Skip to main content

Deploy the Stax-Provisioning Role to Allow Stax Onboarding

Before you can perform some Stax onboarding operations, the Stax-Provisioning IAM role must be deployed into AWS accounts. You should deploy this role only when required as part of Stax's onboarding operations or when requested by Customer Support.

This role is required to permit Stax access to an AWS Organization's management account, and subsequently to accounts within the AWS Organization to support their onboarding to Stax.

Before You Begin

  • Ensure you have access to create IAM roles within the AWS account in question
  • The Stax-Provisioning IAM role is deployed by way of a CloudFormation template published by Stax. The template differs depending on the Installation Region your Stax tenancy resides in. Confirm the correct region before deploying the role

Deploy the Stax-Provisioning Role

  1. Log in to the AWS account in question using a role or credential which has adequate permissions to deploy a CloudFormation stack

  2. Choose from the links below to open the CloudFormation Quick Create Stack page. It will be populated with the appropriate details for your Stax Installation

    Stax Installation RegionDeploy CloudFormation StackControl Plane Account Number
    stax-au1Click here517242832086
    stax-eu1Click here142467058350
    stax-us1Click here329530014437

  3. Ensure that the Stack name, RoleName and Control Plane Account Number (StaxMasterAccountId) parameters are populated. You should not need to change them from their default values. Acknowledge the IAM resource creation, then choose Create stac k

The CloudFormation template will be deployed into the AWS account. This process may take a few minutes to complete. Once completed, its status may be reviewed in the AWS CloudFormation Console.

deploy-the-stax-provisioning-role-0.png

The Stax-Provisioning Role

The CloudFormation template used to deploy the Stax-Provisioning role can be reviewed here. It accepts two parameters, and creates two IAM Roles.

Parameters

  • RoleName determines the name of the IAM Role to be created. This should always be set to stax-Provisioning
  • StaxMasterAccountId refers to AWS account used by the Stax Control Plane to assert access to accounts in any given installation region. Only enter values here as specified by Stax

Resources

  • StaxProvisioningRole is the IAM role asserted by the Stax Control Plane to take actions in accounts being onboarded for Stax management. It grants full access for Stax to the iam, cloudformation, and organizations namespaces, as well as permitting the sts:AssumeRole action