Deploy roles using an AWS CloudFormation template
See Create roles manually if you prefer to set up these permissions by hand instead of using the template.
- 
                    To configure the required IAM roles and policies, replace the parameters described below, then save the following AWS CloudFormation JSON template to a text file called aws-mgn-connector-iam-principals.json on your local system:
- 
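                                Replace every occurrence of the example account number 111122223333 with your account number. It appears in the trust policy principal of MGNConnectorInstallerRole and in the name of the sharing role that the management role is allowed to assume. 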
- 
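                                Replace ROLE-NAME with the user role that serves as the trusted entity. This user role assumes the MGNConnectorInstallerRole role and can install the connector. Because the template writes the principal as arn:aws:iam::111122223333:ROLE-NAME, the value you substitute must include the IAM resource-type prefix (for example, role/ followed by the role name) so that the result is a valid principal ARN. Any principal that can assume MGNConnectorInstallerRole can create connectors, so name only the specific role that performs the installation. 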
- 
                                Replace each occurrence of the example Region us-east-2 with the Region of the account. It appears in the S3 resource ARNs of the s3:GetObject statement. 
- 
                                Replace LOGS-BUCKET with the name of the S3 bucket that receives logs. If you have not configured log output to S3, remove the s3:PutObject statement from the policy instead of leaving the placeholder in place. 
 { "AWSTemplateFormatVersion": "2010-09-09", "Description": "IAM Roles for AWS Application Migration Connector", "Resources": { "MGNConnectorInstallerRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:ROLE-NAME" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyName": "MGNConnectorInstallerPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "mgn:TagResource", "Resource": "arn:aws:mgn:*:*:connector/*", "Condition": { "StringEquals": { "mgn:CreateAction": "CreateConnector" } } }, { "Effect": "Allow", "Action": "mgn:CreateConnector", "Resource": "*" } ] } } ] } }, "AWSApplicationMigrationConnectorManagementRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" ], "Policies": [ { "PolicyName": "MgnConnectorPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "*" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-application-migration-service-us-east-2/latest/source-automation-client/linux/ssaf-client/ssaf_client", "arn:aws:s3:::us-east-2/*" ], "Effect": "Allow" }, { "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::LOGS-BUCKET/*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_111122223333" }, { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Condition": { "Null": { 
"aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" } } } ] } } ] } } } }
- 
                                
- 
                Create a stack: