This section explains the steps to set up the Prod-Xacc-Access role in the Prod AWS account.

Prerequisites

AWS accounts require access to AWS resources or APIs. In this example, the Avi Load Balancer Controller is hosted in the IT account (AWS account ID – 123456789012) and the Avi Load Balancer Service Engine cloud provides data path services in the Prod account (AWS account ID – 112233445566). While following this guide, use the account IDs and resource ARNs that apply to your environment. Cross-account setup is explained in Delegate Access Across AWS Accounts Using IAM Role.

Procedure

  1. In the Prod account, set up the Prod-Xacc-Access role, which will be a cross-account role. Navigate to IAM > Roles and click Create New Role.
  2. Select Another AWS account, enter the Account ID, and click Next: Permissions. The Account ID is the ID of the AWS account that can assume this role. In this example, it is the IT account (AWS account ID – 123456789012). You can select Require MFA based on your requirement.
  3. Select the policies required by the Prod-Xacc-Access role to create the Avi Load Balancer SE for providing Avi Load Balancer functionality, and click Review. The following are the policies attached to this role in this reference section:
    • AviController-EC2-Policy
    • AviController-IAM-XAccess-Policy
    • AviController-R53-Policy
    • AviController-S3-Policy
    • vmimport-role-policy
  4. Provide the Role name (Prod-Xacc-Access), Role description (optional), and click Create Role.

    To summarize, the ARN of the Prod-Xacc-Access role is displayed as arn:aws:iam::112233445566:role/Prod-Xacc-Access. Ensure that it follows the format arn:aws:iam::account-id:role/role-name.
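
The trust relationship created in steps 1 and 2 and the ARN format check from the summary, as an added example that is not part of the original guide or of any Avi tooling. The function names are hypothetical; the trust policy is the standard IAM document equivalent to the Another AWS account option, built with this guide's example account IDs.

```python
import json
import re

# Format given in this guide: arn:aws:iam::account-id:role/role-name (no role path).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")
# An account principal is either a bare 12-digit ID or an IAM ARN in that account.
PRINCIPAL_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

def parse_role_arn(arn):
    """Return (account_id, role_name); raise ValueError if the ARN is malformed."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a role ARN: {arn!r}")
    return m.group(1), m.group(2)

def build_trust_policy(trusted_account_id, require_mfa=False):
    """Trust policy equivalent to choosing 'Another AWS account' for the role."""
    # ':root' trusts the whole account: any identity there that is itself
    # allowed to call sts:AssumeRole on this role can assume it.
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # the optional Require MFA setting from step 2
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def audit_trust_policy(policy, expected_account_id):
    """List Allow statements whose AWS principal is not the expected account."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in [aws] if isinstance(aws, str) else aws:
            m = PRINCIPAL_RE.match(p)
            if not m:
                findings.append(f"statement {i}: wildcard or unrecognized principal {p!r}")
            elif m.group(1) != expected_account_id:
                findings.append(f"statement {i}: unexpected account {m.group(1)}")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy("123456789012")  # IT account from this guide
    print(json.dumps(policy, indent=2))
    print(parse_role_arn("arn:aws:iam::112233445566:role/Prod-Xacc-Access"))
    print(audit_trust_policy(policy, "123456789012"))
```

The audit function can be run against the trust policy JSON copied from the role's Trust relationships tab to confirm that only the IT account is trusted.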