorAccess" and click Attach Policy.
- Option 2 - Create an inline policy. If you select this option, click to expand the Inline Policies section, and click through to create one. Then select Custom Policy. Provide a useful name for the custom user policy (e.g. RightScale_Connection) and start by copying and pasting the provided source code below into the "Policy Document" text field. The following user policy provides the minimum set of permissions required to support full functionality within RightScale's Cloud Management and Cloud Analytics dashboards. If you want to create a user policy that only supports RightScale Cloud Analytics and not cloud management, please use the "ReadOnlyAccess" policy in Option 1.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "cloudfront:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
},
{
"Action": "elasticloadbalancing:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:*",
"Effect": "Allow",
"Resource": "arn:aws:sqs:*"
},
{
"Action": "rds:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sns:*",
"Effect": "Allow",
"Resource": "arn:aws:sns:*"
},
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cloudformation:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "directconnect:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "route53:*",
"Effect": "Allow",
"Resource": "arn:aws:route53:::*"
},
{
"Action": [
"iam:DeleteServerCertificate",
"iam:GetServerCertificate",
"iam:ListServerCertificates",
"iam:UpdateServerCertificate",
"iam:UploadServerCertificate"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:server-certificate/*"
}
]
}
- Once you've made your User Policy selection and defined its set of permissions, click Apply Policy to save and apply your changes.
- Congratulations! You just created an IAM user with a unique set of security credentials and an appropriate user policy. The next step is to use this information to either add the AWS cloud account to your RightScale account or update a previously configured RightScale account to use the 'RightScale' IAM user profile instead of your AWS account's default (admin) security credentials. You will need the following information to add/update your RightScale account.
- Access Key ID and Secret Access Key (of the new 'RightScale' user you just created)
- AWS Account Number (Tip: You can quickly retrieve the 12-digit ID by clicking the Summary tab. See screenshot.)
- You are now ready to Add AWS Credentials to RightScale.
- © Copyright 2015 RightScale Technical Support