Create IAM Role
OtterTune uses an IAM role to establish a trusted relationship with your Amazon account. The role policy includes an External ID to designate who can assume the role. This is the preferred method for interacting with 3rd party accounts according to the AWS IAM User Guide. OtterTune randomly generates an External ID for each organization.
Important: You only have to create the IAM role once for your organization. OtterTune will prompt you to create the IAM role the first time a user adds a database to your organization. If you have already completed this step, then proceed to Add Database.

OtterTune Console

    1. Navigate to https://service.ottertune.com/signin and sign in with your credentials.
    2. Select + New Database.
    3. The page should look like the screenshot below if your organization has not created the IAM role yet. If you have already set up the IAM role, proceed to the Add Database instructions. Take note of the External ID that will be used to create the role in the next step.

IAM Role Setup

Choose a method for setting up the necessary AWS role. Automatic Setup with CloudFormation is recommended.

Automatic Setup with CloudFormation

    1. Select Quick Create IAM Role from the OtterTune console.
    2. Log in to the AWS console.
    3. On the CloudFormation form:
      1. Copy/paste the External ID from the OtterTune console into the form.
      2. Optionally input the AWS DB Parameter Group ARNs for the databases you wish to tune into the form. This information is needed for tuning only (not monitoring) but can be updated later on.
      3. Check the acknowledgment box at the bottom of the form.
      4. Select Create stack.

Manual Setup from the AWS Console

    1. To begin the role creation steps, navigate to the AWS IAM Console.
    2. Select Another AWS account for the trusted entity type.
    3. For the Account ID, enter 691523222388. This is OtterTune's AWS account ID.
    4. Select Require external ID and enter the external ID generated by OtterTune.
    5. Select Next: Permissions.
    6. Select Create policy. This will open a new window.
    7. Select the JSON tab and copy the policy below into the text box.
    8. Select Next: Tags.
    9. Select Next: Review.
    10. For the Name, enter a descriptive policy name such as OtterTuneDBPolicy.
    11. Select Create Policy. You can now close this window and return to the role creation steps.
    12. Select the refresh button. Then enter the policy name you chose in step 10 into the search box and select the policy when it appears in the list of results.
    13. Select Next: Tags.
    14. Select Next: Review.
    15. For the Role name, enter a descriptive name such as OtterTuneRole.
    16. Select Create role.

OtterTune IAM Role Policy (JSON)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:Describe*",
        "rds:List*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "ce:Get*",
        "ce:List*",
        "ce:Describe*",
        "aws-portal:ViewBilling",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:*:*:dbuser:*/ottertune*"
      ],
      "Effect": "Allow"
    }
  ]
}
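
Once the role exists, its trust policy can be checked for the External ID condition that the manual setup steps configure. The following is an added example, not OtterTune's own code: the function names, the sample policies and the External ID value are constructed for illustration, and the trust policy shape is the standard one the AWS console writes for a cross-account role.

```python
import json

OTTERTUNE_ACCOUNT_ID = "691523222388"  # OtterTune's AWS account ID (manual setup, step 3)

def _as_list(value):
    # IAM allows a single string wherever a list of strings is accepted.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_external_id):
    """Return findings for a role trust policy; an empty list means it looks right."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings, trusts_ottertune = [], False
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        # Simplification: only an exact-match StringEquals condition is recognised.
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        for p in aws:
            parts = str(p).split(":")
            account = parts[4] if len(parts) > 4 else p  # ARN or bare account ID
            if account != OTTERTUNE_ACCOUNT_ID:
                findings.append(f"statement {n}: unexpected principal {p!r}")
                continue
            trusts_ottertune = True
            if ext_id is None:
                findings.append(f"statement {n}: no sts:ExternalId condition")
            elif ext_id != expected_external_id:
                findings.append(f"statement {n}: External ID does not match the console value")
    if not trusts_ottertune:
        findings.append("OtterTune account is not a trusted principal")
    return findings

def trust_policy(external_id=None, account=OTTERTUNE_ACCOUNT_ID):
    # Constructed sample shaped like the document the manual steps produce.
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

if __name__ == "__main__":
    sample_id = "example-external-id"  # constructed placeholder, not a real External ID
    print(audit_trust_policy(trust_policy(sample_id), sample_id))
    print(audit_trust_policy(trust_policy(), sample_id))
```

The policy argument accepts either a dict or the JSON text of the role's AssumeRolePolicyDocument.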

Enter the IAM Role ARN

After creating the IAM role, switch back to the OtterTune console and submit the ARN of the created role to complete the connection. The role ARN has the following form:

    arn:aws:iam::<your-account>:role/<ottertune-role-name>

You can construct the ARN by replacing <your-account> and <ottertune-role-name> (OtterTuneRole by default) with their respective values. Alternatively, you can copy the ARN from the AWS IAM console by selecting the role. Then select Submit.
This will send you to the next page to add your database. We discuss these steps next.