// Module included in the following assemblies:
//
// * networking/networking_operators/aws-load-balancer-operator/preparing-sts-cluster-for-albo.adoc

:_mod-docs-content-type: PROCEDURE
[id="using-aws-cli-create-iam-role-alb-controller_{context}"]
= Creating an AWS IAM role for the controller by using the AWS CLI

[role="_abstract"]
To enable the {aws-short} Load Balancer Controller to interact with subnets and Virtual Private Clouds (VPCs), create an IAM role by using the {aws-short} CLI. This ensures that the controller has only the specific permissions required to manage network resources for the cluster.

.Prerequisites

* You must have access to the {aws-short} command-line interface (`aws`).

.Procedure

. Generate a trust policy file for your identity provider by running the following command:
+
[source,terminal]
----
$ cat <<EOF > albo-controller-trust-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "<oidc_provider_arn>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "<oidc_provider_name>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
                }
            }
        }
    ]
}
EOF
----
+
where:
+
`<oidc_provider_arn>`:: Specifies the Amazon Resource Name (ARN) of the OIDC identity provider, such as `arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
`<oidc_provider_name>`:: Specifies the name of the OIDC identity provider, such as `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
`serviceaccount`:: Specifies the service account for the {aws-short} Load Balancer Controller. The `StringEquals` condition on `<oidc_provider_name>:sub` restricts the role to tokens issued for exactly this service account.

. Create an {aws-short} IAM role with the generated trust policy by running the following command:
+
[source,terminal]
----
$ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trust-policy.json
----
+
.Example output
[source,terminal]
----
ROLE	arn:aws:iam::<aws_account_number>:role/albo-controller	2023-08-02T12:13:22Z
ASSUMEROLEPOLICYDOCUMENT	2012-10-17
STATEMENT	sts:AssumeRoleWithWebIdentity	Allow
STRINGEQUALS	system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager
PRINCIPAL	arn:aws:iam::<aws_account_number>:oidc-provider/<oidc_provider_name>
----
+
where:
+
`<albo_controller_role_arn>`:: Specifies the ARN of the {aws-short} IAM role for the {aws-short} Load Balancer Controller, such as `arn:aws:iam::777777777777:role/albo-controller`. The `ROLE` line of the output shows this value.

. Download the permission policy for the {aws-short} Load Balancer Controller by running the following command:
+
[source,terminal]
----
$ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
----

. Attach the permission policy for the {aws-short} Load Balancer Controller to the {aws-short} IAM role by running the following command:
+
[source,terminal]
----
$ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
----

. Create a YAML file that defines the `AWSLoadBalancerController` object:
+
.Example `sample-aws-lb-manual-creds.yaml` file
[source,yaml]
----
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
  name: cluster
spec:
  credentialsRequestConfig:
    stsIAMRoleARN: <albo_controller_role_arn>
----
+
where:
+
`kind`:: Specifies the `AWSLoadBalancerController` object.
`metadata.name`:: Specifies the {aws-short} Load Balancer Controller name. All related resources use this instance name as a suffix.
`stsIAMRoleARN`:: Specifies the ARN of the IAM role for the {aws-short} Load Balancer Controller. The `CredentialsRequest` object uses this role ARN to provision the {aws-short} credentials. An example of `<albo_controller_role_arn>` is `arn:aws:iam::777777777777:role/albo-controller`.
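The following script is an added example and is not part of the OpenShift documentation or the aws-load-balancer-operator project. It wraps steps 1 to 4 of the procedure above in POSIX `sh`: it generates the trust policy from an OIDC provider ARN and name, refuses to continue unless the policy is pinned to exactly one service account, and then runs the `aws` and `curl` commands from the procedure. The environment variables `OIDC_PROVIDER_ARN`, `OIDC_PROVIDER_NAME` and `DRY_RUN`, and the function names, are assumptions of this example; `DRY_RUN=1` skips every call that touches {aws-short} so the policy generation and check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the OpenShift documentation or the
# aws-load-balancer-operator project. It wraps steps 1 to 4 of the procedure:
# generate the trust policy, verify it is pinned to exactly one service
# account, then create the role and attach the downloaded permission policy.
# Assumed environment: OIDC_PROVIDER_ARN and OIDC_PROVIDER_NAME are set, the
# aws CLI is configured, and DRY_RUN=1 skips every call that touches AWS.
set -eu

# Kubernetes service account the controller runs as (taken from the procedure).
ALBO_SA="system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"

# gen_trust_policy <oidc_provider_arn> <oidc_provider_name>
# Writes the trust policy JSON to stdout. StringEquals on "<provider>:sub"
# limits sts:AssumeRoleWithWebIdentity to tokens issued for ALBO_SA only.
gen_trust_policy() {
  cat <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "Federated": "$1" },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": { "$2:sub": "$ALBO_SA" }
            }
        }
    ]
}
EOF
}

# check_trust_policy <file>
# Succeeds only if the policy keeps the web-identity action, uses an exact
# StringEquals match on the subject, names ALBO_SA and contains no wildcard.
# Anything looser lets other workloads behind the same OIDC provider assume
# the role and inherit its load balancer permissions.
check_trust_policy() {
  f="$1"
  grep -qF '"sts:AssumeRoleWithWebIdentity"' "$f" || return 1
  grep -qF '"StringEquals"' "$f" || return 1
  grep -qF ":sub\": \"$ALBO_SA\"" "$f" || return 1
  if grep -qF '*' "$f"; then return 1; fi
  return 0
}

# create_albo_role <oidc_provider_arn> <oidc_provider_name>
# Runs the procedure; prints the role ARN to put into stsIAMRoleARN.
create_albo_role() {
  gen_trust_policy "$1" "$2" > albo-controller-trust-policy.json
  if ! check_trust_policy albo-controller-trust-policy.json; then
    echo "refusing to create role: trust policy is not scoped to $ALBO_SA" >&2
    return 1
  fi
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "dry run: albo-controller-trust-policy.json written, AWS calls skipped"
    return 0
  fi
  aws iam create-role --role-name albo-controller \
    --assume-role-policy-document file://albo-controller-trust-policy.json
  curl -fsSL -o albo-controller-permission-policy.json \
    https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
  aws iam put-role-policy --role-name albo-controller \
    --policy-name perms-policy-albo-controller \
    --policy-document file://albo-controller-permission-policy.json
  aws iam get-role --role-name albo-controller --query Role.Arn --output text
}

# Run only when the caller supplied the provider details, for example:
#   OIDC_PROVIDER_ARN=arn:aws:iam::777777777777:oidc-provider/<oidc_provider_name> \
#   OIDC_PROVIDER_NAME=<oidc_provider_name> DRY_RUN=1 sh create-albo-role.sh
if [ -n "${OIDC_PROVIDER_ARN:-}" ] && [ -n "${OIDC_PROVIDER_NAME:-}" ]; then
  create_albo_role "$OIDC_PROVIDER_ARN" "$OIDC_PROVIDER_NAME"
fi
```

The `check_trust_policy` function is the part worth keeping even if you run the `aws` commands by hand: a trust policy that drops the `:sub` condition, switches to `StringLike` with a wildcard, or names the wrong namespace and service account is accepted by `aws iam create-role` without complaint, and the mistake only shows up later as any pod behind the same OIDC provider being able to assume the controller's role.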