Adding Amazon AWS to Workspot

This article covers adding an Amazon WorkSpaces Core Cloud subscription to your Workspot deployment by integrating Workspot Control with your existing WorkSpaces Core subscription through IAM AssumeRole, using the AWS CLI. (These steps can also be performed in the AWS console, but that method is not shown.)

Step 1. Create IAM Trust JSON File

Create an IAM policy JSON file and save it as default-workspot-trust-policy.json. Replace <AWS-Account> with your AWS account number. This value is temporary: later steps replace it with the Control User ARN generated by Workspot Control.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "<AWS-Account>"
        },
        "Action": "sts:AssumeRole"
    }
}

Step 2. Create IAM Role

Create an IAM role as shown below. Save the Role ARN that is returned. You will need it in Step 6.

aws iam create-role --role-name workspot-admin-role --max-session-duration 43200 --assume-role-policy-document file://default-workspot-trust-policy.json

Step 3. Create IAM Core Permissions JSON File

Create an IAM policy JSON file and save it as workspot-core-permissions.json.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "workspaces-instances:*",
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:DeleteVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DescribeInstances",
                "ec2:CreateImage",
                "ec2:DescribeImages",
                "ec2:DeregisterImage",
                "ec2:DescribeSnapshots",
                "ec2:DeleteSnapshot",
                "ec2:DescribeRegions",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstanceTypes",
                "ec2:CreatePlacementGroup",
                "ec2:CreateTags",
                "ec2:GetSecurityGroupsForVpc",
                "ec2:DeleteTags",
                "ec2:DeletePlacementGroup",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:StopInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:ReleaseAddress",
                "ssm:GetParameters",
                "ssm:GetParameter",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }
    ]
}

Step 4. Create IAM Permissions Policy

Create the IAM policy from the IAM policy JSON file. Take note of the Policy ARN for the next step.

aws iam create-policy --policy-name workspot-core-permissions --policy-document file://workspot-core-permissions.json

Step 5. Attach Core Permissions to Role

Attach the workspot-core-permissions policy to the IAM role. Replace <Policy-ARN> with the ARN from the previous step.

aws iam attach-role-policy --role-name workspot-admin-role --policy-arn <Policy-ARN>

Step 6. Create Service-Linked Role

Create another role, this one service-linked.

aws iam create-service-linked-role --aws-service-name workspaces-instances.amazonaws.com

Step 7. Add Amazon WorkSpaces Core to Control

[Figure: form to add a public cloud provider, with required fields and options.]

Using the information gathered above, log in to Control and go to “Setup > Cloud” to continue the WorkSpaces Core integration process.

Click on “Add Public Cloud” and fill in the fields in the form:

  • Name. Choose a name that will uniquely identify this WorkSpaces Core environment.

  • Configuration Type. Select “Amazon WorkSpaces Core.”

  • Workspot Control ARN. Click “Get ARN” and copy the newly generated ARN for use in Step 7 (Create Workspot Trust Policy JSON File).

  • Account Number. Enter your AWS account number.

  • Assumed Role ARN. Enter the Role ARN you saved from Step 2.

  • Region. Select the AWS region where WorkSpaces Core is configured.

  • For this AWS Account, use the following Workspot License: Choose a licensing option:

    • Use AWS-Workspot license (licensing is handled and billed by AWS).

    • Use standard Workspot licenses (Workspot licensing handled and billed by Workspot; AWS usage handled and billed by AWS).

  • Do NOT click Save (yet).

Step 7. Create Workspot Trust Policy JSON File

Create another IAM policy JSON file from the example below and save it as workspot-trust-policy.json. Replace <Control-User-ARN> with the ARN generated by Workspot Control.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "<Control-User-ARN>"
        },
        "Action": "sts:AssumeRole"
    }
}

Step 8. Update IAM Role with the Workspot Trust Policy

Update the role with the new trust policy JSON.

aws iam update-assume-role-policy --role-name workspot-admin-role --policy-document file://workspot-trust-policy.json
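
Until this update is applied, the role still carries the Step 1 trust policy, which trusts the AWS account principal rather than the Control User ARN. The check below is an added example, not part of the Workspot procedure or Workspot's own code: it audits a role trust policy and reports every trusted principal other than the expected Control User ARN. The account IDs and the ARN in it are constructed placeholders.

```python
import json
import re
import sys

# A bare account ID or an account :root ARN trusts every identity in that account.
WHOLE_ACCOUNT = re.compile(r"^(\d{12}|arn:aws[\w-]*:iam::\d{12}:root)$")

# Constructed sample values (not real accounts or Workspot identifiers).
EXPECTED = "arn:aws:iam::999988887777:user/example-control-user"
STEP1_DEFAULT = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}}
STEP8_UPDATED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": EXPECTED}, "Action": "sts:AssumeRole"}}

def as_list(value):
    # IAM JSON accepts a single item wherever a list is allowed.
    return value if isinstance(value, list) else ([] if value is None else [value])

def audit_trust_policy(policy, expected_arn):
    """Return findings; an empty list means only expected_arn is trusted."""
    findings, trusted = [], set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principal = {"AWS": "*"} if principal == "*" else (principal or {})
        for kind, values in principal.items():
            for value in as_list(values):
                if kind != "AWS":
                    findings.append(f"non-IAM principal ({kind}): {value}")
                elif value == "*":
                    findings.append("wildcard principal: any AWS identity is trusted")
                elif WHOLE_ACCOUNT.match(value):
                    findings.append(f"whole account trusted: {value}")
                elif value != expected_arn:
                    findings.append(f"unexpected principal: {value}")
                else:
                    trusted.add(value)
    if expected_arn not in trusted:
        findings.append("expected Control User ARN is not trusted")
    return findings

if __name__ == "__main__":
    # With an ARN argument, audit JSON piped on stdin; otherwise audit the Step 1 sample.
    live = len(sys.argv) > 1
    policy = json.load(sys.stdin) if live else STEP1_DEFAULT
    result = audit_trust_policy(policy, sys.argv[1] if live else EXPECTED)
    print("\n".join(result) or "OK: only the expected principal is trusted")
    sys.exit(1 if result else 0)
```

Against a live role, pipe the output of aws iam get-role --role-name workspot-admin-role --query Role.AssumeRolePolicyDocument --output json into the script and pass the Control User ARN as its argument. A non-zero exit status means the trust policy lists something other than that ARN.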

Step 9. Complete Workspot Configuration

Back in Workspot Control, click “Save” to complete the WorkSpaces Core integration.

Configuration is now complete. You can proceed to manage templates, gateways, desktop pools, and application server pools.