You must configure credentials in Amazon AWS with the permissions required for vRealize Automation to manage your environment.

vRealize Automation requires access keys for endpoint credentials and does not support user names and passwords.

  • Role and Permission Authorization in Amazon Web Services

    Although the Power User role in AWS gives an AWS Directory Service user or group full access to AWS services and resources, that role is not required; roles with fewer privileges are also supported. The following AWS IAM policy grants the permissions that vRealize Automation functionality needs:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances",
          "ec2:DescribeImages",
          "ec2:DescribeKeyPairs",
          "ec2:DescribeVpcs",
          "ec2:DescribeSubnets",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeVolumes",
          "ec2:DescribeVpcAttribute",
          "ec2:DescribeAddresses",
          "ec2:DescribeAvailabilityZones",
          "ec2:DescribeImageAttribute",
          "ec2:DescribeInstanceAttribute",
          "ec2:DescribeVolumeStatus",
          "ec2:DescribeVpnConnections",
          "ec2:DescribeRegions",
          "ec2:DescribeTags",
          "ec2:DescribeVolumeAttribute",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeNetworkInterfaceAttribute",

          "ec2:DisassociateAddress",
          "ec2:GetPasswordData",

          "ec2:ImportKeyPair",
          "ec2:ImportVolume",

          "ec2:CreateVolume",
          "ec2:DeleteVolume",
          "ec2:AttachVolume",
          "ec2:ModifyVolumeAttribute",
          "ec2:DetachVolume",

          "ec2:AssignPrivateIpAddresses",
          "ec2:UnassignPrivateIpAddresses",

          "ec2:CreateKeyPair",
          "ec2:DeleteKeyPair",

          "ec2:CreateTags",
          "ec2:AssociateAddress",
          "ec2:ReportInstanceStatus",
          "ec2:StartInstances",
          "ec2:StopInstances",
          "ec2:ModifyInstanceAttribute",
          "ec2:MonitorInstances",
          "ec2:RebootInstances",
          "ec2:RunInstances",
          "ec2:TerminateInstances",

          "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
          "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
          "elasticloadbalancing:DescribeLoadBalancerAttributes",
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeInstanceHealth"
        ],
        "Resource": "*"
      }]
    }

  • Authentication Credentials in Amazon Web Services

    For management of Amazon Identity and Access Management (IAM) users and groups, you must be configured with AWS Full Access Administrator credentials.
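Before attaching a hand-written policy to the endpoint's IAM user, it is worth checking it against the action list above: does it grant every action vRealize Automation needs, and does it grant anything wider (a bare `*`, a `service:*`, or a service such as IAM that the list never touches)? The script below is an added example, not VMware's code: `REQUIRED_ACTIONS` copies the policy from this page, and `CANDIDATE_POLICY` is a constructed draft that uses wildcards and an explicit Deny, which in IAM overrides any Allow.

```python
"""Added check script (not VMware's code): compare a candidate IAM policy with the
action set vRealize Automation needs. REQUIRED_ACTIONS copies the policy on this
page; CANDIDATE_POLICY is a constructed example of an administrator's draft."""
import fnmatch
import json

REQUIRED_ACTIONS = frozenset("""
ec2:DescribeInstances ec2:DescribeImages ec2:DescribeKeyPairs ec2:DescribeVpcs ec2:DescribeSubnets
ec2:DescribeSecurityGroups ec2:DescribeVolumes ec2:DescribeVpcAttribute ec2:DescribeAddresses
ec2:DescribeAvailabilityZones ec2:DescribeImageAttribute ec2:DescribeInstanceAttribute
ec2:DescribeVolumeStatus ec2:DescribeVpnConnections ec2:DescribeRegions ec2:DescribeTags
ec2:DescribeVolumeAttribute ec2:DescribeNetworkInterfaces ec2:DescribeNetworkInterfaceAttribute
ec2:DisassociateAddress ec2:GetPasswordData ec2:ImportKeyPair ec2:ImportVolume ec2:CreateVolume
ec2:DeleteVolume ec2:AttachVolume ec2:ModifyVolumeAttribute ec2:DetachVolume
ec2:AssignPrivateIpAddresses ec2:UnassignPrivateIpAddresses ec2:CreateKeyPair ec2:DeleteKeyPair
ec2:CreateTags ec2:AssociateAddress ec2:ReportInstanceStatus ec2:StartInstances ec2:StopInstances
ec2:ModifyInstanceAttribute ec2:MonitorInstances ec2:RebootInstances ec2:RunInstances
ec2:TerminateInstances elasticloadbalancing:RegisterInstancesWithLoadBalancer
elasticloadbalancing:DeregisterInstancesFromLoadBalancer elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeInstanceHealth""".split())
REQUIRED_SERVICES = {a.split(":")[0] for a in REQUIRED_ACTIONS}

def _patterns(policy, effect):
    """Action patterns from statements with the given Effect (string or list form)."""
    pats = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == effect:
            acts = stmt.get("Action", [])
            pats.extend([acts] if isinstance(acts, str) else acts)
    return pats

def _matches(action, patterns):
    """IAM action matching is case-insensitive and treats '*' and '?' as wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def check_policy(policy):
    """Required actions not granted (an explicit Deny wins over Allow), plus Allow
    patterns wider than the required set: '*', 'service:*', or an unneeded service."""
    allows, denies = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not _matches(a, allows) or _matches(a, denies))
    broad = sorted(p for p in allows if p == "*" or p.endswith(":*")
                   or p.split(":")[0].lower() not in REQUIRED_SERVICES)
    return {"missing": missing, "broad_grants": broad}

CANDIDATE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "ec2:*Volume*",
   "ec2:*KeyPair", "ec2:RunInstances", "elasticloadbalancing:Describe*", "iam:*"]},
  {"Effect": "Deny", "Resource": "*", "Action": "ec2:DeleteVolume"}]}""")
```

Running `check_policy(CANDIDATE_POLICY)` reports 16 missing actions (the Deny removes `ec2:DeleteVolume` even though `ec2:*Volume*` allows it) and flags `iam:*` as a grant the endpoint does not need.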

When you create an AWS endpoint in vRA, you are prompted to enter an access key and a secret key. To obtain the access key needed to create the Amazon endpoint, the administrator must either request a key from a user who has AWS Full Access Administrator credentials or be additionally configured with the AWS Full Access Administrator policy. See Create an Amazon Endpoint.

For information about enabling policies and roles, see the AWS Identity and Access Management (IAM) section of Amazon Web Services product documentation.