NSX Cloud leverages the AWS IAM to generate a role attached to the NSX Cloud profile that provides the necessary permissions to the PCG to access your AWS account.

For NSX Cloud to operate in your AWS account, you need to generate an IAM profile and a role for PCG.

This is achieved by running the NSX Cloud shell script using the AWS CLI that creates the following constructs:

  • an IAM profile for NSX Cloud.

  • a role for PCG to enable it to work on your public cloud inventory.


  • You must have the AWS CLI installed and configured using your AWS account's Access Key and Secret Key.

  • You must have a unique IAM profile name picked out to supply to the script. The Gateway Role Name is attached to this IAM profile


  1. On a Linux or compatible desktop or server, download the SHELL script named AWS_create_credentials.sh from the NSX-T Data Center Download page > Drivers & Tools > NSX Cloud Scripts > AWS.
  2. Run the script and enter a name for the IAM profile when prompted. For example,
     bash AWS_create_NSXCloud_credentials.sh
  3. When the script runs successfully, the IAM profile and a role for PCG is created in your AWS account. The values are saved in the output file in the same directory where you ran the script. The filename is aws_details.txt.

    The PCG (Gateway) role name is nsx_pcg_service by default. You can change it in the script if you want a different value for the Gateway Role Name. This value is required for adding the AWS account in CSM, therefore you must make a note of it if changing the default value.

What to do next

Add your AWS Account in CSM