NEW - You can now accelerate your migration and modernization with AWS Transform. Read [Getting Started](https://docs.aws.amazon.com/transform/latest/userguide/getting-started.html) in the *AWS Transform User Guide*. # IAM roles needed for the MGN connector IAM roles for connector To use MGN connector you must have these required IAM roles for individual accounts and AWS Organizations networks: + **MGNConnectorInstallerRole** + **AWSApplicationMigrationConnectorManagementRole** + **AWSApplicationMigrationConnectorSharingRole\$1*management-account-id*** Needed in an individual account. Also needed in an organization, on *every* account, including the management account. **Individual account: **For an MGN connector in an individual account, create these roles as described in [Create roles manually](create-permissions-manually.md). **Multiple accounts: **If the MGN connector manages source servers from multiple accounts, set up the global view feature and set up your AWS Organization, as described in [Manage large-scale migrations with global view](global-view.md). After you set up your AWS Organization: 1. Create the MGNConnectorInstallerRole and the AWSApplicationMigrationConnectorManagementRole as described in [Create roles manually](create-permissions-manually.md). 1. Configure the CloudFormation StackSet to create the AWSApplicationMigrationConnectorSharingRole\$1*management-account-id* role per management account. Use the template "Enable Application Migration Service Connector access". Instructions are in [Deploy role using a CloudFormation template ](CloudFormation_Template.md). # Create roles manually To create permissions manually, you create the MGNConnectorInstallerRole to install the MGN Connector and the AWSApplicationMigrationConnectorManagementRole needed to enable the connector to run. The connector assumes the AWSApplicationMigrationConnectorSharingRole\$1*management-account-id* role as needed, for example, to install the replication agent on a source server. ## Create the MGNConnectorInstallerRole MGNConnectorInstallerRole The **MGNConnectorInstallerRole** role is used to install the Connector. The user or identity that installs the Connector will require permission to assume this role. To create the role: 1. Create a policy from the following JSON: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "mgn:TagResource" ], "Resource": "arn:aws:mgn:*:*:connector/*", "Effect": "Allow", "Condition": { "StringEquals": { "mgn:CreateAction": "CreateConnector" } } }, { "Action": [ "mgn:CreateConnector" ], "Resource": "*", "Effect": "Allow" } ] } ``` ------ 1. Name the policy **MGNConnectorInstallerPolicy**. 1. Create a role with your account as the trusted entity. Alternatively use a custom trust policy that will grant the user or identity that will install the Connector, permission to assume this role. 1. Attach the **MGNConnectorInstallerPolicy** policy to the Permission policies. 1. Name the role **MGNConnectorInstallerRole**. ## AWSApplicationMigrationConnectorManagementRole The **AWSApplicationMigrationConnectorManagementRole** role is the role that is initially assumed by the Connector. To create the role: 1. After replacing **ACCOUNT-ID** with your account number, and **AWS\$1REGION** with the connector region, create a policy from the following JSON: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_ACCOUNT-ID", "Effect": "Allow" }, { "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" } }, "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Effect": "Allow" }, { "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::aws-application-migration-service-AWS_REGION/latest/source-automation-client/linux/ssaf-client/ssaf_client", "arn:aws:s3:::amazon-ssm-AWS_REGION/*"], "Effect": "Allow" } ] } ``` ------ 1. If you created an S3 bucket for SSM logging, replace **LOGS-BUCKET** with the bucket name and append the following to the policy: ``` { "Action": "s3:PutObject", "Resource": "arn:aws:s3:::LOGS-BUCKET/*", "Effect": "Allow" } ``` 1. In order for the MGN connector to send logs to CloudWatch, append this statement to the policy: ``` { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "*" } ``` 1. Name the policy **MgnConnectorPolicy** 1. Create a role with the following trust relationship: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` ------ 1. Attach the following policies: 1. **AmazonSSMManagedInstanceCore** 1. **MgnConnectorPolicy** 1. Name the role **AWSApplicationMigrationConnectorManagementRole** # Deploy the AWSApplicationMigrationConnectorSharingRole\$1*management-account-id* role using a CloudFormation template Deploy role using CloudFormation template See the [Create roles manually](create-permissions-manually.md) to deploy these permissions manually. 1. To configure the required IAM roles and policies, after replacing the described parameters, save the following AWS CloudFormation JSON template to a text file called `aws-mgn-connector-iam-principals.json` on your local system: 1. Replace the example account number **111122223333** with your account number. 1. Replace **ROLE-NAME** with the user role that serves as the trusted entity. This user role assumes the **MGNConnectorInstallerRole** role and can install the connector. 1. Replace the example region **us-east-2** with the Region of the account. 1. Replace **LOGS-BUCKET** with the S3 logs bucket name. Remove the relevant item from the statement if you have not set up outputting logs to S3. ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "IAM Roles for AWS Application Migration Connector", "Resources": { "MGNConnectorInstallerRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:ROLE-NAME" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyName": "MGNConnectorInstallerPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "mgn:TagResource", "Resource": "arn:aws:mgn:*:*:connector/*", "Condition": { "StringEquals": { "mgn:CreateAction": "CreateConnector" } } }, { "Effect": "Allow", "Action": "mgn:CreateConnector", "Resource": "*" } ] } } ] } }, "AWSApplicationMigrationConnectorManagementRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" ], "Policies": [ { "PolicyName": "MgnConnectorPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "*" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-application-migration-service-us-east-2/latest/source-automation-client/linux/ssaf-client/ssaf_client", "arn:aws:s3:::us-east-2/*" ], "Effect": "Allow" }, { "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::LOGS-BUCKET/*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_111122223333" }, { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" } } } ] } } ] } } } } ``` 1. Create a stack: ------ #### [ Via AWS CloudFormation console ] 1. **Stacks → Create stack → With new resources (standard)** 1. Under **Specify template** select **Upload a template file** 1. Click **Choose file** and select the template file `aws-mgn-connector-iam-principals.json` in the dialog. 1. Click **Next**. 1. In the following screen, choose a name for your CloudFormation stack (for example: `aws-mgn-connector-iam-principals-stack`) and click **Next**. 1. Click **Next** again. 1. Acknowledge the required capabilities and click on **Submit**. 1. Wait for the stack to finish creation. ------ #### [ Via AWS CLI ] 1. Using the following command: **Example** ``` aws cloudformation deploy --stack-name aws-mgn-connector-iam-principals-stack --capabilities CAPABILITY_NAMED_IAM --region --template-file ``` 1. Replace `` with the AWS region you will be deploying in and `` with the CloudFormation template file path. 1. Wait for the stack to finish creation. ------