Create an Amazon Web Services User Account

Create an Amazon Web Services (AWS) user account so that you can later add a cloud credential in NavOps.

You must already have signed up for an AWS account.

AWS documentation can be found at Creating an IAM User in Your AWS Account.

Create an AWS user account and give this account administrative permissions. Once this task is complete, you should have downloaded a CSV file containing the following:
  • Access key ID
  • Secret access key
This information is necessary to create a cloud account credential in NavOps.
  1. Log in to the AWS console.
  2. Using the search box located under AWS services, enter IAM.
  3. Click the IAM search result.
    The Identity and Access Management dashboard is opened.
  4. In the navigation pane on the left-hand side of the web page, click Users.
  5. Click Add user.
    This user will have administrative rights to any machines hosted in the cloud.
  6. Enter the following information to add a user:
    1. For User name, enter a name for the user.
      The name can be anything meaningful to your organization, e.g., pc_clouduser.
    2. For Access type, enable Programmatic access.

      The user requires this type of access because NavOps needs to make API calls or use the AWS CLI. An access key ID and a secret access key are generated for the user.

  7. Click Next: Permissions.
  8. Optional: Click Add user to group.
    This button may already be selected.
  9. Click Create group.
  10. Enter the following information to create a group, add the user to the group, and choose a permission policy for the group.
    1. For Group name, enter a group name.
      The name can be anything meaningful to your organization, e.g., pc_cloudgroup.
    2. For Policy type, enable AdministratorAccess.
    3. Add the following policies.
      Policy 1:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "burstingpermission",
                  "Effect": "Allow",
                  "Action": [
                      "autoscaling:CreateAutoScalingGroup",
                      "autoscaling:UpdateAutoScalingGroup",
                      "autoscaling:DescribeScalingActivities",
                      "autoscaling:DescribeAutoScalingGroups",
                      "autoscaling:DeleteAutoScalingGroup",
                      "autoscaling:DetachInstances",
                      "autoscaling:SetDesiredCapacity",
                      "autoscaling:SuspendProcesses",
                      "autoscaling:TerminateInstanceInAutoScalingGroup",
                      "ec2:CreateTags",
                      "ec2:DescribeRegions",
                      "ec2:DescribeSpotPriceHistory",
                      "ec2:DescribeImages",
                      "ec2:DescribeInstances",
                      "ec2:DescribeInstanceAttribute",
                      "ec2:DescribeAvailabilityZones",
                      "ec2:TerminateInstances",
                      "ec2:ImportKeyPair",
                      "ec2:DescribeKeyPairs",
                      "ec2:DeleteKeyPair",
                      "ec2:DescribeSecurityGroups",
                      "ec2:DescribeSpotInstanceRequests",
                      "ec2:DescribeVpcClassicLink",
                      "sts:DecodeAuthorizationMessage",
                      "ec2:DescribeInstanceTypes",
                      "ec2:RunInstances",
                      "ec2:DescribeInstanceStatus",
                      "ec2:DescribeSubnets",
                      "ec2:CreatePlacementGroup",
                      "ec2:DescribePlacementGroups",
                      "ec2:DeletePlacementGroup",
                      "ec2:DescribeLaunchTemplates",
                      "ec2:CreateLaunchTemplate",
                      "ec2:DeleteLaunchTemplate",
                      "ec2:CreateLaunchTemplateVersion"
                  ],
                  "Resource": "*"
              }
          ]
      }
      Policy 2:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:GetRole",
                      "iam:PassRole"
                  ],
                  "Resource": "arn:aws:iam::<account-id>:role/<bursting-role-name>"
              }
          ]
      }
      Note: In Policy 2, replace <account-id> with your account ID and <bursting-role-name> with the name of the scaling role.
      Add a separate role using this policy:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "iam:CreateServiceLinkedRole",
                  "Resource": "arn:aws:iam::*:role/aws-service-role/*"
              }
          ]
      }

      These policies provide the required access to AWS services and resources.

  11. Click Create group.
    You are returned to the Add user page, and the new group is enabled, indicating that the user has been added to the new group.
  12. Click Next: Tags.
  13. Click Next: Review.
  14. Click Create user.
  15. Click Download .csv.
  16. Download and save this file in a secure location.
    This file contains an access key ID and a secret access key and is used later to add a cloud account to NavOps.
  17. Click Close.
    The new user account is displayed.
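
The placeholder substitution that the note under Policy 2 (step 10) asks for is easy to get wrong by hand, and iam:PassRole is the permission there that most depends on a tightly scoped Resource. The following is an added example, not NavOps or AWS code: the function names, the account ID 123456789012 and the role name navops-bursting-role are constructed for illustration. It fills in Policy 2 and checks the result before you paste it into the console.

```python
import json
import re

# Policy 2 from step 10, placeholders exactly as the page gives them.
POLICY_2_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:GetRole", "iam:PassRole"],
    "Resource": "arn:aws:iam::<account-id>:role/<bursting-role-name>"
  }]
}"""

ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")                # AWS account IDs are 12 digits
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9_+=,.@-]{1,64}")  # characters IAM allows in role names
PLACEHOLDER_RE = re.compile(r"<[^<>]+>")


def render_policy_2(account_id, role_name):
    """Fill in both placeholders, rejecting malformed values before substitution."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account ID must be exactly 12 digits")
    if not ROLE_NAME_RE.fullmatch(role_name):
        raise ValueError("role name has characters IAM does not allow")
    text = POLICY_2_TEMPLATE.replace("<account-id>", account_id)
    return json.loads(text.replace("<bursting-role-name>", role_name))


def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Report leftover placeholders and iam:PassRole granted on a wildcard."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        grants_passrole = stmt.get("Effect") == "Allow" and any(
            a in ("iam:passrole", "iam:*", "*") for a in actions)
        for res in as_list(stmt.get("Resource", [])):
            if PLACEHOLDER_RE.search(res):
                findings.append(f"statement {i}: unresolved placeholder in {res}")
            if grants_passrole and "*" in res:
                findings.append(f"statement {i}: iam:PassRole on wildcard {res}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not a real account or role.
    policy = render_policy_2("123456789012", "navops-bursting-role")
    print(json.dumps(policy, indent=2))
    print(lint_policy(policy) or "no findings")
```

An empty result from lint_policy means the Resource names exactly one role and no placeholder text remains.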