8.9 Creating an IAM Policy and Assigning an IAM User to the Policy

To migrate workloads to AWS with PlateSpin Migrate, you need an AWS Identity and Access Management (IAM) user in your AWS account that is assigned an IAM policy granting the permissions required to perform migrations into the target AWS VPC. You also need the AWS Access Key and AWS Secret Access Key for this user. Treat these credentials as secrets: anyone who holds them can exercise every permission in the policy.

You can create the IAM policy in either of the following ways:

  • Section 8.9.1, Using the AWS Role Tool to Create a New IAM Policy

  • Section 8.9.2, Using the AWS Management Console to Create an IAM Policy

8.9.1 Using the AWS Role Tool to Create a New IAM Policy

PlateSpin Migrate provides an AWS Role Tool (AWSRoleTool.exe) that lets an administrative user create a new IAM policy based on a default policy (PolicyJSON.txt) that PlateSpin Migrate defines, and assign an IAM user (an existing user or a new one) to that policy. The AWS Role Tool (AWSRoleTool.exe) is included in the Migrate-Install-folder\PlateSpin Migrate Server\bin\AWSRolesTool directory.

By default, the PolicyJSON.txt file that PlateSpin Migrate defines contains the minimum permissions required for an IAM user to migrate workloads to AWS with PlateSpin Migrate. For information about the minimum permissions defined for an IAM user in the default policy, see Section 8.9.3, Defining Minimum Permissions for an IAM User.

When you use the AWS Role Tool to create a new policy, the new policy is created as a replica of this default policy and has all the permissions that are listed in the default policy. You can instead create a policy with a different set of permissions: edit the PolicyJSON.txt file so that it lists only the permissions you want in the new policy, and then run the tool to create the policy. Because the default file lists the minimum permissions, removing a permission that a migration needs causes that migration to fail at the corresponding AWS API call, so test a trimmed policy against a non-production workload before relying on it.

NOTE: If you have edited the PolicyJSON.txt file and want to restore the default policy that PlateSpin Migrate defines, delete the edited PolicyJSON.txt file. The PolicyJSON.txt file is recreated with the default permissions in the Migrate-Install-folder\PlateSpin Migrate Server\bin\AWSRolesTool directory when the AWS Role Tool runs.

  1. Log in as an Administrator on your PlateSpin Migrate Server host.

  2. Open a command prompt and navigate to the location that has the AWS role tool, and run the following command:

    AWSRoleTool.exe

    NOTE: If the default policy (PolicyJSON.txt) is not available in the Migrate-Install-folder\PlateSpin Migrate Server\bin\AWSRolesTool directory, the tool recreates the PolicyJSON.txt file with the default permissions that PlateSpin Migrate recommends.

  3. Enter the AWS Access Key and AWS Secret Access Key of an AWS user who has permissions to create IAM policies and users. These administrative credentials are needed only for this bootstrap step; when you later configure the AWS target in PlateSpin Migrate, use the more limited credentials of the user created in Step 5, not these.

  4. Enter a name for the AWS policy you want to create.

  5. Enter the name of a new or an existing user to whom you want to assign this policy. The tool creates the new policy as a replica of the PolicyJSON.txt file, attaches the policy to the specified user, and generates the Access Key and Secret Access Key credentials for the user.

  6. You can choose to save the credentials to a file or display the credentials in the command prompt:

    • To save the credentials to a file, enter y. The path of the file that contains the credentials is displayed. The file contains the Secret Access Key, so restrict its file permissions to the account that needs it and delete it once the credentials have been entered in PlateSpin Migrate.

    • To display the credentials in the command prompt, enter n and record the displayed credentials. The Secret Access Key is shown only at this point and cannot be retrieved from AWS later; if it is lost, a new access key must be created for the user.

  7. (Optional) To restore the default policy that PlateSpin Migrate defines, delete the edited PolicyJSON.txt file and run the AWS Role Tool to recreate the PolicyJSON.txt file with the default permissions.

8.9.2 Using the AWS Management Console to Create an IAM Policy

You can use the AWS Management Console to create or edit an IAM policy and define user permissions by assigning the user to a policy. See Creating IAM Policies.

PlateSpin Migrate provides a default policy (PolicyJSON.txt) that contains the minimum permissions required for an IAM user to migrate workloads to AWS with PlateSpin Migrate. For information about the minimum permissions defined for an IAM user in the default policy file, see Section 8.9.3, Defining Minimum Permissions for an IAM User.

You can use the AWS Management Console to create a new policy with the recommended permissions included in this default policy: paste the contents of PolicyJSON.txt into the JSON editor when creating the policy, then attach the policy to the IAM user and create an access key for that user.
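The same sequence that the AWS Role Tool performs in Steps 3 to 6 of Section 8.9.1 (create the policy, create the user if needed, attach the policy, create one access key) can be scripted against the IAM API instead of the console. The following is an added example and is not PlateSpin Migrate's own code: it uses the boto3 IAM client call names and response shapes (create_policy, get_user, create_user, attach_user_policy, create_access_key), but runs here against a constructed in-memory FakeIam so it works offline; the policy excerpt, user name, policy name and account ID are placeholders. For a real run, replace FakeIam with boto3.client("iam") authenticated with the administrative key from Step 3.

```python
import json
import os
import stat
import tempfile

# Policy document to upload. In practice: json.load(open("PolicyJSON.txt")).
# This constructed excerpt keeps only two of the default policy's statements.
POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"], "Resource": "*"},
        {"Sid": "VisualEditor5", "Effect": "Allow",
         "Action": "ec2:DeleteVolume", "Resource": "arn:aws:ec2:*:*:volume/*"},
    ],
}


def provision_migrate_user(iam, policy_name, user_name, policy_document):
    """Create the customer managed policy, create the user only if it does not
    already exist, attach the policy, and mint exactly one access key."""
    policy_arn = iam.create_policy(
        PolicyName=policy_name, PolicyDocument=json.dumps(policy_document)
    )["Policy"]["Arn"]
    try:
        iam.get_user(UserName=user_name)           # existing user: reuse it
    except iam.exceptions.NoSuchEntityException:
        iam.create_user(UserName=user_name)        # new user: create it
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return policy_arn, key["AccessKeyId"], key["SecretAccessKey"]


def write_credentials_file(path, access_key_id, secret_access_key):
    """Save the key pair (the tool's 'enter y' option): file is created
    owner read/write only and an existing file is never silently overwritten."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"aws_access_key_id = {access_key_id}\n")
        f.write(f"aws_secret_access_key = {secret_access_key}\n")
    return stat.S_IMODE(os.stat(path).st_mode)


class FakeIam:
    """Offline stand-in for boto3.client('iam'), constructed for this example.
    It mimics the response shapes of the real calls and records the call order."""

    class exceptions:                              # boto3 exposes errors as client.exceptions.X
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, existing_users=()):
        self.users = set(existing_users)
        self.calls = []

    def create_policy(self, PolicyName, PolicyDocument):
        json.loads(PolicyDocument)                 # the real service rejects malformed JSON too
        self.calls.append(("create_policy", PolicyName))
        return {"Policy": {"Arn": f"arn:aws:iam::123456789012:policy/{PolicyName}"}}

    def get_user(self, UserName):
        if UserName not in self.users:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"User": {"UserName": UserName}}

    def create_user(self, UserName):
        self.users.add(UserName)
        self.calls.append(("create_user", UserName))
        return {"User": {"UserName": UserName}}

    def attach_user_policy(self, UserName, PolicyArn):
        self.calls.append(("attach_user_policy", UserName, PolicyArn))
        return {}

    def create_access_key(self, UserName):
        self.calls.append(("create_access_key", UserName))
        return {"AccessKey": {"AccessKeyId": "AKIAEXAMPLE0000000000",      # placeholder values
                              "SecretAccessKey": "example-secret-not-a-real-key"}}


def run_demo(user_exists=False):
    """Provision against the fake client and save the key to a temp file.
    Returns what an operator would check; the secret itself is deliberately not returned."""
    iam = FakeIam(existing_users=["migrate-user"] if user_exists else [])
    arn, key_id, secret = provision_migrate_user(
        iam, "PlateSpinMigratePolicy", "migrate-user", POLICY_DOCUMENT)
    path = os.path.join(tempfile.mkdtemp(), "migrate-user.credentials")
    mode = write_credentials_file(path, key_id, secret)
    return {"policy_arn": arn, "calls": iam.calls, "file_mode": mode,
            "access_key_id": key_id, "credentials_file": path}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two choices worth noting: the user is looked up with get_user before create_user so that rerunning the script against an existing user attaches the policy without error, and the credentials file is opened with O_EXCL and mode 0600 so that a stale file is not overwritten and the Secret Access Key is readable only by the account that created it.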

8.9.3 Defining Minimum Permissions for an IAM User

PlateSpin Migrate provides a PolicyJSON.txt file that by default contains the minimum permissions required for an IAM user to migrate workloads to AWS with PlateSpin Migrate. When you use the AWS Role Tool to create a new policy, the new policy is created as a replica of this default policy and has all the permissions that are listed in the default policy.

The Resource ARNs in the file use wildcards for the region and account ID (for example, arn:aws:ec2:*:*:instance/*), so the policy applies in every region of the account; the image and snapshot ARNs have an empty account field because AMIs and snapshots can be owned by AWS or by another account. The Describe and List actions in the VisualEditor1 statement use Resource "*" because most ec2:Describe* actions do not support resource-level permissions. If you narrow the ARNs to the target region or account, verify that migrations still succeed before using the policy in production.

The contents of the PolicyJSON.txt file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:DeleteTags",
                "ec2:StartInstances",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "kms:DescribeKey",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*::image/*",
                "arn:aws:kms:*:*:key/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DeregisterImage",
                "ec2:DeleteSnapshot",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:CreateImage",
                "iam:ListRoles",
                "ec2:DescribeSnapshots",
                "ec2:DescribePlacementGroups",
                "pricing:GetProducts",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeHosts",
                "ec2:DescribeImages",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "kms:ListAliases",
                "ec2:DescribeVolumes",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeReservedInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "ec2:CreateVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:kms:*:*:key/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "kms:CreateGrant"
            ],
            "Resource": [
                "arn:aws:kms:*:*:key/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ]
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "ec2:DetachVolume",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ]
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": "ec2:DeleteVolume",
            "Resource": "arn:aws:ec2:*:*:volume/*"
        },
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:launch-template/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*::image/*"
            ]
        }
    ]
}
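When you edit PolicyJSON.txt (Section 8.9.1) it is easy to drop a permission the migration needs or, worse, to widen the grant while trying to simplify it. The following is an added example, not part of PlateSpin Migrate, that audits a customised policy against the default one: it reports which actions were removed, which were added, any wildcard actions such as ec2:*, and any statement that grants a non-read action on Resource "*". It also shows how to pin the default policy's wildcard-region ARNs to one region and account while leaving the empty-account image and snapshot ARNs and the Resource "*" statements untouched. The DEFAULT_POLICY and CUSTOM_POLICY values are constructed excerpts of the file above, and the region and account ID are placeholders; load_policy_file reads the real file. The action comparison is literal, which is why wildcard actions are reported separately.

```python
import copy
import json
import re

READ_ONLY = ("Describe", "List", "Get")

# Constructed excerpt of the default PolicyJSON.txt (three of its statements).
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:RunInstances", "ec2:CreateTags", "kms:DescribeKey"],
         "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*::image/*", "arn:aws:kms:*:*:key/*"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:ModifyInstanceAttribute"],
         "Resource": "*"},
        {"Sid": "VisualEditor5", "Effect": "Allow",
         "Action": "ec2:DeleteVolume", "Resource": "arn:aws:ec2:*:*:volume/*"},
    ],
}

# Constructed "edited" file: TerminateInstances dropped, but a broad ec2:* statement added.
CUSTOM_POLICY = copy.deepcopy(DEFAULT_POLICY)
CUSTOM_POLICY["Statement"][0]["Action"].remove("ec2:TerminateInstances")
CUSTOM_POLICY["Statement"].append(
    {"Sid": "Custom0", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"})


def load_policy_file(path):
    """Read PolicyJSON.txt (or any IAM policy document) into a dict."""
    with open(path, encoding="utf-8-sig") as f:    # tolerate a UTF-8 BOM from Windows editors
        return json.load(f)


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy):
    """Set of actions granted by all Allow statements."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def audit_policy(default, custom):
    """Compare an edited PolicyJSON.txt with the default one (literal action names)."""
    base, cust = allowed_actions(default), allowed_actions(custom)
    result = {
        "removed": sorted(base - cust),                  # expected when trimming
        "added": sorted(cust - base),                    # should normally be empty
        "wildcard_actions": sorted(a for a in cust if "*" in a),
        "broad_statements": [],                          # non-read action on Resource "*"
    }
    for stmt in custom["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "*" in _as_list(stmt.get("Resource", [])) and any(
                not a.split(":", 1)[-1].startswith(READ_ONLY) for a in actions):
            result["broad_statements"].append(stmt.get("Sid", "<no Sid>"))
    return result


# Matches the default file's wildcard-region ARNs; the account field is "*" or empty.
ARN_RE = re.compile(r"^arn:aws:(?P<svc>ec2|kms):\*:(?P<acct>\*|):(?P<rest>.+)$")


def scope_arn(arn, region, account_id):
    """Pin a wildcard-region ARN to one region and account. An empty account field
    (images, snapshots) stays empty; "*" and already scoped ARNs are returned unchanged."""
    m = ARN_RE.match(arn)
    if not m:
        return arn
    acct = account_id if m.group("acct") == "*" else ""
    return f"arn:aws:{m.group('svc')}:{region}:{acct}:{m.group('rest')}"


def scope_policy(policy, region, account_id):
    """Return a copy of the policy with every scopable Resource ARN pinned."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        res = stmt.get("Resource")
        if isinstance(res, str):
            stmt["Resource"] = scope_arn(res, region, account_id)
        elif res:
            stmt["Resource"] = [scope_arn(r, region, account_id) for r in res]
    return scoped


if __name__ == "__main__":
    print(json.dumps(audit_policy(DEFAULT_POLICY, CUSTOM_POLICY), indent=2))
    print(json.dumps(scope_policy(DEFAULT_POLICY, "us-east-1", "123456789012"), indent=2))
```

On the page's full default file, audit_policy reports VisualEditor1 as a broad statement because ec2:ModifyInstanceAttribute shares Resource "*" with the Describe actions; that is a prompt to review, not a defect in itself, since the statement is part of the documented minimum set. Pin the region to the one your target VPC is in, and keep the original wildcard file if you migrate into more than one region.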