Create IAM Role
OtterTune uses an IAM role to establish a trusted relationship with your Amazon account. The role policy includes an External ID to designate who can assume the role. This is the preferred method for interacting with 3rd party accounts according to the AWS IAM User Guide. OtterTune randomly generates an External ID for each organization.
Important You only have to create the IAM role once for your organization. OtterTune will prompt you to create the IAM role upon logging in if you do not have one. If you have already completed this step, OtterTune will display your AWS fleet on the dashboard, where you could enable the full functionality of OtterTune for selected database instances. Note you may add additional AWS accounts as needed.
- 2.The page should look like the screenshot below if your organization has not created the IAM role yet. If you have already set up the IAM role, proceed to the Enabling Databases instructions.
Choose a method for setting up the necessary AWS role. Automatic Setup with CloudFormation is recommended.
- Automatic Setup with CloudFormation (recommended): Set up the AWS IAM role automatically using a CloudFormation template.
CloudFormation automatically provisions the IAM role with an OtterTune template and registers it with OtterTune. The template used by the CloudFormation stack is publicly available here.
- 1.Select "CloudFormation" and then Connect from the OtterTune console.
- 3.On the CloudFormation form:
- 1.Optionally customize the stack name and/or the role name.
- 2.Check the acknowledgment box at the bottom of the form.
- 3.Select Create stack.
- 4.Navigate back to the OtterTune page. You will see the loading prompt below, which indicates that OtterTune is waiting for your CloudFormation stack to finish creation. Once we receive information about your new IAM role, you'll be automatically redirected to the dashboard.
- 2.Select "Terraform" from the OtterTune console.
- 3.Copy the Terraform configuration snippet from the OtterTune console.
- 5.Paste the snippet copied from Step 3 into your local Terraform configuration containing AWS
providerinformation. If you do not already have one, you may see an error regarding
provider.aws.region.In this case, navigate to the AWS registry documentation for instructions on setting up AWS with Terraform.
terraform initfrom the directory of your Terraform configuration.
- 7.Optionally run
terraform planto preview the changes. Run
terraform applyto complete the IAM role creation.
- 8.After the resources are created, enter the IAM role name and your 12-digit AWS account ID in the fields shown below and press Connect
- 1.To begin the role creation steps, click on the AWS IAM Console panel in the OtterTune console, and navigate to the AWS IAM Console.
- 2.Select Another AWS account for the trusted entity type.
- 3.For the Account ID, enter
691523222388. This is OtterTune's AWS account ID.
- 5.Select Require external ID and enter the ExternalID pasted from here.
- 6.Select Next: Permissions.
- 7.Select Create policy. This will open a new window.
- 8.On the policy creation page, select the JSON tab and paste the policy in the copybox on the OtterTune console shown above into the box.
- 9.Select Next: Tags.
- 10.Select Next: Review.
- 11.For the Name, enter a descriptive policy name such as
- 12.Select Create Policy. You can now close this window and return to the role creation steps.
- 13.Select Next: Tags.
- 14.Select Next: Review.
- 15.For the Role name, enter a descriptive name such as
- 16.Select Create role.
- 17.After the role is created, enter the IAM role name and your 12-digit AWS account ID in the fields shown below and press Connect.
If your IAM role set-up is successful, OtterTune will redirect you to the dashboard page and start syncing with AWS. Within moments, you'll be able to see your AWS fleet information there, and start using OtterTune with your databases.