Prepare AWS Account - Provisioning Your Account with required Nucleator IAM Roles

How to ask Nucleator to help you install the required IAM Roles using your IAM User Credentials, so that Nucleator can work securely on your behalf while provisioning and configuring Cages and Stacksets. This page also covers how, when and why you use IAM User Credentials with Nucleator.
  • List and review Roles and Policies required for your Stacksets
  • Provision Roles in each Account where you would like Nucleator to work on your behalf
  • Validate that Nucleator can use the provisioned Roles in each target Account

List and Review Roles and Policies Required for your Stacksets

In order to securely interact with your AWS account, each Nucleator Stackset requires that a set of IAM Roles that the Stackset defines exist within your Account with specific Security Policies.  These Roles provide the minimal set of permissions that the Stackset requires to function as intended.  You can review each Role and its required Policies prior to creating the Roles within your Account. The Nucleator CLI can generate a list of all of the Roles expected by the Stacksets that you have installed.

Review Roles specified by your installed Stacksets

  • Review the list of roles:
nucleator account rolespec list
  • Review the detailed policy for a specified role:
nucleator account rolespec list --rolename <rolename>

Nucleator Stacksets include independent Roles for each Operation undertaken by the Stackset.  The policies for each of these Roles are minimally permissive and cover only those permissions required to undertake the corresponding Operation for that Stackset.  For example, the beanstalk Stackset includes distinct Roles for:

If you would like to preclude Nucleator from certain operations (e.g. delete), you can elect not to provision the corresponding Roles within your Account.

Provision Roles in Each Account Where You Would Like Nucleator to Work on Your Behalf

Nucleator can use IAM User Credentials that you provide to provision the Roles and Policies described by nucleator account rolespec list within your AWS Account.  The IAM User Credentials need to provide only the limited set of IAM permissions that are required to create the Roles and Policies.  Previously these permissions were granted to an IAM User NucleatorUser as described in Establish IAM Users and Minimal Configuration in New AWS Account.  You provide the IAM User Credentials in the customer credentials file within your Nucleator config.

For Nucleator Stacksets to function as intended, you must provision all of the Roles specified by a Stackset in each Account where that Stackset will be used.

While it is convenient to use Nucleator to provision the required Roles on your behalf, you can also create each required Role manually using the AWS Management Console.

Provision Roles specified by your currently installed Stacksets

  • For each Account, for each Customer where you intend to use Nucleator Stacksets:
nucleator account rolespec provision --account <account_friendly_name> --customer <customer_name>

Validate That Nucleator Can Use the Provisioned Roles in Each Target Account

Nucleator uses trust policies specified in the Nucleator Roles to enable seamless cross-Account operations by a trusted Principal in a specified "control" Account. This Principal is trusted by Nucleator Roles that require cross-Account access, in each of a Customer's Accounts where those Roles have been provisioned.  Nucleator defines a NucleatorAgent Role that acts as this trusted Principal.  Nucleator Roles trust the NucleatorAgent Principal in the Account that has been configured to contain a Customer's build Cage.

While nothing in Nucleator's design for cross-Account operations would preclude it, Nucleator does not currently support cross-Account operations that span different Nucleator Customers. That is, it is not currently possible to use Nucleator config to specify one Customer's intent to trust a NucleatorAgent Principal that is provisioned in a different Customer's Account.  Cross-Account operations are supported for all Accounts associated with a single Nucleator Customer.

Nucleator performs cross-Account Operations by assuming each of the Roles specified by the Nucleator Stacksets.

To ensure that Roles have been provisioned correctly, Nucleator can validate its ability to assume each of the IAM Roles specified by each of the currently installed Stacksets.  Nucleator must be able to assume each of these Roles in each of the Accounts that are specified in the Customer's configuration.

Validate Nucleator's ability to assume Roles

  • Validate all specified Roles in all of a Customer's configured Accounts:
nucleator account rolespec validate --customer 47lining


Nucleator can validate Roles for all of a specified Customer's Accounts, or just a specified Account.  If no Account is specified as a filter, Nucleator validates all Accounts within the specified Customer's configuration.

nucleator account rolespec validate --account test1 --customer 47lining


Nucleator can validate all of the Roles for all of the Nucleator commands that are currently installed, or just the Roles for a specified command.  If no command is specified as a filter, Nucleator validates all commands that are currently installed.

nucleator account rolespec validate --command redshift --customer 47lining


Nucleator can also validate just a specific role name.

nucleator account rolespec validate --rolename BeanstalkServiceRunner --customer 47lining
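The trust relationship and the validation filters described above, as an added example that is not Nucleator's own code: a Python model of the trust policy a Nucleator Role needs so that the NucleatorAgent Principal in the build Cage Account can assume it, plus an offline check that mirrors the --account, --command and --rolename filters. The Stackset names, Role names, Account ids and the per-Account policy documents below are constructed for illustration and do not come from Nucleator's real rolespecs; the real nucleator account rolespec validate proves assumability by calling STS, whereas this check inspects trust policy documents you have already retrieved, so it needs no credentials. It also shows what an operator who opted out of a delete Role (by not provisioning it) sees in the report, and flags a trust policy that has drifted to a wildcard Principal.

```python
import json
from typing import Dict, List, Optional

# Constructed sample (not Nucleator's real rolespecs): each Stackset ("command")
# defines one Role per Operation it performs.
ROLESPECS: Dict[str, List[str]] = {
    "beanstalk": ["BeanstalkProvisioner", "BeanstalkServiceRunner", "BeanstalkDeleter"],
    "redshift": ["RedshiftProvisioner", "RedshiftDeleter"],
}

AGENT_ROLE = "NucleatorAgent"


def agent_principal_arn(control_account_id: str) -> str:
    """ARN of the NucleatorAgent Role in the control Account (the one holding the build Cage)."""
    return f"arn:aws:iam::{control_account_id}:role/{AGENT_ROLE}"


def trust_policy(control_account_id: str) -> dict:
    """Trust policy that lets only the NucleatorAgent Principal assume the Role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": agent_principal_arn(control_account_id)},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value or [])


def _principals(stmt: dict) -> List[str]:
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def check_trust(policy: dict, principal_arn: str) -> str:
    """Classify a trust policy with respect to one principal:
      "ok"        - an Allow statement names principal_arn for sts:AssumeRole
      "wildcard"  - an Allow statement grants sts:AssumeRole to "*" (any AWS principal)
      "untrusted" - nothing allows principal_arn, or an explicit Deny blocks it
    Only the Principal.AWS / "*" forms and the sts:AssumeRole action are modelled."""
    stmts = [s for s in policy.get("Statement", []) if "sts:AssumeRole" in _as_list(s.get("Action"))]
    if any(s.get("Effect") == "Deny" and (principal_arn in _principals(s) or "*" in _principals(s)) for s in stmts):
        return "untrusted"  # an explicit Deny always wins over Allow
    if any(s.get("Effect") == "Allow" and "*" in _principals(s) for s in stmts):
        return "wildcard"
    if any(s.get("Effect") == "Allow" and principal_arn in _principals(s) for s in stmts):
        return "ok"
    return "untrusted"


def validate(accounts: Dict[str, Dict[str, dict]], control_account_id: str,
             rolespecs: Dict[str, List[str]] = ROLESPECS,
             account: Optional[str] = None, command: Optional[str] = None,
             rolename: Optional[str] = None) -> List[str]:
    """Offline counterpart of `rolespec validate`: accounts maps an Account friendly name to
    {Role name -> trust policy as provisioned}. Filters mirror --account/--command/--rolename.
    Returns a list of problems; an empty list means every selected Role validates."""
    expected = agent_principal_arn(control_account_id)
    wanted = [r for cmd, roles in rolespecs.items() if command is None or cmd == command
              for r in roles if rolename is None or r == rolename]
    problems: List[str] = []
    for acct_name, provisioned in accounts.items():
        if account is not None and acct_name != account:
            continue
        for role in wanted:
            policy = provisioned.get(role)
            if policy is None:
                problems.append(f"{acct_name}: role {role} is not provisioned")
                continue
            status = check_trust(policy, expected)
            if status == "wildcard":
                problems.append(f"{acct_name}: role {role} trusts any AWS principal ('*')")
            elif status != "ok":
                problems.append(f"{acct_name}: role {role} does not trust {expected}")
    return problems


# Constructed Accounts for one Customer: "build" holds the build Cage (control Account).
CONTROL_ACCOUNT = "111111111111"
GOOD = trust_policy(CONTROL_ACCOUNT)
STALE = trust_policy("999999999999")  # trusts an agent in a different Account
WILDCARD = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
ACCOUNTS: Dict[str, Dict[str, dict]] = {
    "build": {r: GOOD for roles in ROLESPECS.values() for r in roles},
    "test1": {
        "BeanstalkProvisioner": GOOD,
        "BeanstalkServiceRunner": STALE,
        # BeanstalkDeleter deliberately not provisioned: operator opted out of delete
        "RedshiftProvisioner": GOOD,
        "RedshiftDeleter": WILDCARD,
    },
}

if __name__ == "__main__":
    print(json.dumps(trust_policy(CONTROL_ACCOUNT), indent=2))
    for problem in validate(ACCOUNTS, CONTROL_ACCOUNT):
        print("FAIL", problem)
```

Run as a script it prints the expected trust policy and three findings for test1: BeanstalkServiceRunner trusts the wrong agent, BeanstalkDeleter is absent (which is the intended outcome of opting out of delete, so it is reported rather than silently skipped), and RedshiftDeleter trusts any AWS principal. The wildcard case is the one to treat as urgent: it undoes the per-Operation least-privilege design, because any AWS Principal, not just the NucleatorAgent in the build Cage Account, could assume the Role.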
Next: Prepare AWS Account - Use Nucleator to Automatically Create Prerequisite AWS Resources in Account

