Para crear un centro de datos definido por software (software defined datacenter, SDDC), VMware debe agregar varios permisos y funciones de AWS requeridos a la cuenta de AWS.

Declaración de permisos

Los permisos iniciales necesarios para crear el SDDC se muestran en cursiva. Estos permisos se eliminan de la función una vez creado el SDDC. El resto se mantiene con esta función en su cuenta de AWS.

Importante:

No debe cambiar ninguno de los permisos ni las funciones de AWS que quedan. De lo contrario, el SDDC podría no funcionar.

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeRouteTables",
 "ec2:CreateRoute",
 "ec2:DeleteRoute",
 "ec2:ReplaceRoute"
 ],
 "Resource": [
 "*"
 ]
 },
 {
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeNetworkInterfaces",
 "ec2:CreateNetworkInterface",
 "ec2:DeleteNetworkInterface",
 "ec2:CreateNetworkInterfacePermission",
 "ec2:ModifyNetworkInterfaceAttribute",
 "ec2:DescribeNetworkInterfaceAttribute",
 "ec2:DescribeVpcs",
 "ec2:DescribeSubnets"
 ],
 "Resource": [
 "*"
 ]
 },
 {
 "Effect": "Allow",
 "Action": [
 "ec2:AssignPrivateIpAddresses",
 "ec2:UnassignPrivateIpAddresses"
 ],
 "Resource": [
 "*"
 ]
 },
 {
 "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:GetTemplateSummary", "cloudformation:ListStackResources", "cloudformation:GetTemplate", "cloudformation:ListChangeSets", "cloudformation:GetStackPolicy"
 ],
 "Resource": "*"
 },
 {
 "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:GetRole", "iam:PassRole", "iam:PutRolePolicy", "lambda:CreateFunction", "lambda:InvokeFunction", "lambda:GetFunctionConfiguration", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources"
 ],
 "Resource": "*"
 }
 ]
}
Para ver el documento de permisos de directiva asociado, inicie sesión en la consola de AWS y abra https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/AmazonVPCCrossAccountNetworkInterfaceOperations$jsonEditor. Ahí encontrará una descripción resumida de la directiva.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:DeleteRoute",
                "ec2:ReplaceRoute"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DescribeNetworkInterfacePermissions",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}