Integrating Workspot Control and Amazon Workspaces Core

This article covers adding an Amazon Workspaces Core Cloud subscription to your Workspot deployment. It is part of the Getting Started with Workspot article series.

This document lists the steps to integrate Workspot Control with Workspaces Core using IAM AssumeRole. The steps below use the AWS CLI; they can also be completed in the AWS console.

1. Create an IAM policy JSON file and save it as default-workspot-trust-policy.json. Replace <AWS-Account> with your AWS Account number. This principal is temporary; later steps replace it with the Control User ARN generated by Workspot Control.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "<AWS-Account>"
        },
        "Action": "sts:AssumeRole"
    }
}

2. Create an IAM role and take note of the Role ARN that is created for later use.

aws iam create-role --role-name workspot-admin-role --max-session-duration 43200 --assume-role-policy-document file://default-workspot-trust-policy.json

3. Create an IAM policy JSON file and save it as workspot-core-permissions.json.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "workspaces:DescribeWorkspaceImages",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:CreateTags",
                "workspaces:CreateWorkspaceImage",
                "workspaces:CreateWorkspaces",
                "workspaces:CreateWorkspaceBundle",
                "workspaces:DeleteWorkspaceBundle",
                "workspaces:DeleteWorkspaceImage",
                "workspaces:DeleteTags",
                "workspaces:StartWorkspaces",
                "workspaces:RebootWorkspaces",
                "workspaces:StopWorkspaces",
                "workspaces:TerminateWorkspaces",
                "workspaces:ModifyWorkspaceProperties",
                "ds:GetDirectoryLimits",
                "ds:DescribeDirectories",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAddresses",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstanceTypes",
                "ec2:CreatePlacementGroup",
                "ec2:CreateTags",
                "ec2:GetSecurityGroupsForVpc",
                "ec2:DeleteTags",
                "ec2:DeletePlacementGroup",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:ReleaseAddress",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "*"
        }
    ]
}

4. Create the IAM policy from the IAM policy JSON file. Take note of the Policy ARN for the next step.

aws iam create-policy --policy-name workspot-core-permissions --policy-document file://workspot-core-permissions.json

5. Attach the workspot-core-permissions policy to the IAM role. Replace <Policy-ARN> with the ARN from the previous step.

aws iam attach-role-policy --role-name workspot-admin-role --policy-arn <Policy-ARN>

6. Using the information gathered above, log in to Control and go to Setup > Cloud to continue the Workspaces Core integration process.

Click on ‘Add Public Cloud’ and fill in the form using the information gathered.

Provide a ‘Name’ that will distinguish this Workspaces Core environment from other Cloud Configs created later, and select ‘Amazon WorkSpaces Core’.

Enter the AWS Account number and Role ARN (step 2).

Select a region where Workspaces Core is configured.

Click “Get ARN” and take note of the Control User ARN. Do not click Save.

7. Create another IAM policy JSON file and save it as workspot-trust-policy.json. Replace <Control-User-ARN> with the ARN generated by Workspot Control.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "<Control-User-ARN>"
        },
        "Action": "sts:AssumeRole"
    }
}

8. Update the role with the new trust policy JSON.

aws iam update-assume-role-policy --role-name workspot-admin-role --policy-document file://workspot-trust-policy.json

9. Back in Workspot Control, click Save to complete the Workspaces Core integration.
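
The trust policy from step 1 trusts the whole AWS account until step 8 narrows it, so it is worth confirming after step 8 that the role trusts only the Control User ARN. The check below is an added example, not Workspot's or AWS's own code; the account ID, the Control User ARN and the function names are constructed placeholders.

```python
import re

# A bare account ID or its :root ARN trusts the whole account. IAM stores a bare
# ID as arn:aws:iam::<id>:root, so the role's saved policy shows the ARN form.
ACCOUNT_WIDE = re.compile(r"^(\d{12}|arn:aws[\w-]*:iam::\d{12}:root)$")

# Constructed placeholder; the real value is shown by "Get ARN" in Control.
CONTROL_USER_ARN = "arn:aws:iam::444455556666:user/example-control-user"

def audit_trust_policy(policy, expected_principal):
    """Return findings; an empty list means only expected_principal is trusted."""
    findings, seen_expected = [], False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # the article's policies use a single object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*"
            principal = {"AWS": principal}
        for kind in principal:
            if kind != "AWS":
                findings.append(f"statement {i}: unexpected {kind} principal")
        aws = principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append(f"statement {i}: any AWS principal is trusted")
            elif ACCOUNT_WIDE.match(p):
                findings.append(f"statement {i}: whole account trusted ({p})")
            elif p == expected_principal:
                seen_expected = True
            else:
                findings.append(f"statement {i}: unexpected principal {p}")
    if not seen_expected:
        findings.append("expected principal is not trusted")
    return findings

def sample_policy(principal):
    """Constructed trust policy in the shape used in steps 1 and 7."""
    return {"Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Principal": {"AWS": principal},
                          "Action": "sts:AssumeRole"}}

if __name__ == "__main__":
    # Step 1 shape with a placeholder account ID: reports the account-wide trust.
    print(audit_trust_policy(sample_policy("111122223333"), CONTROL_USER_ARN))
```

To check the live role, load the JSON returned by aws iam get-role --role-name workspot-admin-role --query Role.AssumeRolePolicyDocument and pass it to audit_trust_policy together with the Control User ARN.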
