Configuring STS Role Authentication Using an Admin Account ARN

You can configure STS role authentication using an admin account ARN.

Procedure

  1. Log on to the AWS console, using the admin account.

  2. Create an IAM role to assume a role in a given account:

    1. Create the role.

      For example, create a role called vsa_assume_role.

    2. Attach to the role a policy that grants the sts:AssumeRole permission.

    3. Assign the role to the Amazon EC2 access node.

  3. Create another IAM role to define a set of permissions for making AWS service requests:

    1. Create the role.

      For example, create a role called vsa_role.

    2. Attach the policy that is required for backups and restores.

  4. Download the amazon_restricted_role_permissions.json file, and attach it to the policy that is required for backups and restores.

  5. To the role that you created in step 3, add the admin account ID (Self) as a trusted entity.
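The two policy documents this procedure produces, written out as an added example (not code from the original page or the vendor) with a small check for over-broad grants. The account ID 111122223333 is a constructed placeholder, and scoping the sts:AssumeRole permission to the single vsa_role ARN is a least-privilege assumption that the procedure itself does not state.

```python
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder for the admin account ID
TARGET_ROLE = "vsa_role"     # example role name from step 3

def assume_role_policy(account_id, role_name):
    """Permissions policy for vsa_assume_role (step 2), scoped to one role (assumption)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
        }],
    }

def trust_policy(account_id):
    """Trust policy for vsa_role (step 5): the admin account itself is the trusted entity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return findings for Allow statements on sts:AssumeRole that use wildcards."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        if any("*" in r for r in as_list(stmt.get("Resource", []))):
            findings.append("wildcard Resource on sts:AssumeRole")
        principal = stmt.get("Principal")
        aws = [principal] if isinstance(principal, str) else as_list((principal or {}).get("AWS", []))
        if "*" in aws:
            findings.append("wildcard Principal in trust policy")
    return findings

if __name__ == "__main__":
    for doc in (assume_role_policy(ACCOUNT_ID, TARGET_ROLE), trust_policy(ACCOUNT_ID)):
        print(json.dumps(doc, indent=2), audit(doc))
```

The same audit function can be run over policy JSON exported from the console before the role ARN is handed to the hypervisor configuration.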


What to Do Next

When you create an Amazon EC2 hypervisor, specify the admin account role ARN for the role that you created above in step 3 (for example, vsa_role).
