...
Info |
---|
If you are creating new policies, give their names a common prefix (for example 'bplm-'); this makes them easy to find when you create the role and select the policies to attach to it. |
Allow read of cost and usage data
Navigate to the IAM console and create a new policy with the JSON permissions below. Cost Explorer's ce:GetCostAndUsage does not support resource-level permissions, so its Resource has to be "*".
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ce:GetCostAndUsage",
      "Resource": "*"
    }
  ]
} |
Allow Read of created secret
Find the secret name in the script output; replace {SecretNameHere} with that name and {AWS Account ID} with your account ID. Keep the trailing '*' after the secret name: Secrets Manager appends a random six-character suffix to every secret's ARN, so an ARN ending in the bare name would never match.
...
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}*"
    }
  ]
} |
Allow management of DynamoDB and Simple Queue Service
Create the third policy. The '*bplm*' wildcards scope the grant to tables and queues whose names contain 'bplm'; dynamodb:CreateTable and sqs:CreateQueue honour the same resource ARNs, so the role cannot create tables or queues outside that naming pattern.
Info |
---|
You will need to update this policy definition with your AWS account ID. |
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:UpdateTimeToLive",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:{AWS Account ID}:table/*bplm*",
        "arn:aws:sqs:*:{AWS Account ID}:*bplm*"
      ]
    }
  ]
} |
Allow S3 bucket tag get/set
S3 bucket ARNs carry no account ID, so "arn:aws:s3:::*" covers every bucket the role can reach. If the bucket names are known, list their ARNs instead to keep s3:PutBucketTagging scoped.
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketTagging",
        "s3:PutBucketTagging"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
} |
Allow EC2 tag management
Info |
---|
You will need to update this policy definition with your AWS account ID. As written, tag creation and deletion is limited to NAT gateways; the Describe actions need Resource "*" because ec2:Describe* calls do not support resource-level permissions. |
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0TagVpcsAndNats",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*:{AWS Account ID}:natgateway/*"
    },
    {
      "Sid": "VisualEditor1LookupVpcsAndNats",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeNatGateways"
      ],
      "Resource": "*"
    }
  ]
} |
...
Once the role is created, navigate to the EC2 instance and assign the IAM role:
Actions → Security → Modify IAM role
Search for and select the IAM role, then click 'Update IAM role'. The console attaches the role's instance profile; the instance's credentials then come from the instance metadata service, so nothing needs to be stored on the host.
For cross account access configuration, see Cross account access for BPLM deployment on AWS
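The same policy and role setup done with boto3, as an added example that is not part of the original page or the BPLM project's own tooling: the five policy documents from this step are held as templates, rendered for one account, linted for unresolved placeholders and for non-read actions granted on a wildcard resource, then created as managed policies and attached to a new EC2 role and instance profile. The account ID, secret name, role name, policy names and instance ID are hypothetical placeholders; the render and lint functions run offline, and only the final block needs AWS credentials. The linter flags the S3 tagging policy's "arn:aws:s3:::*" resource, the one grant here that is not scoped by name.

```python
"""Render, lint and create the BPLM IAM policies (added example; values are hypothetical)."""
import json
import re
from typing import Any, Dict, List

ACCOUNT_ID = "123456789012"       # hypothetical: your AWS account ID
SECRET_NAME = "bplm/app-secret"   # hypothetical: the secret name printed by the script
ROLE_NAME = "bplm-ec2-role"       # hypothetical role / instance profile name

# The five policies from this step, with {ACCOUNT_ID} / {SECRET_NAME} placeholders.
TEMPLATES: Dict[str, Dict[str, Any]] = {
    "bplm-cost-read": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ce:GetCostAndUsage", "Resource": "*"}]},
    "bplm-secret-read": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:*:{ACCOUNT_ID}:secret:{SECRET_NAME}*"}]},
    "bplm-dynamodb-sqs": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:Query",
                    "dynamodb:Scan", "dynamodb:UpdateTimeToLive", "sqs:CreateQueue",
                    "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:ReceiveMessage"],
         "Resource": ["arn:aws:dynamodb:*:{ACCOUNT_ID}:table/*bplm*",
                      "arn:aws:sqs:*:{ACCOUNT_ID}:*bplm*"]}]},
    "bplm-s3-tags": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketTagging", "s3:PutBucketTagging"],
         "Resource": "arn:aws:s3:::*"}]},
    "bplm-ec2-tags": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
         "Resource": "arn:aws:ec2:*:{ACCOUNT_ID}:natgateway/*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeVpcs", "ec2:DescribeNatGateways"],
         "Resource": "*"}]},
}

# Trust policy the console generates when EC2 is chosen as the trusted entity.
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

PLACEHOLDER = re.compile(r"\{[A-Z_]+\}")
READ_PREFIXES = ("Get", "List", "Describe")


def render_policy(template: Dict[str, Any], account_id: str, secret_name: str) -> Dict[str, Any]:
    """Substitute the placeholders everywhere in the document; returns a new dict."""
    text = json.dumps(template).replace("{ACCOUNT_ID}", account_id).replace("{SECRET_NAME}", secret_name)
    return json.loads(text)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings: unresolved placeholders, and non-read actions allowed on a wildcard
    resource ('*' itself, or an ARN whose resource part is only '*')."""
    findings = [f"unresolved placeholder {m}"
                for m in sorted(set(PLACEHOLDER.findall(json.dumps(policy))))]
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        wide = [r for r in _as_list(st["Resource"]) if r == "*" or r.rsplit(":", 1)[-1] == "*"]
        for action in _as_list(st["Action"]):
            if wide and not action.split(":", 1)[1].startswith(READ_PREFIXES):
                findings.append(f"{action} allowed on wildcard resource {wide}")
    return findings


def render_all(account_id: str = ACCOUNT_ID, secret_name: str = SECRET_NAME) -> Dict[str, Dict[str, Any]]:
    return {name: render_policy(t, account_id, secret_name) for name, t in TEMPLATES.items()}


def create_role_with_policies(iam: Any, role_name: str, policies: Dict[str, Dict[str, Any]]) -> List[str]:
    """Create the role and its instance profile, then create and attach each managed
    policy. `iam` is a boto3 IAM client (or any object exposing the same methods).
    Returns the ARNs of the created policies."""
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    arns = []
    for name, doc in policies.items():
        arn = iam.create_policy(PolicyName=name, PolicyDocument=json.dumps(doc))["Policy"]["Arn"]
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
        arns.append(arn)
    return arns


if __name__ == "__main__":
    import boto3  # only needed for the live run

    docs = render_all()
    for name, doc in docs.items():
        for finding in lint_policy(doc):
            print(f"{name}: {finding}")
    print("\n".join(create_role_with_policies(boto3.client("iam"), ROLE_NAME, docs)))
    # Same effect as Actions -> Security -> Modify IAM role in the console.
    boto3.client("ec2").associate_iam_instance_profile(
        IamInstanceProfile={"Name": ROLE_NAME}, InstanceId="i-0123456789abcdef0")  # hypothetical ID
```

Run the live part with credentials that can create IAM resources and modify the instance; iam:PassRole on the new role is needed for the association call. Keep the lint step in place when the templates change, so a future edit that widens a Resource to "*" is caught before the policy is created.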
Step 4) Create DNS Entry
Navigate to the Route 53 service page, then to the hosted zone you wish to manage. Create an 'A' record for the application that points at the IP address printed at the end of script execution.
...