Deploy permissions using a AWS CloudFormation template

Alternatively, see the previous section to deploy these permissions manually.

To configure the required IAM roles and policies, after replacing the described parameters, save the following AWS CloudFormation JSON template to a text file called aws-mgn-connector-iam-principals.json on your local system:

Replace ACCOUNT-ID with your account number.
Replace ROLE-NAME with the user role that serves as the trusted entity to assume MGNConnectorInstallerRole role and install the connector.
Replace AWS_REGION with the connector region.
Replace LOGS-BUCKET with S3 logs bucket name. Remove the relevant item from the statement if you have not set up outputting logs to S3.

JSON


{
    "Resources": {
        "MGNConnectorInstallerRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "arn:aws:iam::ACCOUNT-ID:ROLE-NAME"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "Policies": [
                    {
                        "PolicyName": "MGNConnectorInstallerPolicy",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "mgn:TagResource",
                                    "Resource": "arn:aws:mgn:*:*:connector/*",
                                    "Condition": {
                                        "StringEquals": {
                                            "mgn:CreateAction": "CreateConnector"
                                        }
                                    }
                                },
                                {
                                    "Effect": "Allow",
                                    "Action": "mgn:CreateConnector",
                                    "Resource": "*"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        "AWSApplicationMigrationConnectorManagementRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "ssm.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
                ],
                "Policies": [
                    {
                        "PolicyName": "MgnConnectorPolicy",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": [
                                        "logs:CreateLogGroup",
                                        "logs:CreateLogStream",
                                        "logs:DescribeLogGroups",
                                        "logs:DescribeLogStreams",
                                        "logs:PutLogEvents"
                                    ],
                                    "Resource": "*"
                                },
                                {
                                    "Action": [
                                        "s3:GetObject"
                                    ],
                                    "Resource": [
                                        "arn:aws:s3:::aws-application-migration-service-AWS_REGION/latest/source-automation-client/linux/ssaf-client/ssaf_client",
                                        "arn:aws:s3:::AWS_REGION/*"
                                    ],
                                    "Effect": "Allow"
                                },
                                {
                                    "Action": [
                                        "s3:PutObject"
                                    ],
                                    "Resource": "arn:aws:s3:::LOGS-BUCKET/*",
                                    "Effect": "Allow"
                                },
                                {
                                    "Effect": "Allow",
                                    "Action": "sts:AssumeRole",
                                    "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_ACCOUNT-ID"
                                },
                                {
                                    "Effect": "Allow",
                                    "Action": "secretsmanager:GetSecretValue",
                                    "Resource": "arn:aws:secretsmanager:*:*:secret:*",
                                    "Condition": {
                                        "Null": {
                                            "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false"
                                        }
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}

Create a stack:
Via AWS CloudFormation console
Stacks → Create stack → With new resources (standard)
Under Specify template select Upload a template file
Click Choose file and select the template file aws-mgn-connector-iam-principals.json in the dialog.
Click Next.
In the following screen, choose a name for your CloudFormation stack (for example: aws-mgn-connector-iam-principals-stack) and click Next.
Click Next again.
Acknowledge the required capabilities and click on Submit.
Wait for the stack to finish creation.
Via AWS CLI
Using the following command:

aws cloudformation deploy --stack-name aws-mgn-connector-iam-principals-stack --capabilities CAPABILITY_NAMED_IAM --region <AWS_REGION> --template-file <PATH_TO_TEMPLATE_FILE>

Replace <AWS_REGION> with the AWS region you will be deploying in and <PATH_TO_TEMPLATE_FILE> with the CloudFormation template file path.
Wait for the stack to finish creation.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create permissions manually

Setup instructions