Configuring Security Token Service (STS) Role Authentication Using an Admin Account Access Resource Name (ARN)

You can configure STS role authentication using an admin account ARN.

Procedure

1. Log on to the AWS console, using the admin account.

2. Create an IAM role to assume a role in a given account:

   1. Create the role.

      For example, create a role called vsa_assume_role.

   2. To the role, attach a policy that has the sts:AssumeRole permissions.

   3. Assign the role to the VSA access node.

3. Create another IAM role to define a set of permissions for making AWS service requests:

   1. Create the role.

      For example, create a role called vsa_role.

   2. Attach the policy that is required for backups and restores.

4. Download the amazon_restricted_role_permissions.json file, and attach it to the policy that is required for backups and restores.

5. To the role that you created in step 3, add the admin account ID (Self) as a trusted entity.

   

What to Do Next

When you add an Amazon hypervisor, specify the admin account role ARN for the role created in step 3a (for example, vsa_role).

Related Topics

• For instructions about adding an Amazon hypervisor, see Adding an Amazon Hypervisor.

• For more information about assigning Amazon user permissions by creating a policy, see Overview of IAM Policies on the AWS documentation site.

• For more information about editing trust relationships, see Modifying a Role Trust Policy Modifying a Role Trust Policy on the AWS documentation site.