Documentation

AWS Identity and Access Management (IAM)

Create New IAM Role

To manage MATLAB Distributed Computing Server clusters in Amazon Web Services (AWS), MathWorks Cloud Center needs access to your AWS resources. You can use an IAM role to establish a trusted relationship between your AWS account and the account belonging to MathWorks Cloud Center. After this relationship is established, the Cloud Center application can obtain temporary security credentials that can then be used to access AWS resources in your account.

Note

AWS GovCloud accounts are not supported in Cloud Center.

To create a role, in Cloud Center, click User Preferences, and follow the on-screen instructions to guide you through the steps.

  1. Click the link in Step 1 to open the Identity and Access Management (IAM) console in a new browser window. Log in to Amazon Web Services (AWS) if prompted. It is easier to complete the steps if you can position both the Cloud Center and AWS console windows to be visible at the same time.

  2. Follow the Cloud Center on-screen instructions.

  3. In the last step, return to the Cloud Center User Preferences window and paste your Role ARN in the Role ARN box.

    Click Save and check that you see your updated AWS account credentials.

Create Custom IAM Access Policy

If you are an intermediate or advanced user of Amazon Web Services, and you are not comfortable granting the AdministratorAccess policy, you can create a custom IAM policy for finer-grained access control.

  1. When you log into Cloud Center, go to the User Preferences page to set up access to your Amazon Web Services (AWS) account. See image under step 11 in the previous section.

  2. On the User Preferences page, you see the MathWorks AWS Account ID and External ID. You will need to copy these IDs in step 11 below.

  3. Log in to the Amazon Web Services (AWS) management console.

  4. Under Security & Identity, click Identity & Access Management to navigate to the IAM dashboard.

  5. In the IAM console, go to the Policies node and select Create Policy. If this is the first time you have worked with IAM policies, select Get Started, and then Create Policy.

  6. In Review Policy, enter a Policy Name and Description (optional). Copy the text below in the Policy Document box:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cloudformation:*",
            "sns:*",
            "ec2:*",
            "s3:*",
            "sqs:*",
            "iam:*",
            "autoscaling:*"
          ],
          "Resource": "*"
        }
      ]
    } 

    Click Create Policy.

  7. Switch to the Roles page in the left hand navigation pane and click Create New Role.

  8. Enter a Role Name and click Next Step.

  9. On the Select Role Type page, select Role for Cross-Account Access > Allows IAM users from a 3rd party AWS Account to access this account. Click Select > Next Step.

  10. On the Establish Trust page, paste the MathWorks AWS Account ID and the External ID copied from the User Preferences > Add Amazon Web Services Credentials page in Cloud Center. Ensure Require MFA is not selected. Click Next Step.

  11. On the Attach Policy screen, search for the Policy you created in step 7. Select this policy and click Next Step.

  12. On the Review screen, you see a summary of the IAM Role you have just created. Copy your Role ARN. You will need this Role ARN in step 15 below. Click Create Role to save your work.

  13. On the page listing IAM Roles in your account, you now see the role you created for MathWorks Cloud Center.

  14. Return to the Cloud Center User Preferences window and paste your Role ARN (copied in step 13) in the Role ARN box. Click Save and check that your AWS account credentials have been updated.

Edit IAM Role

You can update your AWS Credentials and modify your IAM Role settings as follows:

  1. Navigate to the Edit AWS Credentials page in Cloud Center.

  2. Open a new browser window and log into your AWS Console.

  3. Click on Identity & Access Management to enter the IAM Console.

  4. Click on Roles in the left hand navigation pane.

  5. Click the Role Name you want to edit.

  6. On the Trust Relationships tab, you can modify the trusted entities and conditions of the trust relationship. Click the Show policy document link to see the current policy document. Click Edit Trust Relationship to edit the policy document. Insert the correct values for the AWS account ID and ExternalId shown in italics in the policy document template below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::MathWorks's_AWS_Account_ID:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "External_ID"
            }
          }
        }
      ]
    }
    

    Below, you see an example of a policy with both substitutions in place. The AWS account ID shown below is the AWS account MathWorks uses for Cloud Center. The ExternalId value must match the External ID you see on the User Preferences page for AWS credentials in Cloud Center.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "5b7a6de3-9be1-4554-a740-c861f80ff1f"
            }
          }
        }
      ]
    }
    

    Click Update Trust Policy.

  7. Click the Permissions tab to set the permissions granted to users who assume the role. You can attach a custom policy or use the built-in AdministratorAccess managed policy.

  8. Confirm that the settings in your Amazon account match the configuration you have supplied to Cloud Center. Save your changes on the Cloud Center Update AWS Credentials page. See the “Update Amazon Web Services Credentials” figure below.

  9. You are directed to User Preferences and you see a confirmation message.
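
The trust policy edited in step 6 can be checked before you save it: the only trusted principal should be the MathWorks account, and sts:AssumeRole should be conditioned on the External ID shown in Cloud Center. The Python below is an added example, not MathWorks or AWS code; the function name check_trust_policy is hypothetical and the sample values are the ones from the example policy above.

```python
import copy
import json

def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    if isinstance(value, list):
        return value
    return [] if value is None else [value]

def check_trust_policy(document, account_id, external_id):
    """Return findings for a role trust policy; an empty list means it matches."""
    policy = json.loads(document) if isinstance(document, str) else document
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}
    findings, matched = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        matched = True
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws) or [None]:  # [None] reports a missing AWS principal
            if p not in trusted:
                findings.append(f"statement {i}: unexpected principal {p!r}")
        # Condition key names are not case-sensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for key, vals in equals.items()
               if key.lower() == "sts:externalid" for v in _as_list(vals)]
        if not ids:
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
        elif ids != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match")
    if not matched:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings

# Sample values are the ones in the page's example policy above.
ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "5b7a6de3-9be1-4554-a740-c861f80ff1f"
EXAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
# Constructed variant: the same statement with the ExternalId condition removed.
NO_CONDITION = copy.deepcopy(EXAMPLE)
del NO_CONDITION["Statement"][0]["Condition"]

for doc in (EXAMPLE, NO_CONDITION):
    print(check_trust_policy(doc, ACCOUNT_ID, EXTERNAL_ID))
```

An empty list means the policy matches the values you passed in; paste the policy document shown by the Show policy document link as a JSON string to check your own role.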

If you are updating your AWS credentials in Cloud Center to integrate with a different AWS account, note the following points:

  • Stop all clusters and wait for them to be completely stopped before updating or deleting your AWS settings in Cloud Center. Otherwise, Cloud Center may not be able to shut down your resources appropriately.

  • When switching AWS accounts, you must update the SSH key name for any existing cluster before attempting to restart the cluster via Cloud Center in the new AWS account.

  • When switching AWS accounts, any existing data on your persistent storage will not be copied to clusters in the new AWS account.

  • When switching AWS accounts, Amazon S3 data from the previous AWS account will not be downloaded to clusters started in the new AWS account.
