This section discusses the stpes to configure the Cloud Connector using User Cross-Account AssumeRole.

After completing the prerequisite setup, you can configure the IAM role for the Controller as IT-AviController-Role by following the steps mentioned in AWS Installation Guide. Skip the cloud creation steps and choose No Orchestrator during the setup. Ensure that the VPCs and subnets are configured in AWS, so that Controller management interface and Service Engine’s management networks will be reachable from other accounts.


  1. Create the AWS cloud by navigating to Infrastructure > Clouds and click on Create. Choose the appropriate region and select the checkbox for Use AWS Identity and Access Management (IAM) roles. This will ensure that the IT-AviController-Role is attached to the Controller when it is launched. Both IAM role and access/secret key can used for cross-account role given the role/user has the necessary permissions (cross-account policy).
  2. Select the checkbox for Use Cross-Account AssumeRole, if the cloud has been set up in another AWS account. However, in this case, the SE cloud is created in the Prod AWS account (112233445566) from the Controller hosted in IT AWS account (123456789012). As the cross-account AssumeRole has already been set up for IT-AviController-Role, on selecting the checkbox, the back-end APIs will fetch the associated AssumeRole accounts and their roles and display them in the drop-down menu. If there were no AssumeRoles attached, then the list would have been empty. There would be a text box that can be used to enter the ARN of the role for which the Controller instance’s IAM role (in our case, IT-AviController-Role) can assume the role.
  3. Select the ARN for the account and role, where the SE targets will be deployed.
  4. If the role has appropriate access and is correctly setup, the Controller will fetch the AWS account details and configuration’s VPC networks. Similarly, this will continue for the older SE AWS cloud setup.
    • Cloud setup will progress, and the SE AMI will be copied to the target account.

    • Once the transfer is completed, the cloud status will move to Cloud ready for Virtual Service placement.

  5. Virtual services can now be configured on this cloud by following the steps mentioned at Creating Virtual Service.