Search
⌃K

Create IAM Role

OtterTune uses an IAM role to establish a trusted relationship with your Amazon account. The role policy includes an External ID to designate who can assume the role. This is the preferred method for interacting with 3rd party accounts according to the AWS IAM User Guide. OtterTune randomly generates an External ID for each organization.
Important You only have to create the IAM role once for your organization. OtterTune will prompt you to create the IAM role upon logging in if you do not have one. If you have already completed this step, OtterTune will display your AWS fleet on the dashboard, where you could enable the full functionality of OtterTune for selected database instances. Note you may add additional AWS accounts as needed.

OtterTune Console

  1. 1.
    Navigate to https://service.ottertune.com/signin and sign in with your credentials.
  2. 2.
    The page should look like the screenshot below if your organization has not created the IAM role yet. If you have already set up the IAM role, proceed to the Enabling Databases instructions.

IAM Role Setup

Choose a method for setting up the necessary AWS role. Automatic Setup with CloudFormation is recommended.

Automatic Setup with CloudFormation

CloudFormation automatically provisions the IAM role with an OtterTune template and registers it with OtterTune. The template used by the CloudFormation stack is publicly available here.
  1. 1.
    Select "CloudFormation" and then Connect from the OtterTune console.
  2. 2.
    In the pop-up window, Log in to the AWS console.
  3. 3.
    On the CloudFormation form:
    1. 1.
      Optionally customize the stack name and/or the role name.
    2. 2.
      Check the acknowledgment box at the bottom of the form.
    3. 3.
      Select Create stack.
  4. 4.
    Navigate back to the OtterTune page. You will see the loading prompt below, which indicates that OtterTune is waiting for your CloudFormation stack to finish creation. Once we receive information about your new IAM role, you'll be automatically redirected to the dashboard.

Automatic Setup with Terraform

  1. 1.
    Install Terraform.
  2. 2.
    Select "Terraform" from the OtterTune console.
  3. 3.
    Copy the Terraform configuration snippet from the OtterTune console.
  4. 4.
    Navigate to the relevant OtterTune Terraform registry for additional documentation.
  5. 5.
    Paste the snippet copied from Step 3 into your local Terraform configuration containing AWS provider information. If you do not already have one, you may see an error regarding provider.aws.region.In this case, navigate to the AWS registry documentation for instructions on setting up AWS with Terraform.
  6. 6.
    Run terraform init from the directory of your Terraform configuration.
  7. 7.
    Optionally run terraform plan to preview the changes. Run terraform apply to complete the IAM role creation.
  8. 8.
    After the resources are created, enter the IAM role name and your 12-digit AWS account ID in the fields shown below and press Connect

Manual Set-up from the AWS Console

  1. 1.
    To begin the role creation steps, click on the AWS IAM Console panel in the OtterTune console, and navigate to the AWS IAM Console.
  2. 2.
    Select Another AWS account for the trusted entity type.
  3. 3.
    For the Account ID, enter 691523222388. This is OtterTune's AWS account ID.
  4. 4.
  5. 5.
    Select Require external ID and enter the ExternalID pasted from here.
  6. 6.
    Select Next: Permissions.
  7. 7.
    Select Create policy. This will open a new window.
  8. 8.
    On the policy creation page, select the JSON tab and paste the policy in the copybox on the OtterTune console shown above into the box.
  9. 9.
    Select Next: Tags.
  10. 10.
    Select Next: Review.
  11. 11.
    For the Name, enter a descriptive policy name such as OtterTuneDBPolicy.
  12. 12.
    Select Create Policy. You can now close this window and return to the role creation steps.
  13. 13.
    Select Next: Tags.
  14. 14.
    Select Next: Review.
  15. 15.
    For the Role name, enter a descriptive name such as OtterTuneRole.
  16. 16.
    Select Create role.
  17. 17.
    After the role is created, enter the IAM role name and your 12-digit AWS account ID in the fields shown below and press Connect.

OtterTune IAM Role Policy (JSON)

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:Describe*",
"rds:List*",
"pricing:Describe*",
"pricing:Get*",
"pi:DescribeDimensionKeys",
"pi:GetResourceMetrics",
"cloudwatch:Get*",
"cloudwatch:List*",
"cloudwatch:Describe*",
"ce:Get*",
"ce:List*",
"ce:Describe*",
"budgets:Describe*",
"aws-portal:ViewBilling",
"iam:SimulatePrincipalPolicy"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:*:*:dbuser:*/ottertune*"
],
"Effect": "Allow"
}
]
}

Next Step

If your IAM role set-up is successful, OtterTune will redirect you to the dashboard page and start syncing with AWS. Within moments, you'll be able to see your AWS fleet information there, and start using OtterTune with your databases.
Previous
Connect Your Database
Next
Enabling Database Instances
Last modified 1mo ago