You must use the policies on this page to grant the permissions that Cloud Manager needs to deploy and manage ONTAP Cloud systems in Amazon Web Services (AWS) and Microsoft Azure.
IAM policies are required when using Cloud Manager and ONTAP Cloud in AWS. The following policies are available for the latest release.
|IAM policy||When to use||More information|
|NetApp Cloud Data Services||When launching Cloud Manager in AWS using NetApp Cloud Data Services.||You must attach this policy to the IAM user that you use to deploy Cloud Manager from NetApp Cloud Data Services.|
|Cloud Manager||When you cannot launch Cloud Manager in AWS from NetApp Cloud Data Services but you want to launch ONTAP Cloud systems in AWS.||If you do not deploy Cloud Manager from NetApp Cloud Data Services, then you must provide Cloud Manager with the permissions that it needs to launch and manage ONTAP Cloud systems in AWS. You can grant the permissions in one of two ways: |
|ONTAP Cloud nodes||When launching ONTAP Cloud in C2S or when you want to create your own policy.||Creating an IAM policy and role for ONTAP Cloud is required in the AWS Commercial Cloud Services Environment. It is optional in other regions because Cloud Manager can do it for you.|
|ONTAP Cloud HA mediator||When launching ONTAP Cloud HA pairs in C2S or when you want to create your own policy.||Creating an IAM policy and role for the ONTAP Cloud HA mediator is required in the AWS Commercial Cloud Services Environment. It is optional in other regions because Cloud Manager can do it for you.|
For more information about using these policies with Cloud Manager, see the OnCommand Cloud Manager Documentation Center.
You must use one of the following policies to create a custom role in Azure RBAC:
For information about custom roles, refer to the following Azure documentation: Custom Roles in Azure RBAC.
After you create the custom role, you must assign it to an Active Directory service principal. For more information, see the OnCommand Cloud Manager Documentation Center.