4.1-Creating the IAM Role
Last updated
Last updated
The first "service console" we'll open is the IAM console (IAM is in the Security, Identity, & Compliance section), which is region-agnostic.
You'll find the "Roles" option in the menu to the left :
Choose this link, then use the big blue "Create Role" button at the top, and you'll have a 4-steps process to follow...
Click :
the "AWS service" block under Select Type of trusted entity
the "EC2" block under Choose the service that will use this role
Then click the big blue "Next: Permissions" button at the bottom (to step 2)...
I already had some policies and roles defined in this account, which is why I had to blur specifics
Use the search filter box above the list of permission policies to locate and put a ✅ check mark on these 2 policies provided by AWS :
AmazonEC2FullAccess (search for "ec2fu")
AmazonS3FullAccess (search for "s3fu")
Then click the blue "Next: Tags" button at the bottom (to step 3)...
We don't need tagging, so just click the blue "Next: Review" button at the bottom (to step 4)...
Give a name to your new role (i suggest "configuration name"-ec2role as shown above) and verify you have correctly included the 2 policies.
Then hit the blue "Creale Role" button and you're done.
You have just created an IAM Role, that you'll assign to your OpenVPN server later on, so that it can access the EC2 and S3 services on your behalf at startup, without restriction.
Your server will need that to :
auto-configure itself during startup (setting network options in the EC2 service)
download configuration parameters and scripts from S3
without the need of passwords (=> 👍 safe parameter files and scripts 👍 )
Note: This IAM Role could have been defined with restricted, custom-specified permissions, both in EC2 and S3, rather than "Full Access", but that would be too complex to explain here. Also if you connect to your server in an interactive terminal, you'll be happy to have access to the full EC2 and S3 APIs from there without restriction or needing an access key or password.
