Amazon Web Services

Linking your Amazon Web Services account to Docker Cloud takes a few more steps. To link the account, we need to provide Docker Cloud with the Amazon Resource Name (ARN) of a role that has the privileges needed to access the resources in our Amazon Web Services account required to launch instances.

To do this, we must first create a policy. Log in to your Amazon Web Services account at https://console.aws.amazon.com/ or your organization's custom sign-in page if you use one. Once logged in, go to the Services menu, which can be found in the top-left of the page, and find the IAM service.

The AWS Identity and Access Management (IAM) service allows you to manage both users and access to the AWS API at an extremely granular level. This service could potentially allow you to create credentials allowing a high level of access to your account--do not publish any credentials created here publicly. For more information, see https://aws.amazon.com/iam/.

Once you are on the Welcome to Identity and Access Management page, click on Policies, which can be found in the left-hand menu. This page lists all of the default policies supplied by Amazon, along with any custom ones you have created.

We are going to be creating our own policy. To do this, click on the Create Policy button; you will be taken to a page where you have three options: Copy an AWS Managed Policy, Policy Generator, and Create Your Own Policy. Click on Select next to Create Your Own Policy.

Enter the Policy Name as dockercloud-policy, leave the Description blank, and for the Policy Document, enter the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:*",
            "iam:ListInstanceProfiles"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

You can see this in the following screenshot:

Once you have entered the details, click on Create Policy. Now that we have our policy, we need to attach it to a role. To do this, click on Roles in the left-hand side menu and then click the Create new role button.

There are four steps to create a role, the first of which is to select the type of role we want to create; in our case, we want to select Role for cross-account access as we will be allowing Docker Cloud access to our Amazon Web Services account:

Under Role for cross-account access, we have two options; as we are going to be allowing third-party access, click on the Select button next to the Provide access between your AWS account and a 3rd party AWS account option.

This will take you to step two, where you will need to tell Amazon the Account ID of the third party you want to be able to use your role with, and also you will need to provide your Docker ID username. The account number you need for this is 689684103426; enter it in the Account ID field, and in the External ID field, enter your Docker ID. Leave Require MFA unticked:

Once you have entered the details, click on Next Step to attach the policy we created earlier. To do this, enter docker cloud in the Filter and check the box next to the dockercloud-policy result:

Click on Next Step to move onto the final step. Here we need to give our role a name, so enter dockercloud-role in the Role name field. Review the rest of the information, such as the account number, which should read 689684103426, and then click on Create role.
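The Account ID and External ID entered in step two end up in the role's trust policy, which decides who may assume the role. The following check is an added example, not code from the book or from Docker: it audits a trust policy document against the expected account and external ID. The function names and the `example-docker-id` value are assumptions made for illustration.

```python
import json

DOCKER_CLOUD_ACCOUNT = "689684103426"  # Account ID quoted in the text

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Accepts "arn:aws:iam::<account>:root" or a bare 12-digit account ID.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy, account_id, external_id):
    """Return findings for a role trust policy; an empty list means it matches."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*":
                findings.append("wildcard principal")
            elif _account_of(p) != account_id:
                findings.append("unexpected principal: " + p)
        if not aws:
            findings.append("no AWS principal")
        # Without an ExternalId condition, any caller in the trusted account
        # that learns the role ARN can assume the role on someone else's behalf.
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append("missing sts:ExternalId condition")
        elif got != external_id:
            findings.append("unexpected external ID: " + str(got))
    return findings

# Constructed sample: the shape of trust policy the steps above produce,
# with "example-docker-id" standing in for your Docker ID.
SAMPLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::689684103426:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "example-docker-id"}}}]}
""")

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY, DOCKER_CLOUD_ACCOUNT, "example-docker-id"))
```

To audit the real role, feed it the document returned by `aws iam get-role --role-name dockercloud-role --query Role.AssumeRolePolicyDocument`.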

This will create our Docker Cloud role and take you back to the list of roles. The final piece of information we need before we return to Docker Cloud is the ARN for the role we just created. To get this, click on the role name in the list of roles and make a note of the Role ARN:

Now that we have the role ARN, return to Docker Cloud and click on the power cord plug next to Amazon Web Services; this will open a prompt that asks you for the role ARN. Enter it and click on Save:

You should now have two different cloud providers linked to your Docker Cloud account, and your Cloud Settings page should look something like the following:
