This section discusses the steps to configure the Cloud Connector using User Cross-Account AssumeRole.

After completing the prerequisite setup, you can configure the IAM role for the Controller as IT-AviController-Role by following the steps in the AWS Installation section. Skip the cloud creation steps and choose No Orchestrator during the setup. Ensure that the VPCs and subnets are configured in AWS so that the Controller management interface and the Service Engine management networks are reachable from other accounts.

Procedure

  1. Create the AWS cloud by navigating to Infrastructure > Clouds and clicking CREATE > No Orchestrator. Select Amazon Web Services as Type. Choose the appropriate region. Click SET CREDENTIALS and select the check box for Use IAM roles. This will ensure that the IT-AviController-Role is attached to the Controller when it is launched.

    Note: Both an IAM role and an access/secret key can be used for the cross-account role, provided the role/user has the necessary permissions (cross-account policy).

  2. Select the check box for Use Cross-Account AssumeRole if the cloud is set up in another AWS account. In this example, the SE cloud is created in the Prod AWS account (112233445566) from the Controller hosted in the IT AWS account (123456789012).

    As the cross-account AssumeRole has already been set up for IT-AviController-Role, on selecting the check box, the back-end APIs will fetch the associated AssumeRole accounts and their roles, and display them in the drop-down menu. If there are no AssumeRoles attached, the list will be empty. A text box is also available for entering the ARN of a role that the Controller instance’s IAM role (in our case, IT-AviController-Role) can assume.

  3. Select the ARN for the account and role, where the SE targets will be deployed.
  4. If the role has appropriate access and is set up correctly, the Controller will fetch the AWS account details and the configuration’s VPC networks. Similarly, this will continue for the older SE AWS cloud setup.
    • Cloud setup will progress, and the SE AMI will be copied to the target account.

    • Once the transfer is completed, the cloud status will move to Cloud ready for Virtual Service placement.

  5. Virtual services can now be configured on this cloud by following the steps mentioned at Creating Virtual Service.
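
Steps 2 to 4 succeed only when both halves of the cross-account setup agree: the policy on IT-AviController-Role must allow `sts:AssumeRole` on the target role, and the target role's trust policy must name the Controller role or its account. The following check is an added example, not part of the product or its documentation; the target role name `Example-Prod-SE-Role` and both policy documents are constructed for illustration.

```python
CONTROLLER_ROLE_ARN = "arn:aws:iam::123456789012:role/IT-AviController-Role"
# Hypothetical target role name; the page gives only the Prod account ID.
TARGET_ROLE_ARN = "arn:aws:iam::112233445566:role/Example-Prod-SE-Role"

# Constructed sample: permissions policy attached to IT-AviController-Role.
CONTROLLER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE_ARN}]}
# Constructed sample: trust policy on the target role in the Prod account.
TARGET_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": CONTROLLER_ROLE_ARN}}]}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _allows_assume(stmt):
    actions = {a.lower() for a in _listify(stmt.get("Action", []))}
    return stmt.get("Effect") == "Allow" and bool({"sts:assumerole", "sts:*", "*"} & actions)

def assumable_roles(identity_policy):
    """Resources the identity policy allows sts:AssumeRole on."""
    return [r for s in _listify(identity_policy.get("Statement", []))
            if _allows_assume(s) for r in _listify(s.get("Resource", []))]

def trusts(trust_policy, principal_arn):
    """True if the trust policy names the principal or its whole account."""
    account = principal_arn.split(":")[4]
    accepted = {principal_arn, account, "arn:aws:iam::%s:root" % account}
    for s in _listify(trust_policy.get("Statement", [])):
        principal = s.get("Principal", {})
        aws = _listify(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if _allows_assume(s) and accepted & set(aws):
            return True
    return False

def check_cross_account(identity_policy, trust_policy, source_arn, target_arn):
    """Return a list of problems; an empty list means both sides line up."""
    problems = []
    roles = assumable_roles(identity_policy)
    if target_arn not in roles:
        problems.append("source role is not allowed sts:AssumeRole on the target role")
    if any("*" in r for r in roles):
        problems.append("sts:AssumeRole resource uses a wildcard; list exact role ARNs")
    if not trusts(trust_policy, source_arn):
        problems.append("target trust policy does not name the source role or account")
    return problems

print(check_cross_account(CONTROLLER_POLICY, TARGET_TRUST_POLICY,
                          CONTROLLER_ROLE_ARN, TARGET_ROLE_ARN) or "OK")
```

The check compares policy text only; it does not evaluate Deny statements, Condition blocks, or organization-level controls, any of which can still block the AssumeRole call.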