Provisioning IAM Objects needed for Metworx 20.x Deployment



Three IAM objects are needed to run Metworx; their purpose and policies are summarized in the table below. NOTE: the current set of AWS policies is a "superset" and is compatible with Metworx Workflows Performance 3.5 through metworx-20.12.

IAM Object: AWS IAM Service User
  Description: A service user whose credentials are used by the Metworx GUI application to connect to customer-owned AWS accounts
  Custom Policy: Service User Policy
  Custom Policy Summary: (shown as a screenshot in the original)

IAM Object: AWS IAM EC2 service role
  Description: IAM role that Metworx cluster EC2 instances assume when running
  Custom Policy: EC2 Role Policy
  Custom Policy Summary: (shown as a screenshot in the original)
  AWS Managed Policy: AmazonSSMManagedInstanceCore

IAM Object: AWS IAM Role for MetrumRG Metworx Support
  Description: A read-only role that grants Metworx Support access to logs and general configuration information, but not DATA
  Custom Policy: SupportUser
  AWS Managed Policies: AmazonEC2ReadOnlyAccess, CloudWatchLogsReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AWSSupportAccess, AWSCloudFormationReadOnlyAccess

Note: For customers that opt in for a fully-supported solution, the Support Role would have full admin rights.

To create these IAM Objects:

  1. Log in to the AWS Account that will host the Metworx Workflows. Make sure that you are in the same region that will be used by the Metworx Workflows.
  2. Use the link below to launch the CloudFormation stack, and click Next. Launch CloudFormation Template
  3. You can accept all of the defaults for Stack Name, IAM Role Name and IAM username -- or provide your own.

    • If you will host the dev, staging and prod environments in the same AWS account, make sure to modify the names of these resources to ensure uniqueness.
    • To grant the MetrumRG Metworx Support Role FULL admin rights, select 'true' for the GrantFullAdminToSupportRole parameter.
  4. Click "Next" to accept all other defaults.
  5. Click Next to also accept all of the default Stack options.
  6. All the way at the bottom of the "Review" page, accept "Capabilities" to acknowledge that you will be creating IAM objects, and click on "Create Stack".
  7. Monitor stack creation to make sure it is successful by refreshing events. After a couple of minutes the stack should finish creating.
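The following CloudFormation template is an added illustration of what the stack described above provisions (the EC2 role with AmazonSSMManagedInstanceCore, and the Support Role that is read-only unless GrantFullAdminToSupportRole is 'true'); it is not the MetrumRG template itself. The SupportAccountId and SupportExternalId parameters, the trust policy, and the service-user omission are assumptions made here so that the fragment stands alone.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  IAMRoleName:
    Type: String
  GrantFullAdminToSupportRole:
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']
  SupportAccountId:      # assumed: the account allowed to assume the support role
    Type: String
  SupportExternalId:     # assumed: ExternalId guarding the cross-account AssumeRole
    Type: String
    NoEcho: true
Conditions:
  FullAdmin: !Equals [!Ref GrantFullAdminToSupportRole, 'true']
Resources:
  EC2Role:               # assumed by cluster EC2 instances via the instance profile
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref IAMRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: ec2.amazonaws.com}
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref EC2Role]
  SupportRole:           # read-only set by default; AdministratorAccess only when opted in
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {AWS: !Sub 'arn:aws:iam::${SupportAccountId}:root'}
            Action: sts:AssumeRole
            Condition: {StringEquals: {'sts:ExternalId': !Ref SupportExternalId}}
      ManagedPolicyArns: !If
        - FullAdmin
        - [arn:aws:iam::aws:policy/AdministratorAccess]
        - - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
          - arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess
          - arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess
          - arn:aws:iam::aws:policy/AWSSupportAccess
          - arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess
```

After the stack finishes, the attached policies of the created Support Role can be compared against this list to confirm that AdministratorAccess is present only when 'true' was deliberately selected.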