If using the IAM role method to define access for an Avi Load Balancer installation in Amazon Web Services (AWS), use the steps in this article to set up the IAM roles before beginning deployment of the Avi Load Balancer Controller EC2 instance.

IAM role: vmimport (trust policy: vmimport-role-trust.json)

    Policy name: vmimport (vmimport-role-policy.json)
    Description: Enables the Avi Load Balancer SE VM to be imported into AWS. Without this IAM role, the SE cannot be launched. This role is associated with the AWS account in which Service Engines will be deployed (not with the Controller). For more details on vmimport, see the VM Import/Export guide.
    Required: Yes

    Policy name: kmsimport (avicontroller-kms-vmimport.json)
    Description: Used to create an IAM policy that is attached to the vmimport role; alternatively, it can be applied directly to the KMS key.
    Required: Yes

IAM role: AviController-Refined-Role (trust policy: avicontroller-role-trust.json)

    Policy name: AviController-EC2-Policy (avicontroller-ec2-policy.json)
    Description: Enables the Avi Load Balancer Controller instance to be installed.
    Required: Yes

    Policy name: AviController-IAM-Policy (avicontroller-iam-policy.json)
    Description: Enables access to retrieve IAM role and policy information.
    Required: Yes

    Policy name: AviController-S3-Policy (avicontroller-s3-policy.json)
    Description: Enables S3 permissions.
    Required: Yes

    Policy name: AviController-R53-Policy (avicontroller-r53-policy.json)
    Description: Enables access to the AWS cloud's DNS (Route 53).
    Required: Only if configuring automatic DNS registration to Route 53.

    Policy name: AviController-ASG-Policy (avicontroller-asg-policy.json)
    Description: Enables read access to the AWS cloud's Auto Scaling groups.
    Required: Only if defining Pools based on AWS Auto Scaling groups.

    Policy name: AviController-SQS-SNS-Policy (avicontroller-sqs-sns-policy.json)
    Description: Enables the Avi Load Balancer Controller to use the SNS and SQS feature for Auto Scaling groups, so that the Controller receives ASG notifications when SNS and SQS are enabled.
    Required: Only if SNS/SQS is enabled for notification-based updates of Pools based on Auto Scaling groups.

    Policy name: AviController-KMS-Policy (avicontroller-kms-policy.json)
    Description: Enables the Avi Load Balancer Controller to list the encryption keys in the Avi Load Balancer UI and to decrypt encrypted messages.
    Required: Only if the SQS encryption feature is enabled (which itself presupposes that SNS/SQS is enabled).
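As an added example that is not part of the Avi documentation, the following POSIX shell script creates the roles and policies listed above with the AWS CLI. It assumes the JSON files have been downloaded into the current directory under the file names in the table, attaches each policy as an inline role policy with put-role-policy (a choice made here so that re-running the script is idempotent; create-policy plus attach-role-policy would work equally well), and uses an instance profile named AviController-Refined-Role for the Controller EC2 instance, which is this example's choice rather than anything the page specifies. The AVI_* flags are likewise this example's convention for the optional policies.

```shell
#!/bin/sh
# Added example, not from the Avi Load Balancer documentation.
# Assumptions: policy JSON files are in the current directory under the names
# from the table; policies are attached inline (put-role-policy); the instance
# profile name and the AVI_* feature flags are this example's own conventions.
set -eu

# The CLI command is overridable so the sequence can be exercised without AWS
# credentials, e.g. AWS="echo aws" prints the calls instead of making them.
AWS="${AWS:-aws}"
CONTROLLER_ROLE="AviController-Refined-Role"
CONTROLLER_PROFILE="AviController-Refined-Role"   # instance profile name (assumed)

# ensure_role ROLE TRUST_FILE: create ROLE with the given trust policy unless it
# already exists. An existing role's trust policy is deliberately left alone.
ensure_role() {
  role="$1" trust="$2"
  if $AWS iam get-role --role-name "$role" >/dev/null 2>&1; then
    echo "role $role already exists, trust policy unchanged"
  else
    $AWS iam create-role --role-name "$role" \
      --assume-role-policy-document "file://$trust" >/dev/null
    echo "created role $role with trust policy $trust"
  fi
}

# attach_inline ROLE POLICY_NAME POLICY_FILE: create or overwrite an inline policy.
attach_inline() {
  role="$1" name="$2" file="$3"
  [ -r "$file" ] || { echo "missing policy document: $file" >&2; return 1; }
  $AWS iam put-role-policy --role-name "$role" --policy-name "$name" \
    --policy-document "file://$file"
  echo "attached $name ($file) to $role"
}

# ensure_instance_profile PROFILE ROLE: the Controller EC2 instance obtains the
# role's credentials through this profile. A profile holds exactly one role, so
# the role is added only when the profile is newly created.
ensure_instance_profile() {
  profile="$1" role="$2"
  if $AWS iam get-instance-profile --instance-profile-name "$profile" >/dev/null 2>&1; then
    echo "instance profile $profile already exists"
  else
    $AWS iam create-instance-profile --instance-profile-name "$profile" >/dev/null
    $AWS iam add-role-to-instance-profile --instance-profile-name "$profile" \
      --role-name "$role"
    echo "created instance profile $profile with role $role"
  fi
}

# setup_avi_iam: the full sequence. Optional policies (see the "Required" column)
# are attached only when the matching AVI_* variable is set to 1.
setup_avi_iam() {
  # vmimport role (SE account): import policy plus the KMS policy for the import
  ensure_role vmimport vmimport-role-trust.json
  attach_inline vmimport vmimport vmimport-role-policy.json
  attach_inline vmimport kmsimport avicontroller-kms-vmimport.json

  # Controller role: required policies first
  ensure_role "$CONTROLLER_ROLE" avicontroller-role-trust.json
  attach_inline "$CONTROLLER_ROLE" AviController-EC2-Policy avicontroller-ec2-policy.json
  attach_inline "$CONTROLLER_ROLE" AviController-IAM-Policy avicontroller-iam-policy.json
  attach_inline "$CONTROLLER_ROLE" AviController-S3-Policy avicontroller-s3-policy.json

  # Optional policies: attach only what the deployment actually uses (least privilege)
  if [ "${AVI_ROUTE53:-0}" = 1 ]; then
    attach_inline "$CONTROLLER_ROLE" AviController-R53-Policy avicontroller-r53-policy.json
  fi
  if [ "${AVI_ASG_POOLS:-0}" = 1 ]; then
    attach_inline "$CONTROLLER_ROLE" AviController-ASG-Policy avicontroller-asg-policy.json
  fi
  if [ "${AVI_SQS_SNS:-0}" = 1 ]; then
    attach_inline "$CONTROLLER_ROLE" AviController-SQS-SNS-Policy avicontroller-sqs-sns-policy.json
  fi
  if [ "${AVI_SQS_ENCRYPTION:-0}" = 1 ]; then
    # The KMS policy is only meaningful when SQS notifications are in use.
    [ "${AVI_SQS_SNS:-0}" = 1 ] || echo "warning: AVI_SQS_ENCRYPTION=1 without AVI_SQS_SNS=1" >&2
    attach_inline "$CONTROLLER_ROLE" AviController-KMS-Policy avicontroller-kms-policy.json
  fi

  ensure_instance_profile "$CONTROLLER_PROFILE" "$CONTROLLER_ROLE"
}

# Run the sequence only when invoked as: sh setup_avi_iam.sh --run
case "${1:-}" in --run) setup_avi_iam ;; esac
```

Run it from the directory holding the JSON files with AVI_ROUTE53=1, AVI_ASG_POOLS=1, AVI_SQS_SNS=1 or AVI_SQS_ENCRYPTION=1 set as needed; the get-role and get-instance-profile checks make a second run a no-op apart from re-putting the inline policies, which is how policy changes are rolled out.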

To begin, download the JSON files for the IAM roles and policies onto a host that has the AWS CLI installed and is configured with credentials for the target account.

Then use one of the following workflows to set up the IAM roles: