Provisioning IAM Objects Needed for Metworx 20.x Deployment


This document outlines the steps associated with provisioning IAM objects for Metworx purposes.

Relevant Metworx Version(s)

The process outlined below pertains only to Metworx 20.x series workflows, so from Metworx 20.03 onward.

Relevant IAM Objects

There are 3 IAM objects that are needed to run Metworx and their purpose and policies are summarized in the table below.

The current set of AWS policies are a "superset" and are compatible with Metworx Workflows 20.03 and beyond.

IAM Object Description Custom Policy Custom Policy Summary AWS Managed Policy
AWS IAM Service User A service user whose credentials are used by metworx gui application to connect to customer-owned AWS Accounts Service User Policy 2021 03 23 22 40 26
AWS IAM EC2 service role IAM role that Metworx cluster ec2 instances assume when running EC2 Role Policy cluster node IAM role AmazonSSMManagedInstanceCore
AWS IAM Role for MetrumRG Metworx Support The read-only role grants Metworx Support access to logs and general configuration information, but not DATA. SupportUser AmazonEC2ReadOnlyAccess CloudWatchLogsReadOnlyAccess AWSCloudTrailReadOnlyAccess AWSSupportAccess AWSCloudFormationReadOnlyAccess

NOTE: For the customers that opt in for a fully-supported solution, the Support Role would have full admin rights.

Steps to Create the Required IAM Object

  1. Login to the AWS Account that will host the Metworx Workflows. Make sure that you are in the same region as will be used by Metworx workflows.
  2. Use the link below to Launch The CloudFormation Stack, and click Next Launch CloudFormation Template CreateStack1
  3. You can accept all of the defaults for Stack Name, IAM Role Name and IAM username -- or provide your own.

    • If you will host dev, staging and prod environments in the same AWS account, make sure to modify the names of these resources to ensure uniqueness.
    • To grant MetrumRG Metworx Support Role FULL admins rights, please select 'true' for GrantFullAdminToSupportRole parameter.
  4. Click "Next" to accept all other defaults. StackParameters
  5. Click "Next" to also accept all of the default Stack options.
  6. At the bottom of the "Review" page, accept "Capabilities" to acknowledge that you will be creating IAM object, and click on "Create Stack" 2020 05 10 17 08 09
  7. Monitor stack creation to make sure it is successful by refreshing events. After a couple of minutes the stack should finish creating. StackCreationMonitor

Associated Step-by-Step Video

Linked is a Step-by-Step Video walking you through the steps outlined above.