AWS TGW
Objective
This document explains the IAM policies that grant a user the permissions needed to create or modify AWS resources when deploying F5® Distributed Cloud Services Transit Gateway (TGW) sites on AWS. It also explains how to create a service account for this purpose using the AWS CloudFormation template.
AWS TGW Policies
The required policies are managed with the AWS IAM service. Log into the AWS console and navigate to the IAM dashboard. Select Access Management > Users, then select the user that needs permissions to deploy the AWS cloud resources. In the Permissions tab, click Add permissions and add the permissions listed in the following sections. To verify that the correct permissions are applied, open the attached policy or group and switch to the JSON view.
The following is the JSON view of the policy and permissions required to deploy an AWS Transit Gateway (TGW) site. Every statement uses Resource "*", and the IAM statement allows creating and attaching policies and passing roles on any resource, so a principal holding these permissions can escalate to full control of the account: protect its credentials as you would administrator keys.
Note: You can use the AWS TGW Site Template to create service accounts for users (see Create AWS Service Accounts below).
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:AttachLoadBalancers",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLoadBalancerTargetGroups",
"autoscaling:DescribeLoadBalancers",
"autoscaling:DetachLoadBalancerTargetGroups",
"autoscaling:DetachLoadBalancers",
"autoscaling:DisableMetricsCollection",
"autoscaling:EnableMetricsCollection",
"autoscaling:ResumeProcesses",
"autoscaling:SuspendProcesses",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AutoScalingPermissions"
},
{
"Action": [
"ec2:AcceptTransitGatewayVpcAttachment",
"ec2:AllocateAddress",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateIamInstanceProfile",
"ec2:AssociateRouteTable",
"ec2:AssociateSubnetCidrBlock",
"ec2:AssociateTransitGatewayRouteTable",
"ec2:AssociateVpcCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVpnGateway",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateCustomerGateway",
"ec2:CreateInternetGateway",
"ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateTransitGateway",
"ec2:CreateTransitGatewayConnect",
"ec2:CreateTransitGatewayConnectPeer",
"ec2:CreateTransitGatewayPeeringAttachment",
"ec2:CreateTransitGatewayPolicyTable",
"ec2:CreateTransitGatewayPrefixListReference",
"ec2:CreateTransitGatewayRoute",
"ec2:CreateTransitGatewayRouteTable",
"ec2:CreateTransitGatewayRouteTableAnnouncement",
"ec2:CreateTransitGatewayVpcAttachment",
"ec2:CreateVpc",
"ec2:CreateVpnConnection",
"ec2:CreateVpnConnectionRoute",
"ec2:CreateVpnGateway",
"ec2:DeleteClientVpnEndpoint",
"ec2:DeleteClientVpnRoute",
"ec2:DeleteCustomerGateway",
"ec2:DeleteInternetGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteTransitGateway",
"ec2:DeleteTransitGatewayRoute",
"ec2:DeleteTransitGatewayRouteTable",
"ec2:DeleteTransitGatewayVpcAttachment",
"ec2:DeleteVpc",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnGateway",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeClientVpnConnections",
"ec2:DescribeClientVpnEndpoints",
"ec2:DescribeCustomerGateways",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DetachVpnGateway",
"ec2:DisableTransitGatewayRouteTablePropagation",
"ec2:DisableVgwRoutePropagation",
"ec2:DisassociateAddress",
"ec2:DisassociateIamInstanceProfile",
"ec2:DisassociateRouteTable",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DisassociateTransitGatewayRouteTable",
"ec2:DisassociateVpcCidrBlock",
"ec2:EnableTransitGatewayRouteTablePropagation",
"ec2:EnableVgwRoutePropagation",
"ec2:GetPasswordData",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyInstanceCreditSpecification",
"ec2:ModifyInstanceMetadataOptions",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyTransitGatewayVpcAttachment",
"ec2:ModifyVolume",
"ec2:ModifyVpcAttribute",
"ec2:ModifyVpnConnection",
"ec2:ModifyVpnConnectionOptions",
"ec2:MonitorInstances",
"ec2:ReleaseAddress",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:ReplaceRoute",
"ec2:ReplaceRouteTableAssociation",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:SearchTransitGatewayRoutes",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:UnassignPrivateIpAddresses",
"ec2:UnmonitorInstances",
"ec2:DescribeRegions",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceTypeOfferings"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Permissions"
},
{
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveTags"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ELBPermissions"
},
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePermissionsBoundary",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagPolicy",
"iam:TagInstanceProfile",
"iam:TagRole",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "IAMPermissions"
}
]
}
If you also use AWS Direct Connect, add the following statement to the Statement array of the policy above:
{
"Effect": "Allow",
"Action": [
"directconnect:AllocateHostedConnection",
"directconnect:AllocatePrivateVirtualInterface",
"directconnect:AllocatePublicVirtualInterface",
"directconnect:AssociateHostedConnection",
"directconnect:AssociateVirtualInterface",
"directconnect:ConfirmConnection",
"directconnect:ConfirmPrivateVirtualInterface",
"directconnect:ConfirmPublicVirtualInterface",
"directconnect:CreateConnection",
"directconnect:CreateDirectConnectGateway",
"directconnect:CreateDirectConnectGatewayAssociation",
"directconnect:CreatePrivateVirtualInterface",
"directconnect:CreatePublicVirtualInterface",
"directconnect:DeleteConnection",
"directconnect:DeleteDirectConnectGateway",
"directconnect:DeleteDirectConnectGatewayAssociation",
"directconnect:DeleteVirtualInterface",
"directconnect:DescribeConnections",
"directconnect:DescribeDirectConnectGatewayAssociations",
"directconnect:DescribeDirectConnectGatewayAttachments",
"directconnect:DescribeDirectConnectGateways",
"directconnect:DescribeHostedConnections",
"directconnect:DescribeTags",
"directconnect:DescribeVirtualGateways",
"directconnect:DescribeVirtualInterfaces",
"directconnect:TagResource",
"directconnect:UntagResource",
"directconnect:UpdateConnection",
"directconnect:UpdateDirectConnectGatewayAssociation"
],
"Resource": "*"
}
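To check that an attached policy actually covers what this page requires, the following Python script is an added example (not F5 tooling or documentation): it compares a required policy document against an attached one, honouring IAM wildcards such as ec2:Describe* and explicit Deny statements, and it flags structural errors such as a statement without an Effect. Both policy documents in the script are constructed for the example; the required excerpt contains only a few of the actions listed above, so paste the full policy from this page in its place when you run it.

```python
"""Compare an attached IAM policy against the policy this page requires.
Added example, not F5 tooling.  Both documents below are constructed:
REQUIRED_POLICY is a short excerpt of the page's policy, ATTACHED_POLICY
is what an operator might have attached by hand."""
import fnmatch
import json

REQUIRED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AutoScalingPermissions", "Effect": "Allow", "Resource": "*",
     "Action": ["autoscaling:CreateAutoScalingGroup",
                "autoscaling:DescribeAutoScalingGroups"]},
    {"Sid": "EC2Permissions", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateTransitGateway", "ec2:DescribeTransitGateways",
                "ec2:RunInstances"]},
    {"Sid": "IAMPermissions", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:PassRole", "iam:CreateRole"]}
  ]
}
""")

ATTACHED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["autoscaling:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:CreateTransitGateway", "Resource": "*"}
  ]
}
""")


def _as_list(value) -> list:
    """IAM accepts Action/Resource/Statement as a string, an object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_policy(policy: dict) -> list:
    """Structural problems AWS would reject: wrong Version, a statement with
    no Effect (or one other than Allow/Deny), or a statement with no Action."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: missing or invalid Effect")
        if not _as_list(st.get("Action")):
            problems.append(f"statement {i}: no Action")
    return problems


def required_actions(policy: dict) -> set:
    return {a for st in _as_list(policy.get("Statement"))
            for a in _as_list(st.get("Action"))}


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and patterns may use '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(required: dict, attached: dict) -> set:
    """Actions in `required` that `attached` does not allow on Resource "*".
    An action counts as covered only if an Allow statement matches it and no
    Deny statement matches it: an explicit Deny always wins in IAM."""
    allows, denies = [], []
    for st in _as_list(attached.get("Statement")):
        if "*" not in _as_list(st.get("Resource")):
            continue  # resource-scoped statements cannot satisfy a Resource "*" requirement
        bucket = allows if st.get("Effect") == "Allow" else denies
        bucket.extend(_as_list(st.get("Action")))
    missing = set()
    for action in required_actions(required):
        allowed = any(_matches(p, action) for p in allows)
        denied = any(_matches(p, action) for p in denies)
        if denied or not allowed:
            missing.add(action)
    return missing


if __name__ == "__main__":
    print("structural problems:", validate_policy(ATTACHED_POLICY) or "none")
    for action in sorted(missing_actions(REQUIRED_POLICY, ATTACHED_POLICY)):
        print("missing:", action)
```

Run it against the policy JSON copied from the IAM console's JSON view (aws iam get-policy-version returns the same document). Allow statements scoped to specific resource ARNs are treated as not covering an action, because this page's policy requires Resource "*"; relax that check if you deliberately scope resources.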
Create AWS Service Accounts
You can use the AWS CloudFormation template to create a service account in AWS for provisioning F5® Distributed Cloud Services AWS TGW sites.
Perform the following steps:
Note: The AWS Command Line Interface is required. See AWS CLI for more information.
Step 1: Create a stack using the CloudFormation template for the AWS TGW site service account.
Use the aws cloudformation create-stack command to create the stack. The following is an example:
aws cloudformation create-stack --stack-name <STACK_NAME> \
--template-body file://./aws-tgw-site-service-account.yaml \
--parameters file://./parameters.json --capabilities CAPABILITY_NAMED_IAM
The following list describes the fields in the above command:
- STACK_NAME: the name associated with the AWS CloudFormation stack. For example, f5dcs-tgw-policy.
- template-body: the AWS CloudFormation template file (here, aws-tgw-site-service-account.yaml).
- parameters: the parameters JSON file containing the parameters passed to the CloudFormation template.
- capabilities: the capabilities required to create the stack. CAPABILITY_NAMED_IAM acknowledges that the template creates IAM resources with custom names.
Note: Update the password in the parameters.json file before creating the stack.
Step 2: Obtain details of the stack created.
Use the aws cloudformation describe-stacks command to obtain the details of the stack created in Step 1. Wait until the stack reaches CREATE_COMPLETE first, for example with aws cloudformation wait stack-create-complete --stack-name <STACK_NAME>:
aws cloudformation describe-stacks --stack-name <STACK_NAME>
The STACK_NAME is the name provided in Step 1. The command returns a JSON document describing the stack, including the user created by the CloudFormation template. Note down the Access Key and the Secret Key from the Outputs section. Stack outputs are readable by anyone allowed to call cloudformation:DescribeStacks on the stack, so store the keys in a secrets store rather than in shell history or tickets, and rotate them if the outputs were exposed.
The Access Key and the Secret Key are used to create the AWS Programmatic Access Credentials on F5® Distributed Cloud Console. See AWS Cloud Credentials for more information.
F5 Distributed Cloud Assume Role
You can also delegate permissions to F5 Distributed Cloud by letting it assume an IAM role in your account, so that F5 Distributed Cloud uses its own credentials to deploy the AWS TGW site on your behalf instead of long-lived access keys. This requires you to create a role in the IAM section of the AWS Console with a trust policy that delegates it to F5 Distributed Cloud, using the following steps:
Step 1: Obtain the account number and tenant ID required for the trust policy.
Keep the following ready:
- F5 Distributed Cloud AWS Account Number
- Your F5 Distributed Cloud Tenant ID
Note: Request the F5 AWS account number using a support ticket.
Step 2: Create AWS assume role with the custom trust policy.
- On the AWS Console, go to IAM > Roles. Choose Create Role and start creating the role.
- Select Custom trust policy and add the following JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-number>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": [
"<tenant_id>"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-number>:root"
},
"Action": "sts:TagSession"
}
]
}
Note: Replace <account-number> with the F5 Distributed Cloud AWS account number and <tenant_id> with your F5 Distributed Cloud tenant ID. The principal arn:aws:iam::<account-number>:root trusts every identity in that account that has sts:AssumeRole permission; the sts:ExternalId condition is what prevents another F5 tenant from having this role assumed on its behalf (the confused-deputy problem), so do not remove it.
Step 3: Add permissions and complete creating the role.
- In the role creation wizard, choose Next and select or create an inline policy with the AWS TGW site deployment permissions. See AWS TGW Policies above for the required permissions.
- Complete creating the role and copy the created role_arn, then configure it in the cloud credentials in F5 Distributed Cloud Console. See AWS Cloud Credentials for more information.
- F5 Distributed Cloud deploys resources into your account using credentials obtained from the regional STS endpoint, not the global one. Ensure the regional STS endpoint for the region you wish to deploy to is enabled on the AWS IAM Account Settings page.
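The following Python script is an added example, not F5 tooling: it generates the trust policy from Step 2 with the two placeholders filled in, and audits any trust policy for the gap that the sts:ExternalId condition closes (an sts:AssumeRole grant to another account with no ExternalId, or to any principal at all). The account number and tenant ID in it are placeholders, not real values.

```python
"""Generate the cross-account trust policy from this page and audit trust
policies for the confused-deputy gap.  Added example, not F5 tooling; the
account number and tenant ID below are placeholders, not real values."""
import json

F5_ACCOUNT = "111111111111"     # placeholder: the F5 AWS account number from support
TENANT_ID = "example-tenant"    # placeholder: your F5 Distributed Cloud tenant ID


def build_trust_policy(account_number: str, tenant_id: str) -> dict:
    """The trust policy from Step 2 with <account-number> and <tenant_id> filled in."""
    if not (account_number.isdigit() and len(account_number) == 12):
        raise ValueError("an AWS account number is exactly 12 digits")
    if not tenant_id:
        raise ValueError("tenant ID (the sts:ExternalId) must not be empty")
    principal = {"AWS": f"arn:aws:iam::{account_number}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": [tenant_id]}},
            },
            {"Effect": "Allow", "Principal": principal, "Action": "sts:TagSession"},
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _external_ids(statement: dict) -> list:
    """Values bound to sts:ExternalId under StringEquals or StringLike."""
    cond = statement.get("Condition", {})
    return [v for op in ("StringEquals", "StringLike")
            for v in _as_list(cond.get(op, {}).get("sts:ExternalId", []))]


def audit_trust_policy(policy: dict) -> list:
    """Findings for every Allow statement that grants sts:AssumeRole:
    trusting any principal ('*'), or trusting another account without an
    sts:ExternalId condition, which is the confused-deputy exposure the
    ExternalId on this page exists to prevent."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        if "*" in aws_principals:
            findings.append(f"statement {i}: sts:AssumeRole trusted to any principal")
        elif not _external_ids(st):
            findings.append(f"statement {i}: sts:AssumeRole without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(F5_ACCOUNT, TENANT_ID)
    print(json.dumps(policy, indent=2))     # save as trust.json for aws iam create-role
    print("findings:", audit_trust_policy(policy) or "none")
```

Save the printed document as trust.json and create the role with aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json, then attach the TGW permissions with aws iam put-role-policy. Running audit_trust_policy over the trust policies of your existing roles (aws iam get-role returns AssumeRolePolicyDocument) finds cross-account grants that lack an ExternalId.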