Integrating Workspot Control and Amazon Workspaces Core


This article covers adding an Amazon Workspaces Core Cloud subscription to your Workspot deployment. It is part of the Getting Started with Workspot article series.

This document lists the steps needed to integrate Workspot Control and Workspaces Core using IAM AssumeRole. The steps below use the AWS CLI; they can also be completed in the AWS console.

Create IAM Policies

  1. Create an IAM policy JSON file and save it as default-workspot-trust-policy.json.

    1. Replace “<AWS-Account>” below with your AWS Account number. This value will be replaced in a later step with the Control User ARN generated by Workspot Control.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "<AWS-Account>"
        },
        "Action": "sts:AssumeRole"
    }
}
  2. Create an IAM role. This will return a new Role ARN. Save it for later use.

aws iam create-role --role-name workspot-admin-role --max-session-duration 43200 --assume-role-policy-document file://default-workspot-trust-policy.json

  3. Create an IAM policy JSON file. Save it as workspot-core-permissions.json.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "workspaces:DescribeWorkspaceImages",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:CreateTags",
                "workspaces:CreateWorkspaceImage",
                "workspaces:CreateWorkspaces",
                "workspaces:CreateWorkspaceBundle",
                "workspaces:DeleteWorkspaceBundle",
                "workspaces:DeleteWorkspaceImage",
                "workspaces:DeleteTags",
                "workspaces:StartWorkspaces",
                "workspaces:RebootWorkspaces",
                "workspaces:StopWorkspaces",
                "workspaces:TerminateWorkspaces",
                "workspaces:ModifyWorkspaceProperties",
                "ds:GetDirectoryLimits",
                "ds:DescribeDirectories",
                "ec2:CreateImage",
                "ec2:DescribeImages",
                "ec2:DeregisterImage",
                "ec2:DescribeSnapshots",
                "ec2:DeleteSnapshot",
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:DeleteVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstanceTypes",
                "ec2:CreatePlacementGroup",
                "ec2:CreateTags",
                "ec2:GetSecurityGroupsForVpc",
                "ec2:DeleteTags",
                "ec2:DeletePlacementGroup",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:ReleaseAddress",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }
    ]
}

  4. Create an IAM policy using the IAM policy JSON file. Take note of the Policy ARN, which we will use in the next step.

aws iam create-policy --policy-name workspot-core-permissions --policy-document file://workspot-core-permissions.json

  5. Attach the workspot-core-permissions policy to the IAM role. Replace “<Policy-ARN>” with the ARN from the previous step.

aws iam attach-role-policy --role-name workspot-admin-role --policy-arn <Policy-ARN>

  6. Log in to Workspot Control.

    1. Go to “Setup > Cloud.”

    2. Click on ‘Add Public Cloud’ and fill in the form using the information gathered.

    3. Provide a ‘Name’ that will distinguish this Workspaces Core environment from other Cloud Configs created later, and select ‘Amazon WorkSpaces Core’.

    4. Enter the AWS Account number and Role ARN (from step 2).

    5. Select a region where Workspaces Core is configured.

    6. Click “Get ARN” and take note of the Control User ARN. Do NOT click “Save.”

Note: The Account Number must not contain embedded whitespace or hyphens.

  7. Create another IAM policy JSON file from the text below.

    1. Save it as workspot-trust-policy.json.

    2. Copy the “Control User ARN” from Control’s “Add Public Cloud” page.

    3. Paste the ARN into the JSON file, replacing “<Control-User-ARN>.”

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "<Control-User-ARN>"
        },
        "Action": "sts:AssumeRole"
    }
}
  8. Update the role with the new trust policy JSON.

aws iam update-assume-role-policy --role-name workspot-admin-role --policy-document file://workspot-trust-policy.json

  9. Finish. Back on the “Add Public Cloud” page of Workspot Control, click “Save” to complete Workspaces Core integration.
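
The initial trust policy names the whole AWS account as principal, so until the trust policy is updated any identity in that account that is permitted to call sts:AssumeRole can assume workspot-admin-role. The following check is an added example, not part of the Workspot documentation: it audits a trust policy document and reports any principal that is not one specific IAM user or role. The account number, the user name and the assumption that the Control User ARN is an IAM user or role ARN are constructed for illustration.

```python
import json
import re

# Constructed samples mirroring this page's two trust policies; the account
# number and user name are made-up placeholders, not real Workspot values.
INITIAL_TRUST = """{"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "111122223333"},
    "Action": "sts:AssumeRole"}}"""
FINAL_TRUST = INITIAL_TRUST.replace(
    "111122223333", "arn:aws:iam::111122223333:user/example-control-user")

ACCOUNT_WIDE = re.compile(r"^(\d{12}|arn:aws[\w-]*:iam::\d{12}:root)$")
SPECIFIC = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:(user|role)/.+$")


def classify_principal(value):
    """Classify one AWS principal string from a trust policy."""
    if value.startswith("<") and value.endswith(">"):
        return "placeholder"      # template text was never filled in
    if value == "*":
        return "anyone"
    if ACCOUNT_WIDE.match(value):
        return "account-wide"     # the whole account is trusted
    if SPECIFIC.match(value):
        return "specific"         # a single IAM user or role
    return "unknown"


def audit_trust_policy(text):
    """Return (statement index, principal, kind) for every principal that is
    allowed sts:AssumeRole but is not one specific IAM user or role."""
    doc = json.loads(text)        # malformed JSON raises ValueError here
    stmts = doc["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for i, st in enumerate(stmts):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            kind = classify_principal(p)
            if kind != "specific":
                findings.append((i, p, kind))
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(INITIAL_TRUST))
    print(audit_trust_policy(FINAL_TRUST))
```

To audit the live role rather than the local file, pass in the JSON returned by `aws iam get-role --role-name workspot-admin-role --query Role.AssumeRolePolicyDocument`; an empty result means the trust has been narrowed to a single principal.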
