There are several AWS configuration options that facilitate particular customer configurations, such as role-based authentication.

Configure a role-based cloud account for use with AWS

You can configure role-based access to an AWS cloud account using the following procedure. VMware provides a helper JSON to facilitate this procedure; it is displayed when you click Create IAM Role on the AWS create cloud account page. The JSON helper includes instructions to create and configure an IAM role for VMware Aria Automation.
Note: The helper JSON helps you to configure access to basic functionality such as machine creation. If you want to run more complex tasks using ABX extensibility actions, you must assign more permissions to the AWS role in the AWS portal.

To set up role-based permissions for AWS when using the on-premises version of VMware Aria Automation, you must create a master cloud account for trusted identity authentication. When you create a new role-based cloud account, the external ID (which is the same as the orgId for the organization) is populated, and you can copy it and use it when you set up the role in the AWS portal. After the role is configured, you can create the AWS cloud account using the ARN ID from the AWS role that you created.

  1. Create a user account in the AWS portal with sts:AssumeRole permissions.
  2. Create the master cloud account in Automation Assembler using the accessKey/secretKey of that user. For the Authentication Method, select the Trusted Identity radio button for role-based authentication.
  3. In the AWS portal, create a policy and paste in the snippet from the helper JSON.
  4. In VMware Aria Automation, open the cloud account wizard to create a role-based AWS cloud account. The External ID field is populated, and you can copy the ID.
  5. In the AWS portal, create the AWS role with trust on the AWS master cloud account that you created in VMware Aria Automation. You can get the externalId from the role-based cloud account that you created in Automation Assembler, and then paste it into the External ID field in the AWS portal.
  6. Search for the vRA Access Policy in the AWS portal, then create the role that you want to use for AWS cloud account access on this policy.
  7. Copy the ARN ID of the role; you need it when you create the cloud account.
  8. Create the AWS cloud account in Automation Assembler using the ARN ID.
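The procedure above depends on two IAM documents: the trust policy on the AWS role (step 5), which names the master account's user as the only principal allowed to assume it and requires the external ID, and the identity policy on that user (step 1), which grants sts:AssumeRole. The following Python is an added example, not VMware's helper JSON and not the product's own code; it builds both documents and reviews a trust policy for the two settings that matter most. All account IDs, the user and role names, and the external ID are constructed placeholders; the external ID stands in for the orgId shown in the cloud account wizard.

```python
"""Build and sanity-check the IAM documents behind a role-based (trusted
identity) AWS cloud account. Added example; all identifiers are constructed
placeholders, not real accounts."""

# Constructed placeholders (not real identifiers).
MASTER_ACCOUNT_ID = "111111111111"     # account holding the master IAM user
MASTER_USER_NAME = "aria-master-user"  # user whose accessKey/secretKey back the master cloud account
TARGET_ACCOUNT_ID = "222222222222"     # account the role-based cloud account will manage
ROLE_NAME = "aria-automation-role"
EXTERNAL_ID = "00000000-0000-4000-8000-000000000000"  # stands in for the orgId from the wizard


def master_user_arn() -> str:
    return f"arn:aws:iam::{MASTER_ACCOUNT_ID}:user/{MASTER_USER_NAME}"


def role_arn() -> str:
    return f"arn:aws:iam::{TARGET_ACCOUNT_ID}:role/{ROLE_NAME}"


def build_trust_policy(principal_arn: str, external_id: str) -> dict:
    """Trust policy for the AWS role (step 5): only the master user may assume
    it, and only when it presents the external ID. The sts:ExternalId condition
    is what prevents a third party who learns the role ARN from having the
    master account assume the role on their behalf (confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_assume_role_policy(target_role_arn: str) -> dict:
    """Identity policy for the master user (step 1): grants sts:AssumeRole on
    the one role it needs instead of on "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Review a trust policy document and return a list of problems (empty when
    clean). Useful before pasting the document into the AWS portal, or when
    auditing roles that already exist."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if principal == "*" or aws_principal == "*":
            findings.append("statement allows any AWS principal to assume the role")
        condition = stmt.get("Condition", {})
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("statement does not require sts:ExternalId")
    return findings


if __name__ == "__main__":
    import json
    trust = build_trust_policy(master_user_arn(), EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_assume_role_policy(role_arn()), indent=2))
    print("trust policy findings:", trust_policy_findings(trust))
```

Paste the printed trust policy into the role's trust relationship in the AWS portal and the printed identity policy onto the master user; the findings list should be empty for the policy you deploy, and re-running the check against an exported trust policy later will flag a role whose external ID condition has been dropped or whose principal has been widened to "*".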