VHM and Amazon Web Services

You can use a virtual host manager (VHM) to gather instances from Amazon Web Services (AWS).

The VHM allows SUSE Manager to obtain and report information about your clusters. For more information on VHMs, see Virtual Host Managers.

1. Create an Amazon EC2 VHM

The Virtual Host Manager (VHM) runs on the SUSE Manager Server.

Ensure you have installed the virtual-host-gatherer-libcloud package on the SUSE Manager Server.

Procedure: Creating an Amazon EC2 VHM
  1. In the SUSE Manager Web UI, navigate to Systems  Virtual Host Managers.

  2. Click Create and select Amazon EC2 from the drop-down menu.

  3. In the Add an Amazon EC2 Virtual Host Manager section, use these parameters:

    • In the Label field, type a custom name for your VHM.

    • In the Access Key ID field, type the access key ID provided by Amazon.

    • In the Secret Access Key field, type the secret access key associated with the Amazon instance.

    • In the Region field, type the region to use.

    • In the Zone field, type the zone your VM is located in. This is required for subscription matching to work. For more information about setting regions and zones, see client-configuration:virtualization.adoc#_susesupport_and_vm_zones.

  4. Click Create to save your changes and create the VHM.

  5. On the Virtual Host Managers page, select the new VHM.

  6. On the Properties page, click Refresh Data to inventory the new VHM.

To see which objects and resources have been inventoried, navigate to Systems  System List  Virtual Systems.

Instances running on the Amazon public cloud report a UUID to the SUSE Manager Server in the format of an i followed by seventeen hexadecimal digits:

I1234567890abcdef0

2. AWS Permissions for Virtual Host Manager

For security reasons, always grant the least privilege possible for a task to be performed. Using an Access Key with excessive permissions for users connecting to AWS is not advised.

For SUSE Manager to gather the information required from AWS, the VHM needs permission to describe EC2 instances and addresses. One method to grant this is to create a new IAM user (Identity and Access Management) specific to this task, create a policy as follows and attach to the user:

{
    "Version": "2012-10-17",
    "Statement":[
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}

You can limit permissions more by restricting access to specific regions. For more information, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-read-only.