Guidance for assigning a role in SPC

Overview

To configure a trust relationship between the SCOP system and the target CSP account, assigning a role is necessary. This guide outlines the steps to enable secure integration for operations such as security audits, account updates, and console/resource access.


Definition and purpose

To perform operations such as:

  • Extracting account information
  • Detecting events
  • Managing resources

…you need to:

  • Create a linked role in the target CSP account for SCOP.
  • Allocate a Service Principal (IAM User, Service App, Service Account, etc.).
  • Form a trust relationship to allow API access from the SCOP system.

Conceptual overview

Figure: Conceptual diagram

The following steps summarize the role assignment process:

  1. Create policy
  2. Create role
  3. Assign trust relationship

Target audience: SPC account administrators

Figure: Process overview


Detailed guide

Step 1: Log in to SPC console

Figure: SPC console login


Step 2: Access IAM service

  1. Click the Menu button.
  2. Select SPC Identity & Access Management.

Figure: Access IAM


Step 3: Navigate to policies

  1. Click Policies.
  2. Click + Create Policy.

Figure: Move to create policy


Step 4: Create a new policy

  1. Name the policy: SamsungCloudOpsPlatform_Linked_Policy.
  2. Paste the policy script from SCOP_SPC_Policy_Script.json.
  3. Click Create Policy.

Figure: Create policy

For a complete example, refer to the policy below:

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "SCOP20230918SID-TEMP1",
    "Effect": "Allow",
    "Action": [
      "iam:AddClientIDToOpenIDConnectProvider",
      "iam:AttachRolePolicy",
      "iam:CreateOpenIDConnectProvider",
      "iam:CreatePolicy",
      "iam:CreatePolicyVersion",
      "iam:CreateRole",
      "iam:DeleteOpenIDConnectProvider",
      "iam:DeletePolicy",
      "iam:DeletePolicyVersion",
      "iam:DeleteRole",
      "iam:DetachRolePolicy",
      "iam:Get*",
      "iam:List*",
      "iam:RemoveClientIDFromOpenIDConnectProvider",
      "iam:SetDefaultPolicyVersion",
      "iam:UpdateAssumeRolePolicy",
      "iam:UpdateOpenIDConnectProviderThumbprint",
      "sts:AssumeRole"
    ],
    "Resource": "*"
  }
}

Step 5: Go to roles section

  1. Verify the newly created policy.
  2. Click Roles.

Figure: IAM roles service


Step 6: Create a new role

  1. Click + Create Role.

Figure: Create a role


Step 7: Add SCOP as trusted entity

  1. Select Another SPC account.
  2. Enter SCOP Account ID: 651725221358.
  3. Click Next.

Figure: Add another SPC account


Step 8: Attach policy to role

  1. Search for SamsungCloudOpsPlatform_Linked_Policy.
  2. Select the policy.
  3. Click Next.

Figure: Attach policy to role


Step 9: Set tags (optional)

  1. Click Next to proceed.

Figure: Set tags


Step 10: Finalize role creation

  1. Name the role: SamsungCloudOpsPlatform_Linked_Role.
  2. Click Create Role.

Figure: Finalize role creation


Step 11: Verify role creation

  1. Confirm the role has been successfully created.

Figure: Verify role
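The trust relationship configured in Step 7 and the verification in Step 11 can be checked offline. The following script is an added example, not part of this guide or the SCOP product: it builds the trust policy that selecting "Another SPC account" produces for the SCOP account ID above, and checks an existing trust policy so that only that account can assume the linked role. It assumes SPC principals use the AWS-style ARN layout (arn:aws:iam::ACCOUNT:root); the wrong-account input in the main block is constructed.

```python
import json

# Value from this page: the SCOP account trusted in Step 7.
SCOP_ACCOUNT_ID = "651725221358"
# ASSUMPTION: SPC principals use the AWS-style ARN layout; adjust the prefix if SPC differs.
ARN_PREFIX = "arn:aws:iam::"


def build_trust_policy(trusted_account_id):
    """Trust policy equivalent to choosing 'Another SPC account' in Step 7."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"{ARN_PREFIX}{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    # IAM accepts a single string or object wherever a list is allowed.
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def verify_trust_policy(trust_policy, expected_account_id=SCOP_ACCOUNT_ID):
    """Return findings for a trust policy (dict or JSON text); [] means only the expected account can assume the role."""
    trust_policy = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    findings, trusted = [], set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any account may assume the role")
            else:  # "arn:aws:iam::123456789012:root" or a bare account ID
                trusted.add(p.split(":")[4] if p.startswith("arn:") else p)
    if expected_account_id not in trusted:
        findings.append(f"expected SCOP account {expected_account_id} is not trusted")
    findings += [f"unexpected account trusted: {a}" for a in sorted(trusted - {expected_account_id})]
    return findings


if __name__ == "__main__":
    print(verify_trust_policy(build_trust_policy(SCOP_ACCOUNT_ID)) or "trust policy matches Step 7")
    print(verify_trust_policy(build_trust_policy("111111111111")))  # constructed wrong account
```

In practice, feed verify_trust_policy the role's trust policy document as shown in the SPC console in Step 11 (or exported as JSON); any non-empty result means the trust relationship differs from what Step 7 configured.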
