...
If you do not want to log in with a user who has an Administrator Access policy, you will need to provide several login details during the activation of IncrediBuild Cloud. These login details are included in a new customized role you have to create for this procedure. The login details are:
Role ARN – the Role Amazon Resource Name (ARN) that is generated automatically upon the creation of the new role.
Note: For more information on Amazon Resource Names (ARNs), see AWS documentation: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
External ID – the External ID you will enter as a condition into the Trust Relationships settings of the new role.
Note: For more information on External IDs, see AWS documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
To generate these login details, you need to perform the following:
Create a customized policy for low permissions.
Create a customized role for low permissions, attach the customized policy to it, and configure the Trust Relationships settings of this role.
Important! These procedures can be done only by an IAM user who has an Administrator Access policy and a Programmatic Access type.
Step 1 - Creating a Customized AWS Policy for Lower Permissions
The first step in generating login details for activating IncrediBuild Cloud with permissions lower than Administrator Access is the creation of a customized policy.
> To create a customized policy for lower permissions:
On AWS Management Console, enter in the Find Services box: IAM:
On the IAM page, click the Policies option:
On the Policies page, click the Create policy button:
On the first Create policy page, click the Choose a service option:
On the Service search box, enter: EC2. Then, click the EC2 option:
On the Actions section, select the All EC2 actions check box:
On the Resources section, click the Resources caption:
On the open Resources section, select the All resources radio button:
At the bottom of this page, click the Add additional permissions option:
On the same page on the Select a service section, enter on the Service search box: Service Quotas. Then, click the Service Quotas option:
On the same Service Quotas section, on the Actions sub-section, select for the Access level setting the Read check box:
Click the Add additional permissions option.
On the same page on the Select a service section, enter on the Service search box: IAM. Then, click the IAM option:
In the Filter actions text box, enter CreateServiceLinkedRole and select it.
Under it, click Resources and select All resources.
Under it, click Request conditions to open it, and then click Add condition.
Fill the following fields as shown and click Add
On the same page, click the Review policy button:
On the Create Policy page, enter in the Name box a name for the new policy:
Notes:
- You should remember the name of this new policy. On the next stage, you will need to attach this policy to the customized role you will create for logging into IncrediBuild.
- You can also add a description to the new policy.
On the Create Policy page, click the Create policy button:
You return to the Policies page. A notification message appears, informing you of the creation of your new policy:
After you have created the new policy, the next step is creating a customized role, as described in the following section.
Step 2 - Creating a Customized AWS Role for Lower Permissions
The second step in generating login details for activating IncrediBuild Cloud with permissions lower than Administrator Access is the creation of a customized role.
> To create a customized role for lower permissions:
Open the Roles page, by clicking the Roles option:
On the Roles page, click the Create role button:
On the first Create role page - Select type of trusted entity section, select AWS service. On the Choose a use case section, select EC2, and then click the Next: Permissions button:
On the second Create role page, use the Filter policies box to find the customized policy you previously created. Then, select its check box and click the Next: Tags button:
[Optional] On the third Create role page, you can add tags to the new role you are creating. Then, click the Next: Review button:
On the fourth Create role page, enter a name for the new role in the Role name box. Then, click the Create role button to complete the creation of your new role:
You return to the Roles page. A notification message appears, informing you of the creation of your new role:
On the Roles page, locate the newly created role. Then, select its check box and click it to open it:
On the Summary page of the new role, click the Trust relationships tab. Then, click the Edit trust relationship button:
On the Edit Trust Relationship page, delete the existing content of the Policy Document pane:
On the Policy Document pane, copy and paste the following code snippet:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::827268715074:user/incrediCloud"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<New_String_for_Your_External_ID>"
        }
      }
    }
  ]
}
The Policy Document pane should look as follows:
In the code snippet you pasted, enter a new string as the value of the sts:ExternalId parameter. This string will serve as your External ID, and you will need to provide it to IncrediBuild during the activation of IncrediBuild Cloud solution. IncrediBuild will use it to manage resources on your behalf.
Note: It is recommended to create a complicated string for the External ID, for security reasons. However, you should be aware that AWS does not treat the external ID as a secret. The external ID for a role can be seen by anyone with a permission to view that role.
After you have entered your unique External ID in the Policy Document pane, click the Update Trust Policy button.
You return to the Summary page of the role you created. In this Summary page you can find the required login details for activating IncrediBuild Cloud with lower permissions:
You have now completed the creation of all the necessary login details for activating IncrediBuild Cloud solution, and you can start the activation procedure.
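The following Python sketch is an added example, not part of IncrediBuild's own documentation or tooling. It generates a random External ID, fills in the trust policy shown above, and checks a trust policy document for the mistakes this procedure can leave behind: the default EC2 trust not deleted, or the placeholder External ID left in place. The function names are illustrative assumptions; the principal ARN and placeholder are copied from the snippet above, and the External ID character and length limits are those of AWS STS.

```python
import re
import secrets

# Principal ARN and placeholder copied from the trust policy snippet on this page.
INCREDIBUILD_PRINCIPAL = "arn:aws:iam::827268715074:user/incrediCloud"
PLACEHOLDER = "<New_String_for_Your_External_ID>"
# Characters and length (2-1224) that AWS STS accepts for an external ID.
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]{2,1224}", re.ASCII)


def new_external_id():
    """Return a random 32-character hex string usable as an External ID."""
    return secrets.token_hex(16)


def build_trust_policy(external_id):
    """Fill the page's trust policy template with the given External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": INCREDIBUILD_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy):
    """Return a list of problems found in a role trust policy (empty means OK)."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws != INCREDIBUILD_PRINCIPAL:  # e.g. the default EC2 service trust
            problems.append(f"statement {i}: unexpected principal {aws!r}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        ext = next((v for k, v in cond.items() if k.lower() == "sts:externalid"), None)
        if ext is None:
            problems.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif ext == PLACEHOLDER or not isinstance(ext, str) or not EXTERNAL_ID_RE.fullmatch(ext):
            problems.append(f"statement {i}: External ID is the placeholder or invalid")
    return problems
```

To check an existing role, pass the trust policy document copied from the role's Trust relationships tab, parsed with json.loads, to check_trust_policy.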
...