NSX Cloud provides a shell script to help set up one or more of your AWS accounts: it generates an IAM profile and a PCG role, attached to that profile, that grants the permissions NSX Cloud needs in your AWS account.

If you plan to host a Transit VPC linked to multiple Compute VPCs in two different AWS accounts, you can use the script to create a trust relationship between these accounts.

Note: The PCG (Gateway) role name is nsx_pcg_service by default. If you want a different value for the Gateway Role Name, you can change it in the script, but make a note of this value because it is required for adding the AWS account in CSM.

Prerequisites

You must have the following installed and configured on your Linux or compatible system before you run the script:

  • AWS CLI
  • jq (A JSON parser)
  • openssl

Note: If using multiple AWS accounts, the accounts must be peered using a suitable method.

Procedure

  1. On a Linux or compatible desktop or server, download the shell script named nsx_csm_iam_script.sh from the NSX-T Data Center Download page > Drivers & Tools > NSX Cloud Scripts > AWS.
  2. Scenario 1: You want to use a single AWS account with NSX Cloud.
    1. Run the script, for example:
       bash nsx_csm_iam_script.sh
    2. Enter yes when prompted with the question Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no]
    3. Enter a name for the IAM user when asked What do you want to name the IAM User?
      Note: The IAM user name must be unique in your AWS account.
    4. Enter no when asked Do you want to add trust relationship for any Transit VPC account? [yes/no]
    When the script runs successfully, the IAM profile and a role for PCG are created in your AWS account. The values are saved in the output file named aws_details.txt in the same directory where you ran the script. Next, follow the instructions at Add your AWS Account in CSM and then Deploy PCG in a Self-Managed or Transit VPC to finish setting up a Transit or Self-Managed VPC.
  3. Scenario 2: You want to use multiple sub-accounts in AWS that are managed by one master AWS account.
    1. Run the script from your AWS master account.
       bash nsx_csm_iam_script.sh
    2. Enter yes when prompted with the question Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no]
    3. Enter a name for the IAM user when asked What do you want to name the IAM User?
      Note: The IAM user name must be unique in your AWS account.
    4. Enter no when asked Do you want to add trust relationship for any Transit VPC account? [yes/no]
      Note: With a master AWS account, if your Transit VPC has permission to view Compute VPCs in the sub-accounts, you do not need to establish a trust relationship with your sub-accounts. If not, follow the steps for Scenario 3 to set up multiple accounts.
    When the script runs successfully, the IAM profile and a role for PCG are created in your AWS master account. The values are saved in the output file named aws_details.txt in the same directory where you ran the script. Next, follow the instructions at Add your AWS Account in CSM and then Deploy PCG in a Self-Managed or Transit VPC to finish setting up a Transit or Self-Managed VPC.
  4. Scenario 3: You want to use multiple AWS accounts with NSX Cloud.
    Note: Verify that the AWS accounts are peered before you proceed.
    1. Make a note of the 12-digit AWS account number where you want to host the Transit VPC.
    2. Set up the Transit VPC in the AWS account by following steps 1 through 4 for Scenario 1 and finish the process of adding the account in CSM and deploying a PCG in it.
    3. Download and run the NSX Cloud script from a Linux or compatible system in your other AWS account where you want to host the Compute VPCs.
      Note: Alternatively, you can use AWS profiles with different account credentials to use the same system to run the script again for your other AWS account.
    4. Enter yes when asked Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no]
      Note: If you already added this AWS account into CSM and want to reuse the script to connect to a different AWS account, you can enter no and skip the creation of the IAM user.
    5. Enter a name for the IAM user when asked What do you want to name the IAM User?
      Note: The IAM user name must be unique in your AWS account.
    6. Enter yes when asked Do you want to add trust relationship for any Transit VPC account? [yes/no]
    7. Enter or copy-paste the 12-digit AWS account number that you noted in step 1 when asked What is the Transit VPC account number?
      An IAM Trust Relationship is established between the two AWS accounts and an ExternalID is generated by the script.
    When the script runs successfully, the IAM profile and a role for PCG are created in your AWS master account. The values are saved in the output file named aws_details.txt in the same directory where you ran the script. Next, follow the instructions at Add your AWS Account in CSM and then Link to a Transit VPC or VNet to finish linking to a Transit VPC.
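The trust relationship that Scenario 3 establishes (step 7 and the note after it) is a standard AWS cross-account role trust: the PCG role in the Compute VPC account trusts the Transit VPC account's principals, and the generated ExternalID is enforced as an sts:ExternalId condition so that a third party who merely knows the role ARN cannot have it assumed on their behalf (the confused-deputy case). The following is an added illustration in Python of what such a trust policy looks like and how to review one; it is not the code of nsx_csm_iam_script.sh, which is a shell script, and it does not know what the real script emits. The 12-digit account numbers, the ExternalID, and the weak policy are constructed sample values; the policy shape is the documented AWS pattern.

```python
"""Build and review the cross-account trust policy for a PCG role.

Added example, not the NSX Cloud script: the policy document follows the
standard AWS cross-account pattern (Principal = trusting account root,
Action = sts:AssumeRole, Condition on sts:ExternalId). Account numbers and
the ExternalID used below are constructed sample values.
"""
import json
import re
import secrets

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
PRINCIPAL_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed sample: a trust policy with the two weaknesses the review flags.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


def validate_account_id(account_id: str) -> str:
    """Return the account number if it is exactly 12 digits (step 1 of Scenario 3), else raise."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"AWS account number must be 12 digits: {account_id!r}")
    return account_id


def generate_external_id(nbytes: int = 16) -> str:
    """Unguessable ExternalID (32 hex characters); the script records its own value in aws_details.txt."""
    return secrets.token_hex(nbytes)


def build_trust_policy(transit_account_id: str, external_id: str) -> dict:
    """Trust policy for the PCG role in the Compute VPC account.

    Only principals in the Transit VPC account may call sts:AssumeRole, and only
    when they present the matching ExternalId.
    """
    validate_account_id(transit_account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{transit_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy: dict, expected_account_id: str) -> list:
    """Review a trust policy; return a list of problems (empty list means it passes).

    Flags Allow statements for sts:AssumeRole that use a wildcard principal,
    trust a principal outside the expected account, or lack an sts:ExternalId condition.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
                continue
            m = PRINCIPAL_ARN_RE.match(p)
            account = m.group(1) if m else p  # a bare 12-digit account ID is also a valid principal
            if account != expected_account_id:
                findings.append(f"statement {i}: principal outside expected account: {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append(f"statement {i}: sts:AssumeRole allowed without sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    transit_account = "111122223333"  # constructed sample account number
    policy = build_trust_policy(transit_account, generate_external_id())
    print(json.dumps(policy, indent=2))
    print("good policy findings:", trust_policy_findings(policy, transit_account))
    print("weak policy findings:", trust_policy_findings(WEAK_TRUST_POLICY, transit_account))
```

The review function is the part worth keeping: after running the NSX Cloud script, the assume-role policy on the PCG role in each Compute VPC account can be fetched with the AWS CLI and passed to trust_policy_findings with the Transit VPC account number from step 1, which confirms that the trust is scoped to that single account and carries the ExternalID condition.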