updated AWS linking steps order per their new UI (#3255)

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
Victoria Bialas 2017-05-13 21:57:04 -07:00 committed by GitHub
parent a45b42d19f
commit f578684e09
1 changed files with 18 additions and 17 deletions


@ -15,18 +15,20 @@ You can create a role with AWS IAM (Identity and Access Management) so that
Docker Cloud can provision and manage **node clusters** and **nodes** on your Docker Cloud can provision and manage **node clusters** and **nodes** on your
behalf. behalf.
[Previously](https://docs.docker.com/v1.11/docker-cloud/infrastructure/link-aws),we recommended that you create a service user that Docker Cloud would use [Previously](https://docs.docker.com/v1.11/docker-cloud/infrastructure/link-aws), we
to access your AWS account. If you used this method, you can [create a new recommended that you create a service user that Docker Cloud would use to access
role](link-aws.md#create-a-dockercloud-role-role), attach the policy you created your AWS account. If you used this method, you can [create a new
for this purpose (see <a href="https://console.aws.amazon.com/iam/home#policies" role](https://console.aws.amazon.com/iam/home#policies){: target="_blank"
target ="_blank">AWS polices</a>), unlink your AWS credentials and relink them class="_" }, attach the policy you created for this purpose (see
using the new ARN method. You can then delete the `dockercloud-user` on AWS. [https://console.aws.amazon.com/iam/home#policies](https://console.aws.amazon.com/iam/home#policies){:
target="_blank" class="_" }), unlink your AWS credentials, and relink them using
the new ARN method. You can then delete the `dockercloud-user` on AWS.
## Create a dockercloud-policy ## Create a dockercloud-policy
Create an access control policy that will grant specific privileges to Docker Cloud so it can provision EC2 resources on your behalf.  Create an access control policy that will grant specific privileges to Docker Cloud so it can provision EC2 resources on your behalf. 
1. Go to the AWS IAM panel at <a href="https://console.aws.amazon.com/iam/home#policies" target ="_blank">https://console.aws.amazon.com/iam/home#policies</a>. 1. Go to the AWS IAM panel at [https://console.aws.amazon.com/iam/home#policies](https://console.aws.amazon.com/iam/home#policies){: target="_blank" class="_"} .
2. Click **Create Policy**. 2. Click **Create Policy**.
3. On the next screen click **Create Your Own Policy**. 3. On the next screen click **Create Your Own Policy**.
4. Name the policy `dockercloud-policy` and paste the following text in the space provided for **Policy Document**. 4. Name the policy `dockercloud-policy` and paste the following text in the space provided for **Policy Document**.
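Review bot: the "create a new role" link in the rewritten paragraph now points at https://console.aws.amazon.com/iam/home#policies (the policies console), whereas the removed text linked the in-page role section `link-aws.md#create-a-dockercloud-role-role`; the same policies URL is then repeated in the "(see ...)" parenthetical right after it, so the reader loses the pointer to the "Create a dockercloud-role role" steps. Suggest restoring `[create a new role](link-aws.md#create-a-dockercloud-role-role)` and keeping the console URL only for the policy reference, and changing "AWS polices" to "AWS policies" while this paragraph is being touched.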
@ -53,7 +55,7 @@ Create an access control policy that will grant specific privileges to Docker Cl
`iam:ListInstanceProfiles` allows the user to retrieve instance profiles to apply to your nodes. `iam:ListInstanceProfiles` allows the user to retrieve instance profiles to apply to your nodes.
> **Note**: You cannot use an instance profile that has more permissions than the IAM user you are using with Docker Cloud. If you do that, you will get an "unauthorized operation" error. You can fix this issue by adding the `"Action":"iam:PassRole"` permission to the policy for the service user. You can read more about this <a href="http://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission" target="_blank">here</a>. > **Note**: You cannot use an instance profile that has more permissions than the IAM user you are using with Docker Cloud. If you do that, you will get an "unauthorized operation" error. You can fix this issue by adding the `"Action":"iam:PassRole"` permission to the policy for the service user. You can read more about this [here](http://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission){: target="_blank" class="_"}.
6. Click **Validate Policy**. 6. Click **Validate Policy**.
7. If the validation is successful click **Create Policy**. 7. If the validation is successful click **Create Policy**.
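Review bot: this note still says "the IAM user you are using with Docker Cloud" and "the policy for the service user", but the page now describes the role/ARN method and tells readers to delete the `dockercloud-user`; reword to refer to `dockercloud-role` and `dockercloud-policy`. When recommending `"Action":"iam:PassRole"`, also say that its `Resource` should be limited to the instance-profile role ARNs rather than `*`, otherwise the role can pass any role in the account to EC2 instances. The blog link is also plain `http://`; the AWS security blog is served over https.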
@ -91,21 +93,21 @@ You can use the following `dockercloud-policy` to limit Docker Cloud to a specif
## Create a dockercloud-role role ## Create a dockercloud-role role
1. Go to the AWS IAM Role creation panel at <a href="https://console.aws.amazon.com/iam/home#roles">https://console.aws.amazon.com/iam/home#roles</a>. 1. Go to the AWS IAM Role creation panel at <a href="https://console.aws.amazon.com/iam/home#roles">https://console.aws.amazon.com/iam/home#roles</a>.
2. Give the new role a name, such as `dockercloud-role`.
> **Note**: You must use one role per Docker Cloud account namespace, so if you will be using nodes from a single AWS account for multiple Docker Cloud accounts, you should add an identifying the namespace to the end of the name. For example, you might have `dockercloud-role-moby` and `dockercloud-role-teamawesome`. 2. Select **Role for Cross-Account Access**, and in the submenu that opens select **Allows IAM users from a 3rd party AWS account to access this account**.
3. Select **Role for Cross-Account Access**, and in the submenu that opens select **Allows IAM users from a 3rd party AWS account to access this account**.
![](images/aws-iam-role-1.png) ![](images/aws-iam-role-1.png)
4. In the **Account ID** field, enter the ID for the Docker Cloud service: `689684103426`. 3. In the **Account ID** field, enter the ID for the Docker Cloud service: `689684103426`.
5. In the **External ID** field, enter your Docker Cloud username. 4. In the **External ID** field, enter your Docker Cloud username.
If you're linking to nodes for an organization, enter the organization name. If you're linking to nodes for an organization, enter the organization name.
6. Leave **Require MFA** unchecked. 5. Leave **Require MFA** unchecked.
7. On the next screen, select the `dockercloud-policy` you created to attach to the role. 6. On the next screen, select the `dockercloud-policy` you created to attach to the role.
7. Give the new role a name, such as `dockercloud-role`.
> **Note**: You must use one role per Docker Cloud account namespace, so if you will be using nodes from a single AWS account for multiple Docker Cloud accounts, you should add an identifying the namespace to the end of the name. For example, you might have `dockercloud-role-moby` and `dockercloud-role-teamawesome`.
8. On next page review your entries and copy the full **Role ARN** string. 8. On next page review your entries and copy the full **Role ARN** string.
The ARN string should look something like `arn:aws:iam::123456789123:role/dockercloud-role`. You'll use the ARN in the next step. If you forget to copy the ARN here, view the Role in IAM to see its related information including the ARN. The ARN string should look something like `arn:aws:iam::123456789123:role/dockercloud-role`. You'll use the ARN in the next step. If you forget to copy the ARN here, view the Role in IAM to see its related information including the ARN.
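Review bot: the note moved under the new step 7 carries over the typo "add an identifying the namespace"; it should read "add an identifier for the namespace to the end of the name". Step 1 still uses a raw `<a href="...">` with no target, while the rest of this commit converts links to `[text](url){: target="_blank" class="_"}`, so convert it for consistency. Step 8 should read "On the next page". Otherwise the reordering matches the role wizard flow (trust type, account ID, external ID, MFA, policy, then name), so the numbering and the "you'll use the ARN in the next step" reference remain correct.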
@ -114,7 +116,6 @@ You can use the following `dockercloud-policy` to limit Docker Cloud to a specif
![](images/aws-iam-role-2.png) ![](images/aws-iam-role-2.png)
## Add AWS account credentials ## Add AWS account credentials
Once you've created a `dockercloud-policy`, attached it to a Once you've created a `dockercloud-policy`, attached it to a