OnCommand Cloud Manager policies for AWS and Azure

You must use the policies on this page to grant the permissions that Cloud Manager needs to deploy and manage ONTAP Cloud systems in Amazon Web Services (AWS) and Microsoft Azure.

AWS

IAM policies are required when using Cloud Manager and ONTAP Cloud in AWS. The following policies are available for the latest release.

IAM policy: NetApp Cloud Central
  When to use: When launching Cloud Manager in AWS using NetApp Cloud Central.
  More information: You must attach this policy to the IAM user that you use to deploy Cloud Manager from NetApp Cloud Central.

IAM policy: Cloud Manager
  When to use: When you cannot launch Cloud Manager in AWS from NetApp Cloud Central but you want to launch ONTAP Cloud systems in AWS.
  More information: If you do not deploy Cloud Manager from NetApp Cloud Central, then you must provide Cloud Manager with the permissions that it needs to launch and manage ONTAP Cloud systems in AWS. You can grant the permissions in one of two ways:
    • Attach the policy to an IAM role, and then attach the role to the Cloud Manager instance in AWS.
    • Attach the policy to IAM users or groups, and then specify the AWS access keys for those IAM users when setting up Cloud Manager user accounts.

IAM policy: ONTAP Cloud nodes
  When to use: When launching ONTAP Cloud in C2S or when you want to create your own policy.
  More information: Creating an IAM policy and role for ONTAP Cloud is required in the AWS Commercial Cloud Services Environment. It is optional in other regions because Cloud Manager can do it for you.

IAM policy: ONTAP Cloud HA mediator
  When to use: When launching ONTAP Cloud HA pairs in C2S or when you want to create your own policy.
  More information: Creating an IAM policy and role for the ONTAP Cloud HA mediator is required in the AWS Commercial Cloud Services Environment. It is optional in other regions because Cloud Manager can do it for you.

For more information about IAM policies, refer to the following AWS documentation: Overview of IAM Policies and Managing IAM Policies.

For more information about using these policies with Cloud Manager, go to NetApp Docs: Granting AWS permissions.

Azure

The following policy is available for creating a custom role in Azure RBAC:

Azure policy for Cloud Manager 3.4.5 and later

For information about custom roles, refer to the following Azure documentation: Custom Roles in Azure RBAC.

After you create the custom role, you must assign it to an Active Directory service principal. For more information, go to NetApp Docs: Granting Azure permissions to Cloud Manager.