Set up a cloud provider account connection in VMware Tanzu Mission Control so you can start creating clusters. This procedure walks you through the process of creating a cloud provider account connection with AWS using Role ARN.

Note: The aws-hosted management cluster is no longer available, as of 31-January-2023.

To provision a cluster in the aws-hosted management cluster using Tanzu Mission Control, you must first connect a cloud provider account so that Tanzu Mission Control has a place to provision the necessary objects to create the cluster.

A cloud provider account connection is only necessary for provisioning new clusters from Tanzu Mission Control. If you don't want to create clusters right now, you can skip this section.


Before starting this procedure, perform the following tasks:
  • Log in to the Tanzu Mission Control console.
  • Log into the AWS console.
You must also make sure you have the appropriate permissions to connect a cloud provider account.
  • To create a cloud provider account connection, you must be associated with the organization.credential.admin role.


  1. In the Tanzu Mission Control console, click Administration in the left navigation pane, and then click the Management clusters tab.
  2. In the list of management clusters, click the aws-hosted management cluster.
  3. On the detail page for the aws-hosted management cluster, click the Accounts tab, and then click Create Account Credential.
  4. On the Create credential page, select a provisioner and provide a name for the account connection, click Generate template, and then click Next.
    The name that you enter is the name that appears in the list of connected accounts on the Administration page.
    When you click Generate template, Tanzu Mission Control generates the template and then downloads it.
    Note: Do not reuse a template from a previously created stack. Each time you create a cloud provider account connection, you must download the template and create a new stack, even if you use the same AWS account.
  5. In the AWS console, use the EC2 service to create an SSH key pair (for example, my-tmc-kp) for each region that you plan to use with Tanzu Mission Control.
  6. Create a standard CloudFormation stack in AWS using the downloaded template.
    1. In the AWS console, use the CloudFormation service to create a stack (with new resources).
    2. When prompted, click Upload a template file and use the template you downloaded.
    3. On the Review page, you must scroll to the bottom and select the checkbox that acknowledges the creation of IAM resources, and then click Create stack.
    After a couple minutes, the Stack details page shows your new stack with the status of CREATE_COMPLETE. You might need to click the refresh button to update the status.
  7. After the stack is created, retrieve the role ARN.
    1. After the stack creation is complete, click the Outputs tab.
    2. On the outputs tab, find the message created by the template that shows the role ARN.
    3. Copy the role ARN shown in the message (for example, arn:aws:iam::01234567890:role/, and then return to the Tanzu Mission Control console to finish creating the connection.
  8. In the Tanzu Mission Control console, still on the create credential page, click Next to proceed to the last step, and then paste the role ARN that you copied from the AWS console.
  9. Click Create Credential to create the connection to your cloud provider account.