AWS VPC

Objective

This document explains the various types of required policies that grant permissions for users to create or modify resources as part of deploying F5® Distributed Cloud Sites on AWS. This document also provides instructions to create a service account using the AWS cloud formation templates.

AWS VPC Site Policies

The required policies are managed using the AWS IAM service. Log into AWS console and navigate to IAM dashboard. Select Access Management -> Users. Select a user for which the policies need to be applied to grant permissions for deploying AWS cloud resources. In the Permissions tab, click Add permissions to add the required permissions listed in the following chapters. You can open an attached group and select the JSON view to check and ensure that correct permissions are applied.

The following is the JSON view of the required policy and permissions to deploy AWS VPC site:

          {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
               "autoscaling:AttachLoadBalancerTargetGroups",
               "autoscaling:AttachLoadBalancers",
               "autoscaling:CreateAutoScalingGroup",
               "autoscaling:CreateLaunchConfiguration",
               "autoscaling:DeleteAutoScalingGroup",
               "autoscaling:DeleteLaunchConfiguration",
               "autoscaling:DescribeAutoScalingGroups",
               "autoscaling:DescribeLaunchConfigurations",
               "autoscaling:DescribeLoadBalancerTargetGroups",
               "autoscaling:DescribeLoadBalancers",
               "autoscaling:DetachLoadBalancerTargetGroups",
               "autoscaling:DetachLoadBalancers",
               "autoscaling:DisableMetricsCollection",
               "autoscaling:EnableMetricsCollection",
               "autoscaling:ResumeProcesses",
               "autoscaling:SuspendProcesses",
               "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AutoScalingPermissions"
        },
        {
            "Action": [
               "ec2:AllocateAddress",
               "ec2:AssignPrivateIpAddresses",
               "ec2:AssociateAddress",
               "ec2:AssociateIamInstanceProfile",
               "ec2:AssociateRouteTable",
               "ec2:AssociateSubnetCidrBlock",
               "ec2:AssociateVpcCidrBlock",
               "ec2:AttachInternetGateway",
               "ec2:AttachNetworkInterface",
               "ec2:AttachVpnGateway",
               "ec2:AuthorizeSecurityGroupEgress",
               "ec2:AuthorizeSecurityGroupIngress",
               "ec2:CreateCustomerGateway",
               "ec2:CreateInternetGateway",
               "ec2:CreateNetworkInterface",
               "ec2:CreateRoute",
               "ec2:CreateRouteTable",
               "ec2:CreateSecurityGroup",
               "ec2:CreateSubnet",
               "ec2:CreateTags",
               "ec2:CreateVpc",
               "ec2:CreateVpnConnection",
               "ec2:CreateVpnConnectionRoute",
               "ec2:CreateVpnGateway",
               "ec2:DeleteClientVpnEndpoint",
               "ec2:DeleteClientVpnRoute",
               "ec2:DeleteCustomerGateway",
               "ec2:DeleteInternetGateway",
               "ec2:DeleteNetworkInterface",
               "ec2:DeleteRoute",
               "ec2:DeleteRouteTable",
               "ec2:DeleteSecurityGroup",
               "ec2:DeleteSubnet",
               "ec2:DeleteTags",
               "ec2:DeleteVpc",
               "ec2:DeleteVpnConnection",
               "ec2:DeleteVpnGateway",
               "ec2:DescribeAccountAttributes",
               "ec2:DescribeAddresses",
               "ec2:DescribeClientVpnConnections",
               "ec2:DescribeClientVpnEndpoints",
               "ec2:DescribeCustomerGateways",
               "ec2:DescribeIamInstanceProfileAssociations",
               "ec2:DescribeImages",
               "ec2:DescribeInstanceAttribute",
               "ec2:DescribeInstanceCreditSpecifications",
               "ec2:DescribeInstanceTypes",
               "ec2:DescribeInstances",
               "ec2:DescribeInternetGateways",
               "ec2:DescribeNetworkAcls",
               "ec2:DescribeNetworkInterfaces",
               "ec2:DescribeRouteTables",
               "ec2:DescribeSecurityGroups",
               "ec2:DescribeSubnets",
               "ec2:DescribeTags",
               "ec2:DescribeVolumes",
               "ec2:DescribeVolumesModifications",
               "ec2:DescribeVpcAttribute",
               "ec2:DescribeVpcClassicLink",
               "ec2:DescribeVpcClassicLinkDnsSupport",
               "ec2:DescribeVpcs",
               "ec2:DescribeVpnConnections",
               "ec2:DescribeVpnGateways",
               "ec2:DetachInternetGateway",
               "ec2:DetachNetworkInterface",
               "ec2:DetachVpnGateway",
               "ec2:DisableVgwRoutePropagation",
               "ec2:DisassociateAddress",
               "ec2:DisassociateIamInstanceProfile",
               "ec2:DisassociateRouteTable",
               "ec2:DisassociateSubnetCidrBlock",
               "ec2:DisassociateVpcCidrBlock",
               "ec2:EnableVgwRoutePropagation",
               "ec2:GetPasswordData",
               "ec2:ModifyInstanceAttribute",
               "ec2:ModifyInstanceCreditSpecification",
               "ec2:ModifyInstanceMetadataOptions",
               "ec2:ModifyNetworkInterfaceAttribute",
               "ec2:ModifySubnetAttribute",
               "ec2:ModifyVolume",
               "ec2:ModifyVpcAttribute",
               "ec2:ModifyVpnConnection",
               "ec2:ModifyVpnConnectionOptions",
               "ec2:MonitorInstances",
               "ec2:ReleaseAddress",
               "ec2:ReplaceIamInstanceProfileAssociation",
               "ec2:ReplaceRoute",
               "ec2:ReplaceRouteTableAssociation",
               "ec2:RevokeSecurityGroupEgress",
               "ec2:RevokeSecurityGroupIngress",
               "ec2:RunInstances",
               "ec2:StartInstances",
               "ec2:StopInstances",
               "ec2:TerminateInstances",
               "ec2:UnassignPrivateIpAddresses",
               "ec2:UnmonitorInstances"
            ],

            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Permissions"

          },
          {
            "Action": [
               "elasticloadbalancing:AddTags",
               "elasticloadbalancing:CreateListener",
               "elasticloadbalancing:CreateLoadBalancer",
               "elasticloadbalancing:CreateTargetGroup",
               "elasticloadbalancing:DeleteListener",
               "elasticloadbalancing:DeleteLoadBalancer",
               "elasticloadbalancing:DeleteTargetGroup",
               "elasticloadbalancing:DeregisterTargets",
               "elasticloadbalancing:DescribeInstanceHealth",
               "elasticloadbalancing:DescribeListeners",
               "elasticloadbalancing:DescribeLoadBalancerAttributes",
               "elasticloadbalancing:DescribeLoadBalancers",
               "elasticloadbalancing:DescribeTags",
               "elasticloadbalancing:DescribeTargetGroupAttributes",
               "elasticloadbalancing:DescribeTargetGroups",
               "elasticloadbalancing:DescribeTargetHealth",
               "elasticloadbalancing:ModifyListener",
               "elasticloadbalancing:ModifyLoadBalancerAttributes",
               "elasticloadbalancing:ModifyTargetGroup",
               "elasticloadbalancing:ModifyTargetGroupAttributes",
               "elasticloadbalancing:RegisterTargets",
               "elasticloadbalancing:RemoveTags"
            ],

            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ELBPermissions"
        },
        {
          "Action": [
               "iam:AddRoleToInstanceProfile",
               "iam:AttachRolePolicy",
               "iam:CreateInstanceProfile",
               "iam:CreatePolicy",
               "iam:CreatePolicyVersion",
               "iam:CreateRole",
               "iam:CreateServiceLinkedRole",
               "iam:DeleteInstanceProfile",
               "iam:DeletePolicy",
               "iam:DeletePolicyVersion",
               "iam:DeleteRole",
               "iam:DeleteRolePermissionsBoundary",
               "iam:DeleteRolePolicy",
               "iam:DetachRolePolicy",
               "iam:GetInstanceProfile",
               "iam:GetPolicy",
               "iam:GetPolicyVersion",
               "iam:GetRole",
               "iam:ListAttachedRolePolicies",
               "iam:ListInstanceProfilesForRole",
               "iam:ListPolicyVersions",
               "iam:ListRolePolicies",
               "iam:PassRole",
               "iam:PutRolePermissionsBoundary",
               "iam:RemoveRoleFromInstanceProfile",
               "iam:TagPolicy",
               "iam:TagInstanceProfile",
               "iam:TagRole",
               "iam:UpdateAssumeRolePolicy",
               "iam:UpdateRole",
               "iam:UpdateRoleDescription"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Sid": "IAMPermissions"
      }
    ]
  }

        

In case you are using AWS Direct Connect, ensure that you set the following policies, in addition the above policies:

          
         {
           "Action": [
               "directconnect:AllocateHostedConnection",
               "directconnect:AllocatePrivateVirtualInterface",
               "directconnect:AllocatePublicVirtualInterface",
               "directconnect:AssociateHostedConnection",
               "directconnect:AssociateVirtualInterface",
               "directconnect:ConfirmConnection",
               "directconnect:ConfirmPrivateVirtualInterface",
               "directconnect:ConfirmPublicVirtualInterface",
               "directconnect:CreateConnection",
               "directconnect:CreateDirectConnectGateway",
               "directconnect:CreateDirectConnectGatewayAssociation",
               "directconnect:CreatePrivateVirtualInterface",
               "directconnect:CreatePublicVirtualInterface",
               "directconnect:DeleteConnection",
               "directconnect:DeleteDirectConnectGateway",
               "directconnect:DeleteDirectConnectGatewayAssociation",
               "directconnect:DeleteVirtualInterface",
               "directconnect:DescribeConnections",
               "directconnect:DescribeDirectConnectGatewayAssociations",
               "directconnect:DescribeDirectConnectGatewayAttachments",
               "directconnect:DescribeDirectConnectGateways",
               "directconnect:DescribeHostedConnections",
               "directconnect:DescribeTags",
               "directconnect:DescribeVirtualGateways",
               "directconnect:DescribeVirtualInterfaces",
               "directconnect:TagResource",
               "directconnect:UntagResource",
               "directconnect:UpdateConnection",
               "directconnect:UpdateDirectConnectGatewayAssociation"
            ],
            "Resource": "*"
          }

        

Create AWS Service Accounts

You can use the AWS Cloud Formation Template to create service accounts in AWS to provision F5 Distributed Cloud Services AWS VPC Site.

The following video tutorial shows how to create a GCP role and apply to service account:

Perform the following steps:

Note: The AWS Command Line Interface is required. See AWS CLI for more information.

Step 1: Create stack using the cloud formation template for AWS VPC site.

Use aws cloudformation create-stack command to create the stack. The following is an example:

           aws cloudformation create-stack --stack-name <STACK_NAME> \
 --template-body file://./aws-tgw-site-service-account.yaml \
 --parameters file://./parameters.json --capabilities CAPABILITY_NAMED_IAM

        

The following list provides field description for the above command:

  • STACK_NAME - The name associated with the AWS Cloud Formation stack. For example, f5dcs-tgw-policy.
  • template-body - use AWS Cloud Formation Template
  • Parameters - The parameters JSON file contains the list of parameters passed to the AWS Cloud Formation template.
  • Capabilities - Required capabilities to create the AWS Cloud Formation stack.

Note: Update the password in parameters.json file.

Step 2: Obtain details of stack created.

Use the aws cloudformation describe-stack command to obtain the details of the stack created in Step 1:

          aws cloudformation describe-stacks --stack-name <STACK_NAME>

        

The STACK_NAME is the name provided in Step 1. The above command returns a JSON file which provides information about the user created by the AWS Cloud Formation template. Note down the Access Key and the Secret Key from the outputs section of the returned JSON.

The Access Key and the Secret Key can be used to create the AWS Programmatic Access Credentials on F5® Distributed Cloud Console. See AWS Cloud Credentials for more information.

F5 Distributed Cloud Assume Role

You can also delegate permissions to F5 Distributed Cloud services to assume a role so that F5 Distributed Cloud can use its own credentials deploy AWS VPC Site on behalf of you. This requires you to create a role in the IAM section of AWS Console and delegate it to F5 Distributed Cloud using the following steps:

Step 1: Obtain service account and keys required for the assume role.

Keep the following ready:

  • F5 Distributed Cloud AWS Account Number
  • Your F5 Distributed Cloud Tenant ID

Note: Request for F5 AWS account number using a support ticket.

Step 2: Create AWS assume role with the custom trust policy.
  • On AWS Console, go to IAM > Roles. Choose Create Role and start creating the assume role.
  • Select Custom trust policy and add the following JSON:
          {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account-number>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": [
                        <tenant_id>
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account-number>:root"
            },
            "Action": "sts:TagSession"
        }
    ]
}

        

Note: Replace <account-number> with the F5 Distributed Cloud AWS account and <tenant_id> with your F5 Distributed Cloud tenant ID.

Step 3: Add permissions and complete creating the role.
  • In the role creation wizard, choose Next and select or create inline policy for AWS VPC Site deployment permissions. See Permissions for required permissions.

  • Complete creating the role and copy the created role_arn, and configure it in the cloud credentials in F5 Distributed Cloud Console. See AWS Cloud Credentials for more information.