Overlay IP with shared Amazon VPC - SAP HANA on AWS

Overlay IP with shared Amazon VPC

Using the overlay IP agent with a shared Amazon VPC requires a different set of IAM permissions, granted in both AWS accounts (the account sharing the Amazon VPC and the consumer account). The cluster resource agent aws-vpc-move-ip also uses a different configuration syntax in this setup.

Overlay IP address

Create an overlay IP address in the Amazon VPC route table that is used by the Amazon VPC subnets, so that it is reachable by the cluster. This route must be created in the AWS account that shares the Amazon VPC.

IAM roles and policies

Amazon VPC account

Create an IAM role to delegate permissions to the Amazon EC2 instances that will be a part of the cluster. When creating the IAM role, select Another AWS account for the type of trusted entity and enter the AWS Account ID where the Amazon EC2 instances will be deployed.

Create the following IAM policy on the Amazon VPC account and attach it to the IAM role. Add or remove route table entries as needed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:ReplaceRoute",
            "Resource": [
                "arn:aws:ec2:<AWS Region>:<VPC-Account-Number>:route-table/rtb-xxxxxxxxxxxxxxxxx",
                "arn:aws:ec2:<AWS Region>:<VPC-Account-Number>:route-table/rtb-xxxxxxxxxxxxxxxxx"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeRouteTables",
            "Resource": "*"
        }
    ]
}

Cluster account

Create a new IAM role and select Amazon EC2 as the use case. Associate this IAM role with the two Amazon EC2 instances that are part of the cluster. Attach the following IAM policies (AWS STS and STONITH) to the IAM role.

AWS STS policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<VPC-Account-Number>:role/<Sharing-VPC-Account-Cluster-Role>"
        }
    ]
}

Replace VPC-Account-Number with the AWS account number of the account that owns the Amazon VPC. Replace Sharing-VPC-Account-Cluster-Role with the name of the IAM role created in the AWS account that owns the Amazon VPC.

STONITH policy

Both cluster instances require permission to start and stop the other node in the cluster. Create the following STONITH policy and attach it to the IAM role that is assigned to both cluster instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyInstanceAttribute",
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws:ec2:<Region-name>:<account-id>:instance/<instance-id>",
                "arn:aws:ec2:<Region-name>:<account-id>:instance/<instance-id>"
            ]
        }
    ]
}

Replace Region-name, account-id, and instance-id with the appropriate values.
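The policies above are templates, and the usual mistakes when filling them in are leaving a `<...>` placeholder behind, introducing a stray space in an ARN, or widening a state-changing action (ec2:ReplaceRoute, ec2:StopInstances, sts:AssumeRole) to `"Resource": "*"`. The following script is an added example, not part of the AWS documentation, that lints policy documents for exactly those defects, checks that the cluster-account STS policy points only at a role in the VPC-owning account, and generates the trust policy for the VPC-account role (the "Another AWS account" trusted entity chosen in the console). All account numbers, the region, the route table ids and the role name are constructed placeholders.

```python
"""Lint the IAM policy documents used for the shared-VPC overlay IP setup.

Added example, not from the AWS documentation. Account ids, region and
resource ids below are constructed placeholders.
"""
import json
import re

VPC_ACCOUNT = "111111111111"      # constructed: account that owns the shared VPC
CLUSTER_ACCOUNT = "222222222222"  # constructed: account running the EC2 cluster nodes
REGION = "eu-central-1"           # constructed

# State-changing actions used by the page's policies; none should be allowed on "*".
MUTATING_ACTIONS = {
    "ec2:ReplaceRoute", "ec2:ModifyInstanceAttribute", "ec2:RebootInstances",
    "ec2:StartInstances", "ec2:StopInstances", "sts:AssumeRole",
}
# arn:aws:<service>:<region or empty>:<12-digit account>:<resource>, no whitespace
ARN_RE = re.compile(r"arn:aws:[a-z0-9-]+:[a-z0-9-]*:\d{12}:\S+")

# Constructed sample: the VPC-account route policy with placeholders filled in.
ROUTE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:ReplaceRoute",
         "Resource": [f"arn:aws:ec2:{REGION}:{VPC_ACCOUNT}:route-table/rtb-0123456789abcdef0",
                      f"arn:aws:ec2:{REGION}:{VPC_ACCOUNT}:route-table/rtb-0fedcba9876543210"]},
        {"Effect": "Allow", "Action": "ec2:DescribeRouteTables", "Resource": "*"},
    ],
}

# Constructed sample: the cluster-account STS policy (role name is hypothetical).
STS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": f"arn:aws:iam::{VPC_ACCOUNT}:role/hana-cluster-route-role"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy(cluster_account_id):
    """Trust policy for the VPC-account role: trusted entity is 'Another AWS account'."""
    if not re.fullmatch(r"\d{12}", cluster_account_id):
        raise ValueError("AWS account id must be exactly 12 digits")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{cluster_account_id}:root"},
                           "Action": "sts:AssumeRole"}]}

def overbroad_grants(policy):
    """(action, resource) pairs where a mutating or wildcard action is allowed on '*'."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            wildcard_action = action == "*" or action.endswith(":*")
            for res in _as_list(stmt.get("Resource", [])):
                if res == "*" and (wildcard_action or action in MUTATING_ACTIONS):
                    findings.append((action, res))
    return findings

def malformed_resources(policy):
    """Resource strings that are neither '*' nor a well-formed ARN (catches stray spaces)."""
    return [res for stmt in policy.get("Statement", [])
            for res in _as_list(stmt.get("Resource", []))
            if res != "*" and not ARN_RE.fullmatch(res)]

def unfilled_placeholders(policy):
    """Any '<...>' tokens left over from the documentation templates."""
    return sorted(set(re.findall(r"<[^>]+>", json.dumps(policy))))

def sts_target_accounts(policy):
    """Account ids of the roles that an sts:AssumeRole statement permits assuming."""
    accounts = set()
    for stmt in policy.get("Statement", []):
        if "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            for res in _as_list(stmt.get("Resource", [])):
                m = re.fullmatch(r"arn:aws:iam::(\d{12}):role/.+", res)
                if m:
                    accounts.add(m.group(1))
    return accounts

def check_setup(route_policy, sts_policy, vpc_account):
    """Aggregate check over both accounts' policies; returns problems (empty list = OK)."""
    problems = []
    for name, pol in (("route", route_policy), ("sts", sts_policy)):
        problems += [f"{name}: overbroad {a} on {r}" for a, r in overbroad_grants(pol)]
        problems += [f"{name}: malformed resource {r!r}" for r in malformed_resources(pol)]
        problems += [f"{name}: unfilled placeholder {p}" for p in unfilled_placeholders(pol)]
    if sts_target_accounts(sts_policy) != {vpc_account}:
        problems.append("sts: AssumeRole target is not exactly the VPC-owning account")
    return problems

if __name__ == "__main__":
    print(json.dumps(trust_policy(CLUSTER_ACCOUNT), indent=2))
    print(check_setup(ROUTE_POLICY, STS_POLICY, VPC_ACCOUNT) or "policies look consistent")
```

Run it against the JSON you are about to attach (load each file with `json.load` and pass it to `check_setup`); an empty result means the placeholders are filled, every ARN parses, no state-changing action is granted on `*`, and the cluster nodes can only assume the one role in the account that owns the VPC. The read-only Describe actions on `*` are accepted because the agent has to enumerate route tables and instances before it can act on them.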