Configure AWS Multi-cloud vManage Account with IAM

Available Languages

Download Options

  • PDF     (650.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (680.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (550.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 29, 2022
Document ID:217868

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to resolve trust issues that occur when you try to use the IAM account for multi-cloud automation.

    Background

    When you use the Cisco multi-cloud feature with AWS TGW and your company AWS account, there are trust issues. That is because the unique company Account ID is different from the vManage EC2 instance in AWS.

    Problem

    When you use the IAM account for multi-cloud automation, it causes a trust issue.

    Solution

    To resolve this problem:

    1. Navigate to AWS > Identity and Access Management (IAM) and create a new ROLE or another listed ROLE.
    2. On the AWS portal, enter IAM in the search bar. The IAM opens.
    3. From the side panel, navigate to Roles and then select Create New.

    IAM window_5.4.2022

    4. Select the Another AWS Account as an option.

    5. The Account ID is the AWS Account and has the vManage EC2 instance built. For Cisco Hosted accounts, the account ID is "2002388880647". (This is NOT your own AWS Account ID.) See Reference at the end of this article.

    6. Check the box for "External ID" and enter a value under vManage > Cloud onRamp for multi-cloud > Account Management > Add AWS Account.

    Provide Cloud Acct Details_5.4.2022

    CreateRole_5.4.2022

    7. Set permissions. 

    Attach permissions_5.4.2022

    1. Skip the tags.
    2. Review the last page and name the role. Post the creation of ROLE and copy the ARN from the AWS portal.

    Review_5.4.2022

    Summary_5.4.2022

    1. Ensure that the syntax under the "Trust Relationship > Edit Relationship"matches this JSON example (with the values you set):
    {
  "Version": "2022-05-04",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account_number:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "vm:site_address"
        }
      }
    }
  ]
}
    1. Copy the ARN from AWS and fill in the details on the vManage multi-cloud page.

    Account Credentials Update_5.4.2022

    The "/var/log/nms/containers/cloudagent-v2/cloudagent-v2.log" file has valuable messages (with the values you set):

    [2021-08-06T02:47:07UTC+0000:140360670770944:INFO:ca-v2:grpc_service.py:432] Returning ValidateAccountInfo Response: {
  "mcCtxt": {
    "tenantId": "VTAC5 - 19335",
    "ctxId": "ebd23ec1-95fa-4e27-8f6a-e3b10c086f95"
  },
  "accountInfo": {
    "cloudType": "AWS",
    "accountName": "aws_accountname",
    "orgName": "VTAC5 - 19335",
    "description": "",
    "billingId": "",
    "awsAccountInfo": {
      "accountSpecificInfo": {
        "authType": "IAM",
        "iamBasedAuth": {
          "arn": "HUIZ82ywKt+EfSdKS8kaMpWCFE7W3vLjqaJCPgmSP1D61Rsd1yrIldmQsf9bW7OFNhUKH5LQg+2Gkdey0IyTUg==",

    Reference 

    Cisco_Cloud_onRamp_for_IaaS_AWS_Version2.html

    Revision History

    Revision Publish Date Comments
    1.0
    11-May-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Akshay Manchanda
      Customer Experience

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products