Using IAM Roles

The Traffic Manager supports the use of EC2 Identity and Access Management (IAM) roles. IAM roles are required for deployments involving Traffic IP addresses, auto-scaling, or appliance network management.

To create an IAM role, use the AWS Console or equivalent management tool. When you launch a new Traffic Manager virtual machine instance, specify the IAM role you want the instance to assume.

During normal communication with EC2, the Traffic Manager executes a range of API calls to perform various functions. When you create an IAM role, you must attach an IAM policy to the role that grants the authority needed to execute those functions. AWS provides various predefined (managed) IAM policies, together with the ability to create custom policies to meet specific needs. If you require one of the following functional areas in your deployment, make sure your chosen IAM policy has permission to execute the associated API calls; a custom policy limited to exactly these actions is preferable to a broad predefined policy, since the instance credentials obtained through the role are available to any process on the instance.

For general Traffic Manager functioning:
DescribeRegions
DescribeInstances
DescribeAddresses
DescribeNetworkInterfaces

For Fault Tolerance:
AssociateAddress
DisassociateAddress
AllocateAddress
ReleaseAddress
AssignPrivateIpAddresses
UnassignPrivateIpAddresses

For Autoscaling:
RunInstances
CreateTags
TerminateInstances
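As an added example (not from the Traffic Manager documentation), the following Python script builds a least-privilege IAM policy document from the functional areas listed above and checks an existing policy for the required actions it fails to grant. The group names, function names and the Resource "*" scope are my assumptions; the checker evaluates Allow statements only and ignores Deny statements and Conditions.

```python
import fnmatch
import json

# EC2 actions the Traffic Manager needs, grouped by functional area as listed above.
REQUIRED_ACTIONS = {
    "general": ["ec2:DescribeRegions", "ec2:DescribeInstances",
                "ec2:DescribeAddresses", "ec2:DescribeNetworkInterfaces"],
    "fault_tolerance": ["ec2:AssociateAddress", "ec2:DisassociateAddress",
                        "ec2:AllocateAddress", "ec2:ReleaseAddress",
                        "ec2:AssignPrivateIpAddresses",
                        "ec2:UnassignPrivateIpAddresses"],
    "autoscaling": ["ec2:RunInstances", "ec2:CreateTags", "ec2:TerminateInstances"],
}


def required_for(features):
    """Actions needed for the chosen features; "general" is always included."""
    needed = list(REQUIRED_ACTIONS["general"])
    for feature in features:
        needed += REQUIRED_ACTIONS[feature]
    return needed


def build_policy(features):
    """IAM policy document allowing only the actions the chosen features need.
    Resource "*" is an assumption: the Describe* calls require it, and the
    page does not specify tighter resource scoping for the other calls."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": required_for(features),
                           "Resource": "*"}]}


def allowed_patterns(policy):
    """Action patterns from Allow statements, lower-cased because IAM matches
    action names case-insensitively. Deny statements and Conditions are ignored."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        patterns += [a.lower() for a in ([acts] if isinstance(acts, str) else acts)]
    return patterns


def missing_actions(policy, features):
    """Required actions the policy does not grant; wildcards such as
    "ec2:Describe*" are honoured via fnmatch."""
    patterns = allowed_patterns(policy)
    return [a for a in required_for(features)
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


if __name__ == "__main__":
    print(json.dumps(build_policy(["fault_tolerance"]), indent=2))
```

Running the script prints the policy document for a fault-tolerant (Traffic IP) deployment; the checker can then be pointed at the policy actually attached to the role to confirm nothing the deployment needs is missing.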

For more information on IAM roles and policies, see the AWS documentation at: http://aws.amazon.com/documentation/.