You can use this policy document to complete the procedure in Create an IAM User for Tanzu Operations Manager in Preparing to Deploy Tanzu Operations Manager on AWS.

Policy document base code

For the S3 bucket policy statement, replace the generic bucket names (pcf-ops-manager-bucket and the others listed under Resource) with your own custom, unique bucket names before you paste the policy.

From the AWS Management Console, copy and paste the following text into the Policy Document text box.

You can add more policies to enable additional features. For more information, see Add more AWS policies.


{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Deny",
        "Action": [
            "iam:Add*",
            "iam:Attach*",
            "iam:ChangePassword",
            "iam:Create*",
            "iam:DeactivateMFADevice",
            "iam:Delete*",
            "iam:Detach*",
            "iam:EnableMFADevice",
            "iam:GenerateCredentialReport",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:GetAccessKeyLastUsed",
            "iam:GetAccountAuthorizationDetails",
            "iam:GetAccountPasswordPolicy",
            "iam:GetAccountSummary",
            "iam:GetContextKeysForCustomPolicy",
            "iam:GetContextKeysForPrincipalPolicy",
            "iam:GetCredentialReport",
            "iam:GetGroup",
            "iam:GetGroupPolicy",
            "iam:GetLoginProfile",
            "iam:GetOpenIDConnectProvider",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:GetSAMLProvider",
            "iam:GetSSHPublicKey",
            "iam:GetServerCertificate",
            "iam:GetServiceLastAccessedDetails",
            "iam:GetUser",
            "iam:GetUserPolicy",
            "iam:List*",
            "iam:Put*",
            "iam:RemoveClientIDFromOpenIDConnectProvider",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:RemoveUserFromGroup",
            "iam:ResyncMFADevice",
            "iam:SetDefaultPolicyVersion",
            "iam:SimulateCustomPolicy",
            "iam:SimulatePrincipalPolicy",
            "iam:Update*"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Sid": "OpsMgrInfrastructureIaasConfiguration",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeKeypairs",
            "ec2:DescribeVpcs",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeAccountAttributes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "OpsMgrInfrastructureDirectorConfiguration",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::pcf-ops-manager-bucket",
            "arn:aws:s3:::pcf-ops-manager-bucket/*",
            "arn:aws:s3:::pcf-buildpacks-bucket",
            "arn:aws:s3:::pcf-buildpacks-bucket/*",
            "arn:aws:s3:::pcf-packages-bucket",
            "arn:aws:s3:::pcf-packages-bucket/*",
            "arn:aws:s3:::pcf-resources-bucket",
            "arn:aws:s3:::pcf-resources-bucket/*",
            "arn:aws:s3:::pcf-droplets-bucket",
            "arn:aws:s3:::pcf-droplets-bucket/*"
        ]
    },
    {
        "Sid": "OpsMgrInfrastructureAvailabilityZones",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeAvailabilityZones"
        ],
        "Resource": "*"
    },
    {
        "Sid": "OpsMgrInfrastructureNetworks",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeSubnets"
        ],
        "Resource": "*"
    },
    {
        "Sid": "DeployMicroBosh",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeImages",
            "ec2:RunInstances",
            "ec2:DescribeInstances",
            "ec2:TerminateInstances",
            "ec2:RebootInstances",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "ec2:DescribeAddresses",
            "ec2:DisassociateAddress",
            "ec2:AssociateAddress",
            "ec2:CreateTags",
            "ec2:DescribeVolumes",
            "ec2:CreateVolume",
            "ec2:AttachVolume",
            "ec2:DeleteVolume",
            "ec2:DetachVolume",
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot",
            "ec2:DescribeSnapshots",
            "ec2:DescribeRegions"
        ],
        "Resource": "*"
    }
]
}

Add more AWS policies

To perform specific tasks, you might need to add more policies to your Policy Document text box in the AWS Management Console.

Refer to the following table to determine which additional policies you want to include, then paste the code from the corresponding row. Insert the code into your existing policy after the closing }, of any existing statement, so that it becomes another entry in the Statement array.

For more information about AWS policies, see Example policies in the AWS documentation.

I need to... So I paste this code.
Use an AWS Instance Profile instead of AWS Keys.
{
  "Sid": "AllowToGetInfoAboutCurrentInstanceProfile",
  "Effect": "Allow",
  "Action": [
    "iam:GetInstanceProfile"
  ],
  "Resource": [
    "IAM-INSTANCE-ARN-PROFILE"
  ]
},
{
  "Sid": "AllowToCreateInstanceWithCurrentInstanceProfile",
  "Effect": "Allow",
  "Action": [
    "iam:PassRole"
  ],
  "Resource": [
    "IAM-OPS-MANAGER-ARN-ROLE"
  ]
},

Where:

  • IAM-INSTANCE-ARN-PROFILE is the IAM instance ARN profile that you configure in AWS.
  • IAM-OPS-MANAGER-ARN-ROLE is the IAM Tanzu Operations Manager ARN role that you configure in AWS.

Encrypt EBS volumes with AWS Key Management Service (KMS).
{
    "Sid": "RequiredIfUsingHeavyStemcells",
    "Effect": "Allow",
    "Action": [
        "ec2:RegisterImage",
        "ec2:DeregisterImage"
    ],
    "Resource": "*"
},
{
    "Sid": "RequiredIfEncryptingStemcells",
    "Effect": "Allow",
    "Action": [
        "ec2:CopyImage"
    ],
    "Resource": "*"
},

Use a custom KMS encryption key that I created in AWS.
{
    "Sid": "RequiredIfUsingCustomKMSKeys",
    "Effect": "Allow",
    "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:DescribeKey*"
    ],
    "Resource": [
        "((kms_key_arn))"
    ]
},

Use the load balancer target group.
{
    "Sid": "RequiredIfUsingLBTargetGroupCloudProperties",
    "Effect": "Allow",
    "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:RegisterTargets"
    ],
    "Resource": "*"
},

Use the AWS Spot instance advisor.
{
    "Sid": "RequiredIfUsingSpotBidPriceCloudProperties",
    "Effect": "Allow",
    "Action": [
        "ec2:CancelSpotInstanceRequests",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:RequestSpotInstances"
    ],
    "Resource": "*"
},

Create and replace AWS routes.
{
    "Sid": "RequiredIfUsingAdvertisedRoutesCloudProperties",
    "Effect": "Allow",
    "Action": [
        "ec2:CreateRoute",
        "ec2:DescribeRouteTables",
        "ec2:ReplaceRoute"
    ],
    "Resource": "*"
},
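The two manual steps on this page, replacing the generic S3 bucket names in the base policy and pasting add-on statements after a closing },, are easy to get wrong by hand: a generic bucket name or a ((kms_key_arn)) / IAM-...-ARN placeholder left in place silently grants nothing, and a duplicated Sid makes AWS reject the document. The following script is an added example, not part of the Tanzu Operations Manager documentation or product. It uses only the Python standard library, works on an abbreviated copy of the base policy (only the Deny and S3 statements are embedded; the full document is above), uses a constructed bucket name (acme-prod-opsman), and applies lint rules that are this example's own choices rather than anything AWS or VMware publishes.

```python
"""Added example: merge add-on statements into the Tanzu Operations Manager
IAM policy document and lint the result before pasting it into AWS.
Standard library only; runs offline."""
import copy
import json
import re
from typing import Dict, List

# Generic S3 bucket names from the base policy; the page says to replace them.
GENERIC_BUCKETS = (
    "pcf-ops-manager-bucket", "pcf-buildpacks-bucket", "pcf-packages-bucket",
    "pcf-resources-bucket", "pcf-droplets-bucket",
)
# Placeholder tokens used by the add-on snippets, e.g. ((kms_key_arn)) or
# IAM-OPS-MANAGER-ARN-ROLE, which must be replaced with real ARNs.
PLACEHOLDER_RE = re.compile(r"\(\(.+?\)\)|IAM-[A-Z0-9-]+")

# Constructed: an abbreviated copy of the base policy (Deny + S3 statements).
BASE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": ["iam:Add*", "iam:Create*", "iam:Put*"],
     "Resource": ["*"]},
    {"Sid": "OpsMgrInfrastructureDirectorConfiguration", "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::pcf-ops-manager-bucket",
                  "arn:aws:s3:::pcf-ops-manager-bucket/*"]}
  ]
}
"""

# The custom-KMS-key add-on row from the table, still carrying its placeholder.
KMS_SNIPPET = {
    "Sid": "RequiredIfUsingCustomKMSKeys", "Effect": "Allow",
    "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant",
               "kms:DescribeKey*"],
    "Resource": ["((kms_key_arn))"],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def add_statements(policy: Dict, extra: List[Dict]) -> Dict:
    """Return a copy of `policy` with `extra` appended to its Statement array.

    This is the programmatic equivalent of pasting a row's code after a
    closing `},`. Duplicate Sids are rejected because AWS does not accept them.
    """
    merged = copy.deepcopy(policy)
    seen = {s["Sid"] for s in merged["Statement"] if "Sid" in s}
    for stmt in extra:
        sid = stmt.get("Sid")
        if sid in seen:
            raise ValueError(f"duplicate Sid: {sid}")
        if sid:
            seen.add(sid)
        merged["Statement"].append(copy.deepcopy(stmt))
    return merged


def customize_buckets(policy: Dict, names: Dict[str, str]) -> Dict:
    """Rewrite generic bucket names in S3 resource ARNs to your own names."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        if "Resource" not in stmt:
            continue
        fixed = []
        for res in _as_list(stmt["Resource"]):
            for generic, custom in names.items():
                res = res.replace(generic, custom)
            fixed.append(res)
        stmt["Resource"] = fixed if isinstance(stmt["Resource"], list) else fixed[0]
    return out


def lint_policy(policy: Dict) -> List[str]:
    """Return findings a reviewer would want fixed before pasting the policy."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    has_iam_deny = False
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if stmt["Effect"] == "Deny" and any(a.startswith("iam:") for a in actions):
            has_iam_deny = True
        if stmt["Effect"] == "Allow" and "*" in actions:
            findings.append(f"{sid}: Allow on Action '*' grants every API")
        for res in _as_list(stmt.get("Resource", [])):
            for generic in GENERIC_BUCKETS:
                if generic in res:
                    findings.append(f"{sid}: generic bucket {generic} not replaced")
            hit = PLACEHOLDER_RE.search(res)
            if hit:
                findings.append(f"{sid}: placeholder {hit.group()} not replaced")
    if not has_iam_deny:
        findings.append("no Deny statement covering iam: actions")
    json.loads(json.dumps(policy))  # round-trip: the document is valid JSON
    return findings


if __name__ == "__main__":
    base = json.loads(BASE_POLICY_JSON)
    custom = customize_buckets(base, {"pcf-ops-manager-bucket": "acme-prod-opsman"})
    merged = add_statements(custom, [KMS_SNIPPET])
    for finding in lint_policy(merged):
        print("FINDING:", finding)
    print(json.dumps(merged, indent=2))
```

Run it as-is and the only finding is the unreplaced ((kms_key_arn)) placeholder in the KMS statement; replace that with the key ARN from your account and the lint comes back clean, at which point the printed document is what you paste into the Policy Document text box.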