NSX Cloud provides a SHELL script to help set up one or more of your AWS accounts by generating an IAM profile and a role for PCG attached to the profile that provides necessary permissions to your AWS account.

If you plan to host a Transit VPC linked to multiple Compute VPCs in two different AWS accounts, you can use the script to create a trust relationship between these accounts.

Note: The PCG (Gateway) role name is nsx_pcg_service by default. If you want a different value for the Gateway Role Name, you can change it in the script, but make a note of this value because it is required for adding the AWS account in CSM.

Prerequisites

You must have the following installed and configured on your Linux or compatible system before you run the script:

  • AWS CLI configured for the account and the default region.
  • jq (a JSON parser).
  • openssl (network security requirement).
Note: If using AWS GovCloud (US) accounts, ensure that your AWS CLI is configured for the GovCloud (US) account and the default region is specified in the AWS CLI configuration file.

Procedure

  • On a Linux or compatible desktop or server, download the SHELL script named nsx_csm_iam_script.sh from the NSX-T Data Center Download page > Drivers & Tools > NSX Cloud Scripts > AWS.
  • Scenario 1: You want to use a single AWS account with NSX Cloud.
    1. Run the script, for example:
       bash nsx_csm_iam_script.sh
    2. Enter yes when prompted with the question Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no]
    3. Enter a name for the IAM user when asked What do you want to name the IAM User?
      Note: The IAM user name must be unique in your AWS account.
    4. Enter no when asked Do you want to add trust relationship for any Transit VPC account? [yes/no]
    When the script runs successfully, the IAM profile and a role for PCG is created in your AWS account. The values are saved in the output file named aws_details.txt in the same directory where you ran the script. Next, follow instructions at Add your AWS Account in CSM and then Deploy PCG in a VPC to finish the process of setting up a Transit or Self-Managed VPC.
  • Scenario 2: You want to use multiple sub-accounts in AWS that are managed by one primary AWS account.
    1. Run the script from your AWS primary account.
       bash nsx_csm_iam_script.sh
    2. Enter yes when prompted with the question Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no]
    3. Enter a name for the IAM user when asked What do you want to name the IAM User?
      Note: The IAM user name must be unique in your AWS account.
    4. Enter no when asked Do you want to add trust relationship for any Transit VPC account? [yes/no]
      Note: With a primary AWS account, if your Transit VPC has permission to view Compute VPCs in the sub-accounts, you do not need to establish a trust relationship with your sub-accounts. If not, follow the steps for Scenario 3 to set up multiple accounts.
    When the script runs successfully, the IAM profile and a role for PCG is created in your AWS primary account. The values are saved in the output file in the same directory where you ran the script. The filename is aws_details.txt. Next, follow instructions at Add your AWS Account in CSM and then Deploy PCG in a VPC to finish the process of setting up a Transit or Self-Managed VPC.
  • Scenario 3: You want to use multiple AWS accounts with NSX Cloud, designating one account for Transit VPC and other accounts for Compute VPCs. See NSX Public Cloud Gateway: Architecture and Modes of Deployment for details on PCG deployment options.
    1. Make a note of the 12-digit AWS account number where you want to host the Transit VPC.
    2. Set up the Transit VPC in the AWS account by following steps a through d for Scenario 1 and finish the process of adding the account in CSM.
    3. Download and run the NSX Cloud script from a Linux or compatible system in your other AWS account where you want to host the Compute VPCs. Alternatively, you can use AWS profiles with different account credentials to use the same system to run the script again for your other AWS account.
    4. The script poses the question: Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no]. Use the following guidance for the appropriate response:
      This AWS account was already added to CSM. Enter no in response to Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no]
      This account has not been added to CSM before. Enter yes in response to Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no]
    5. (Optional) If you answered yes to creating an IAM user for CSM and PCG in the previous question, enter a name for the IAM user when asked What do you want to name the IAM User?. The IAM user name must be unique in your AWS account.
    6. Enter yes when asked Do you want to add trust relationship for any Transit VPC account? [yes/no]
    7. Enter or copy-paste the 12-digit AWS account number that you noted in step 1 when asked What is the Transit VPC account number?
      An IAM Trust Relationship is established between the two AWS accounts and an ExternalID is generated by the script.
    When the script runs successfully, the IAM profile and a role for PCG is created in your AWS primary account. The values are saved in the output file in the same directory where you ran the script. The filename is aws_details.txt. Next, follow instructions at Add your AWS Account in CSM and then Link to a Transit VPC or VNet to finish the process of linking to a Transit VPC.