OnCommand Cloud Manager policies for AWS and Azure

You must use the policies on this page to grant the permissions that Cloud Manager needs to deploy and manage ONTAP Cloud systems in Amazon Web Services (AWS) and Microsoft Azure.

AWS

IAM policy for Cloud Manager

You must use an IAM policy to grant permissions by doing one of the following:

  • Attach the IAM policy to an IAM role, and then associate the IAM role with the Cloud Manager instance when you launch it in AWS.
  • Attach the IAM policy to IAM users or groups, and then specify the AWS access keys for those IAM users when you create Cloud Manager user accounts.

The following policies are available for Cloud Manager 3.3 and later:


IAM policies for ONTAP Cloud nodes and the HA mediator

Creating an IAM policy and role for ONTAP Cloud is required in the AWS Commercial Cloud Services Environment. It is optional in other regions.

ONTAP Cloud nodes and the HA mediator require permissions for S3 capacity tiering and HA management. In the AWS Commercial Cloud Services Environment, you must create the policy and role yourself. In standard AWS regions and in GovCloud, you can let Cloud Manager create the policy and role for you when you launch ONTAP Cloud systems. However, advanced users can use the policies below to create their own IAM policies and roles.

More information

For more information about IAM policies, refer to the following AWS documentation: Overview of IAM Policies and Managing IAM Policies.

For more information about using these policies with Cloud Manager, see the OnCommand Cloud Manager Documentation Center.

Azure

You must use one of the following policies to create a custom role in Azure RBAC:

For information about custom roles, refer to the following Azure documentation: Custom Roles in Azure RBAC.

After you create the custom role, you must assign it to an Active Directory service principal. For more information, see the OnCommand Cloud Manager Documentation Center.