If using the IAM role method to define access for an Avi Load Balancer installation in Amazon Web Services (AWS), use the steps in this article to set up the IAM roles before beginning deployment of the Avi Load Balancer Controller EC2 instance.
IAM Role Name | Policy Name | Description | Required
---|---|---|---
vmimport (trust policy: vmimport-role-trust.json) | vmimport (vmimport-role-policy.json) | Enables the Avi Load Balancer SE VM to be imported into AWS. Without this IAM role, the SE cannot be launched. This role is associated with the AWS account in which Service Engines will be deployed (not with the Controller). For more details on vmimport, see the VM Import/Export guide. | Yes
 | kmsimport (avicontroller-kms-vmimport.json) | Used to create an IAM policy that is attached to the vmimport role, or applied directly to the KMS key. | Yes
AviController-Refined-Role (trust policy: avicontroller-role-trust.json) | AviController-EC2-Policy | Enables the Avi Load Balancer Controller instance to be installed. | Yes
 | AviController-IAM-Policy | Enables access to retrieve IAM roles and policy information. | Yes
 | AviController-S3-Policy | Enables S3 permissions. | Yes
 | AviController-R53-Policy | Enables access to the AWS cloud's DNS. | If configuring automatic DNS registration to Route 53.
 | AviController-ASG-Policy | Enables read access to the AWS cloud's Auto Scaling groups. | If defining Pools based on AWS Auto Scaling Groups.
 | AviController-SQS-SNS-Policy | Enables the Avi Load Balancer Controller to use the SNS and SQS feature for Auto Scaling groups. Allows the Controller to receive ASG notifications when SNS and SQS are enabled. | If SNS/SQS is enabled for notification-based updates for Pools based on Auto Scaling Groups.
 | AviController-KMS-Policy | Enables the Avi Load Balancer Controller to list the encryption keys in the Avi Load Balancer UI and decrypt encrypted messages. | If the SQS encryption feature is enabled.
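As an added check (not from the Avi documentation), the following Python verifies that a vmimport trust document has the shape the AWS VM Import/Export guide prescribes: the role may be assumed only by the VM Import service, and only when the sts:ExternalId condition is present. The embedded document and the function name are this example's own; on disk the document would be the page's vmimport-role-trust.json.

```python
import json

# Constructed sample, embedded so the check runs offline: the trust document
# that AWS's VM Import/Export guide prescribes for the vmimport role (service
# principal vmie.amazonaws.com, ExternalId "vmimport"). On disk this would be
# the page's vmimport-role-trust.json.
VMIMPORT_TRUST_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}
  }]
}"""

EXPECTED_SERVICE = "vmie.amazonaws.com"
EXPECTED_EXTERNAL_ID = "vmimport"


def _as_list(value):
    # IAM allows a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def check_vmimport_trust(document: str) -> list:
    """Return findings for a vmimport trust policy; an empty list means it
    matches the expected shape: Allow sts:AssumeRole only to the VM Import
    service, gated by the sts:ExternalId condition."""
    findings = []
    seen_assume = False
    for stmt in _as_list(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        seen_assume = True
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if not isinstance(principal, dict) or set(principal) != {"Service"} or services != [EXPECTED_SERVICE]:
            findings.append(f"principal is not exactly the VM Import service: {principal!r}")
        # Condition keys are case-insensitive in IAM, so normalise before comparing.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if equals.get("sts:externalid") != EXPECTED_EXTERNAL_ID:
            findings.append("sts:ExternalId condition missing or wrong (confused-deputy exposure)")
    if not seen_assume:
        findings.append("no Allow statement for sts:AssumeRole; the import service cannot use the role")
    return findings


if __name__ == "__main__":
    print(check_vmimport_trust(VMIMPORT_TRUST_JSON) or "vmimport trust policy OK")
```

Run it against the real vmimport-role-trust.json before creating the role; any finding means the file deviates from the documented trust shape and should be corrected rather than attached.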
Then use one of the following workflows to set up the IAM roles: