Deploy the Stax-Provisioning Role to Allow Stax Onboarding
Before you can perform some Stax onboarding operations, the Stax-Provisioning IAM role must be deployed into AWS accounts. You should deploy this role only when required as part of Stax's onboarding operations or when requested by Customer Support.
This role is required to permit Stax access to an AWS Organization's management account, and subsequently to accounts within the AWS Organization to support their onboarding to Stax.
Before You Begin
- Ensure you have access to create IAM roles within the AWS account in question
- The Stax-Provisioning IAM role is deployed by way of a CloudFormation template published by Stax. The template differs depending on the Installation Region your Stax tenancy resides in. Confirm the correct region before deploying the role
Deploy the Stax-Provisioning Role
-
Log in to the AWS account in question using a role or credential which has adequate permissions to deploy a CloudFormation stack
-
Choose from the links below to open the CloudFormation Quick Create Stack page. It will be populated with the appropriate details for your Stax Installation
Stax Installation Region Deploy CloudFormation Stack Control Plane Account Number stax-au1 Click here 517242832086 stax-eu1 Click here 142467058350 stax-us1 Click here 329530014437 -
Ensure that the Stack name, RoleName and Control Plane Account Number (StaxMasterAccountId) parameters are populated. You should not need to change them from their default values. Acknowledge the IAM resource creation, then choose Create stac k
The CloudFormation template will be deployed into the AWS account. This process may take a few minutes to complete. Once completed, its status may be reviewed in the AWS CloudFormation Console.
The Stax-Provisioning Role
The CloudFormation template used to deploy the Stax-Provisioning role can be reviewed here. It accepts two parameters, and creates two IAM Roles.
Parameters
- RoleName determines the name of the IAM Role to be created. This should always be set to
stax-Provisioning
- StaxMasterAccountId refers to AWS account used by the Stax Control Plane to assert access to accounts in any given installation region. Only enter values here as specified by Stax
Resources
- StaxProvisioningRole is the IAM role asserted by the Stax Control Plane to take actions in accounts being onboarded for Stax management. It grants full access for Stax to the iam, cloudformation, and organizations namespaces, as well as permitting the sts:AssumeRole action