IAM Configuration

Make sure that both members of the consortium perform this setup in their respective AWS accounts.

Your Cloud9 environment will need some privileges in order to access your blockchain network. Set those up now by going to IAM in the Management Console and selecting Policies from the left-hand sidebar, then Create policy. Select the JSON tab, then paste the following JSON policy document into the text field, replacing every instance of 123456789012 with your own AWS account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListNetworkMembers",
      "Effect": "Allow",
      "Action": [
        "managedblockchain:GetNetwork",
        "managedblockchain:ListMembers"
      ],
      "Resource": [
        "arn:aws:managedblockchain:*:123456789012:networks/*"
      ]
    },
    {
      "Sid": "ManageNetworkResources",
      "Effect": "Allow",
      "Action": [
        "managedblockchain:CreateProposal",
        "managedblockchain:GetProposal",
        "managedblockchain:DeleteMember",
        "managedblockchain:VoteOnProposal",
        "managedblockchain:ListProposals",
        "managedblockchain:GetNetwork",
        "managedblockchain:ListMembers",
        "managedblockchain:ListProposalVotes",
        "managedblockchain:RejectInvitation",
        "managedblockchain:GetNode",
        "managedblockchain:GetMember",
        "managedblockchain:DeleteNode",
        "managedblockchain:CreateNode",
        "managedblockchain:CreateMember",
        "managedblockchain:ListNodes"
      ],
      "Resource": [
        "arn:aws:managedblockchain:*::networks/*",
        "arn:aws:managedblockchain:*::proposals/*",
        "arn:aws:managedblockchain:*:123456789012:members/*",
        "arn:aws:managedblockchain:*:123456789012:invitations/*",
        "arn:aws:managedblockchain:*:123456789012:nodes/*"
      ]
    },
    {
      "Sid": "WorkWithNetworksForAcct",
      "Effect": "Allow",
      "Action": [
        "managedblockchain:ListNetworks",
        "managedblockchain:ListInvitations",
        "managedblockchain:CreateNetwork"
      ],
      "Resource": "*"
    }
  ]
}

Select Review policy. Call the policy AmazonManagedBlockchainControl and select Create policy.

Then select Roles from the sidebar, and then Create role. Select AWS service as the type of trusted entity and choose EC2 as your use case, then select Next: permissions. Narrow down the options by searching in the filter and check the box next to the AmazonManagedBlockchainControl policy you just created. Also attach AdministratorAccess: so many different IAM permissions are needed in subsequent modules that it is easier to give this machine administrator access during setup. After the workshop is finished, remove the AdministratorAccess policy, leaving only the AmazonManagedBlockchainControl policy attached to the Fabric client role, so that your day-to-day use follows the principle of least privilege.

(Screenshot: Filter the policy list)

Select Next: Tags and then Next: Review. Call the role ServiceLinkedRoleForAmazonManagedBlockchain and select Create role.
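The same setup, plus the post-workshop removal of AdministratorAccess described above, as an AWS CLI script. This is an added example, not part of the workshop material; it assumes the policy document above has been saved unchanged (placeholder account ID included) as policy-template.json in the working directory, and that the CLI is configured for the account you are setting up.

```bash
#!/usr/bin/env bash
set -euo pipefail

POLICY_NAME="AmazonManagedBlockchainControl"
ROLE_NAME="ServiceLinkedRoleForAmazonManagedBlockchain"
PLACEHOLDER="123456789012"   # account ID used in the workshop's policy text

# Replace the placeholder account ID with the real one; template on stdin.
render_policy() { sed "s/$PLACEHOLDER/$1/g"; }

# Succeeds when the text on stdin still carries the placeholder.
has_placeholder() { grep -q "$PLACEHOLDER"; }

# Trust policy equivalent to choosing "AWS service / EC2" in the console.
trust_policy() { cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Principal": {"Service": "ec2.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}
EOF
}

setup() {
  local account
  account=$(aws sts get-caller-identity --query Account --output text)
  render_policy "$account" < policy-template.json > policy.json
  if has_placeholder < policy.json; then
    echo "policy.json still contains $PLACEHOLDER; refusing to create it" >&2
    return 1
  fi
  aws iam create-policy --policy-name "$POLICY_NAME" --policy-document file://policy.json
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn "arn:aws:iam::${account}:policy/${POLICY_NAME}"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  # The console creates an instance profile for an EC2 role implicitly; the CLI does not.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# After the workshop: drop AdministratorAccess and show what remains attached.
cleanup() {
  aws iam detach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
    --query 'AttachedPolicies[].PolicyName' --output text
}

case "${1:-}" in setup) setup ;; cleanup) cleanup ;; esac
```

Run `./iam-setup.sh setup` before the workshop and `./iam-setup.sh cleanup` afterwards; the cleanup listing should show only AmazonManagedBlockchainControl.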