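Run the AWS CLI from the same directory in which you saved the files; the file:// arguments in the commands below are relative paths and are resolved against the current directory.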

Procedure

  1. Create the VM Import Service Role.

    Use the following commands to create a role named “vmimport” with the required permissions.

    aws iam create-role --role-name vmimport --assume-role-policy-document file://vmimport-role-trust.json 
    
    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://vmimport-role-policy.json 
    
    aws iam put-role-policy --role-name vmimport --policy-name AviController-vmimport-KMS-Policy --policy-document file://avicontroller-kms-vmimport.json 
  2. Create the required policies for the NSX Advanced Load Balancer Controller role.

    AviController-Refined-Role is the role that will be attached to the Controller via the instance profile. Run the following commands:

    aws iam create-role --role-name AviController-Refined-Role --assume-role-policy-document file://avicontroller-role-trust.json 
    
    aws iam create-policy --policy-name AviController-EC2-Policy --policy-document file://avicontroller-ec2-policy.json 
    
    aws iam create-policy --policy-name AviController-S3-Policy --policy-document file://avicontroller-s3-policy.json 
    
    aws iam create-policy --policy-name AviController-IAM-Policy --policy-document file://avicontroller-iam-policy.json 
    
    aws iam create-policy --policy-name AviController-R53-Policy --policy-document file://avicontroller-r53-policy.json 
    
    aws iam create-policy --policy-name AviController-ASG-Policy --policy-document file://avicontroller-asg-policy.json 
    
    aws iam create-policy --policy-name AviController-SQS-SNS-Policy --policy-document file://avicontroller-sqs-sns-policy.json 
    
    aws iam create-policy --policy-name AviController-KMS-Policy --policy-document file://avicontroller-kms-policy.json 
    Note:

    Following are the optional policies for AWS DNS service and the SNS-SQS feature:

    • AviController-R53-Policy

    • AviController-AutoScalingGroup-Policy

    • AviController-SQS-SNS-Policy

    • AviController-KMS-Policy (supported as of release 17.2.8)

  3. Attach policies to the NSX Advanced Load Balancer Controller role.

    Once the policies (AviController-EC2-Policy, AviController-R53-Policy, AviController-IAM-Policy, etc.) are created (in Step 2), attach them to the AviController-Refined-Role.

    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-EC2-Policy"

    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-R53-Policy"

    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-AutoScalingGroup-Policy"

    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SNS-Policy"

    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-SQS-Policy"

    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-ASG-Notification"

    aws iam attach-role-policy --role-name AviController-Refined-Role --policy-arn "arn:aws:iam::123456789012:policy/AviController-KMS-Policy"
    Note:

    Following are the optional policies for the AWS DNS service and the SNS-SQS feature:

    • AviController-R53-Policy

    • AviController-AutoScalingGroup-Policy

    • AviController-SQS-SNS-Policies

    • AviController-KMS-Policy

  4. Create an instance profile and apply this instance profile to the EC2 role.
    Note:
    • The AWS put-role-policy command creates an inline policy in the role (as opposed to an attached policy).

    • Make sure to replace “123456789012” with the applicable AWS account ID.
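The following is an added example, not part of the original procedure or the vendor's own tooling: it prints the Step 3 attach commands and the Step 4 instance-profile commands for review, and refuses to build a policy ARN from the placeholder account ID or from anything that is not a 12-digit ID. It uses the policy names created in Step 2; the instance profile name (here the same as the role name) and the function names `policy_arn` and `plan` are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): print the Step 3 and Step 4 commands for review.
ROLE="AviController-Refined-Role"
# Assumption: the instance profile reuses the role name; any name you choose works.
PROFILE="AviController-Refined-Role"
# Policy names exactly as created in Step 2; drop optional ones you did not create.
POLICIES="AviController-EC2-Policy AviController-S3-Policy AviController-IAM-Policy
AviController-R53-Policy AviController-ASG-Policy AviController-SQS-SNS-Policy
AviController-KMS-Policy"

# policy_arn ACCOUNT_ID POLICY_NAME -> prints the customer-managed policy ARN.
# Fails if the account ID is the documentation placeholder or not 12 digits.
policy_arn() {
  if [ "$1" = "123456789012" ]; then
    echo "account ID is still the documentation placeholder" >&2
    return 1
  fi
  if ! printf '%s\n' "$1" | grep -Eq '^[0-9]{12}$'; then
    echo "account ID must be exactly 12 digits: '$1'" >&2
    return 1
  fi
  printf 'arn:aws:iam::%s:policy/%s\n' "$1" "$2"
}

# plan ACCOUNT_ID -> prints one command per line; nothing is executed here.
plan() {
  for p in $POLICIES; do
    # Validation happens before the first line is printed, so a bad ID prints nothing.
    arn=$(policy_arn "$1" "$p") || return 1
    printf 'aws iam attach-role-policy --role-name %s --policy-arn "%s"\n' "$ROLE" "$arn"
  done
  # Step 4: create the instance profile, then add the Controller role to it.
  printf 'aws iam create-instance-profile --instance-profile-name %s\n' "$PROFILE"
  printf 'aws iam add-role-to-instance-profile --instance-profile-name %s --role-name %s\n' \
    "$PROFILE" "$ROLE"
}

# Usage (needs AWS credentials; 111122223333 below would be a constructed sample ID):
#   account=$(aws sts get-caller-identity --query Account --output text)
#   plan "$account"          # review the commands first
#   plan "$account" | sh     # then apply them
```

Reading the account ID from `aws sts get-caller-identity` ties the ARNs to the credentials actually in use, so the policies are attached in the same account in which they were created.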