Citrix DaaS

Connection to Amazon WorkSpaces Core Managed Instances

Create and manage connections and resources describes the wizards that create a connection. The following information covers details specific to Amazon WorkSpaces Core Managed Instances.

Prerequisites

Do the following before creating a connection to Amazon WorkSpaces Core Managed Instances:

Define IAM permissions

Before creating a host connection, define an IAM permissions policy for an IAM user or role that gives Citrix the permissions it needs to provision and manage resources in your AWS account on your behalf. Use the information in this section to define IAM permissions for Citrix DaaS on Amazon WorkSpaces Core Managed Instances. AWS IAM lets an account have multiple users, which can be organized into groups; each user can hold different permissions that control which operations they can perform in the account. For more information about IAM permissions, see the IAM JSON policy reference.

Note:

Since Citrix provisions and manages resources and automation in your AWS account on your behalf, configuring IAM permissions policies based on specific tags or resource naming conventions is not supported.

To apply IAM permissions policy to a new group of users:

  1. Log in to the AWS management console and select the IAM service from the drop-down list.
  2. Select Create a New Group of Users.
  3. Type a name for the new user group and select Continue.
  4. On the Permissions page, choose Custom Policy.
  5. Type a name for the Permissions policy.
  6. In the Policy Document section, enter the relevant permissions.

After entering the policy information, select Continue to complete the application of the IAM permissions policy to the group of users. Users in the group are granted permissions to do only those actions that are required for Citrix DaaS.

Important:

The policy text in the examples in this article lists the actions that Citrix DaaS performs in an AWS account without restricting those actions to specific resources. Citrix recommends that you use the examples for testing purposes. For production environments, consider adding resource-level restrictions.

Add IAM permissions

Add the permissions in the IAM section of the AWS Management Console:

  1. In the Summary panel, select the Permissions tab.
  2. Select Add permissions.
  3. In the Add Permissions to screen, grant permissions.
  4. In the JSON section, include Required AWS permissions for your environment.

Create a service-linked role

For each of your AWS accounts from which Citrix will call Core V2 APIs, create a service-linked role (SLR).

The steps to create the role:

  • Open a command line with the AWS CLI configured for the account (for example, AWS CloudShell in the AWS Management Console).
  • Run the following command in the CLI:

     aws iam create-service-linked-role --aws-service-name workspaces-instances.amazonaws.com
    

You can also configure the service-linked role using the Amazon WorkSpaces Core management console. See Creating a service-linked role (console).

Create a connection

You can create a connection to Amazon WorkSpaces Core Managed Instances using Studio or PowerShell.

Note:

Check your proxy server or firewall restrictions and ensure that the following addresses are contactable: https://*.amazonaws.com and https://*.api.aws. Also, make sure that all the addresses mentioned in Citrix Gateway service connectivity are contactable.

If these are not contactable, it might cause failure while creating or updating the host connection.

Create a connection using Studio

  1. Navigate to Hosting > Add Connection and Resources page.
  2. On the Connection page, follow these steps to configure the connection:

    1. Select Create a new connection.
    2. In Zone, select the resource location you have set up for your AWS environment.
    3. Select Amazon WorkSpaces Core as the connection type.
    4. Select Use IAM user access key or Use IAM role.

      For the IAM user access key, provide your API key and Secret key for the IAM user that has proper IAM permissions policy for Citrix to manage resources in your AWS account.

      For the IAM role, make sure that you’ve assigned an IAM role to the Citrix Cloud Connector instance with proper IAM permissions policy for Citrix to manage resources in your AWS account. See Role-based authentication guide for more information.

    5. Enter a connection name and click Next.
  3. On the Virtual Machine Location page, specify the location where the VMs must be provisioned. Select the cloud region, VPC, and availability zone for creating new VMs.
  4. On the Network page:

    1. Enter a name for the resources you selected on the previous page.
    2. Select one or more subnets in the VPC that you configured in the previous menu.
  5. Click through the remaining pages till the Summary page.
  6. Click Finish to create the host connection to Amazon WorkSpaces Core Managed Instances.

Important considerations

When you create a connection using Studio:

  • Define proper IAM permissions for Citrix to manage your AWS resources.
  • If you use an IAM user access key for Citrix to manage your AWS resources, you must provide the API key and secret key values. You can export the key file containing those values from AWS and then import them. You must also provide the region, availability zone, VPC name, subnet addresses, domain name, security group names, and credentials.
  • If you use an IAM role for Citrix to manage your AWS resources, you must assign a role with proper IAM permissions to all of your Cloud Connectors. See Role-based authentication guide for more information.
  • The credentials file for the root AWS account (retrieved from the AWS console) is not formatted the same as credentials files downloaded for standard AWS users. Therefore, Citrix DaaS cannot use the file to populate the API key and secret key fields. Ensure that you are using AWS Identity Access Management (IAM) credentials files.

Create a connection using PowerShell

  1. Open a PowerShell window.
  2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
  3. Run the following commands. Following is an example:

    $connectionName = "demo-hostingconnection"
    $cloudRegion = "us-east-1"
    $apiKey = "aaaaaaaaaaaaaaaaaaaa"
    # Placeholder secret. Avoid hard-coding the real secret key in scripts; prompt for it instead:
    # $secureKey = Read-Host 'Please enter your secret key' -AsSecureString
    $apiSecret = "bbbbb"
    $secureKey = ConvertTo-SecureString -String $apiSecret -AsPlainText -Force
    $zoneUid = "00000000-0000-0000-0000-000000000000"
    $connectionPath = "XDHyp:\Connections\" + $connectionName

    $connection = New-Item -Path $connectionPath -ConnectionType "Custom" -PluginId "AmazonWorkSpacesCoreMachineManagerFactory" -HypervisorAddress "https://workspaces-instances.$($cloudRegion).api.aws" -Persist -Scope @() -UserName $apiKey -SecurePassword $secureKey -ZoneUid $zoneUid

    New-BrokerHypervisorConnection -HypHypervisorConnectionUid $connection.HypervisorConnectionUid

    $hostingUnitName = "demo-hostingunit"
    $availabilityZone = "us-east-1a"
    $vpcName = "Default VPC"
    $jobGroup = [Guid]::NewGuid()
    $hostingUnitPath = "XDHyp:\HostingUnits\" + $hostingUnitName
    $rootPath = $connectionPath + "\" + $vpcName + ".virtualprivatecloud\"
    $availabilityZonePath = @($rootPath + $availabilityZone + ".availabilityzone")
    # Selects every network (subnet) in the availability zone; add a filter here to restrict the hosting unit to specific subnets
    $networkPaths = (Get-ChildItem $availabilityZonePath[0] | Where-Object ObjectType -eq "Network") | Select-Object -ExpandProperty FullPath

    New-Item -Path $hostingUnitPath -AvailabilityZonePath $availabilityZonePath -HypervisorConnectionName $connectionName -JobGroup $jobGroup -PersonalvDiskStoragePath @() -RootPath $rootPath -NetworkPath $networkPaths
    

Note:

To create a connection using Role-Based Authentication, specify apiKey and apiSecret as role_based_auth.

Limitation

If you change the name of an AWS Virtual Private Cloud (VPC) in the AWS console, then the existing hosting unit in Citrix Cloud breaks. When the hosting unit is broken, you cannot create catalogs or add machines to existing catalogs. To resolve the issue, change the name of the AWS VPC back to the original name.

Create a secure environment for AWS-managed traffic

If you have a proxy configured on the Cloud Connectors, then you must create the host connection to use the proxy so that API calls made by MCS are properly routed through the proxy. MCS enables network traffic (API calls from Citrix Cloud to AWS hypervisor) to be routed through Cloud Connectors in your environment.

The host connection can read the WinHTTP system proxy value that is configured during Cloud Connector installation. You can currently configure the proxy by setting the custom property UseSystemProxyForHypervisorTrafficOnConnectors to True when creating or updating a host connection using PowerShell.

Note:

If your environment uses a proxy, ensure that SSL inspection is disabled or SSL connection remains unaltered for https://workspaces-instances.*.api.aws/.

Create a host connection configured with the proxy

  1. Open a PowerShell window.
  2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
  3. Run the PowerShell commands to configure the proxy. For example:

    $connectionName = "demo-hostingconnection"
    $cloudRegion = "us-east-1"
    $apiKey = "aaaaaaaaaaaaaaaaaaaa"
    $zoneUid = "00000000-0000-0000-0000-000000000000"
    
    $securePassword = Read-Host 'Please enter your secret key' -AsSecureString
    $connectionPath = "XDHyp:\Connections\" + $connectionName
    
    $customProperties = @"
    <CustomProperties xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.citrix.com/2014/xd/machinecreation">
    <Property xsi:type="StringProperty" Name="UseSystemProxyForHypervisorTrafficOnConnectors" Value="True" />
    </CustomProperties>
    "@
    
  4. Create a hosting connection. For example:

    $connection = New-Item -Path $connectionPath `
        -ConnectionType "Custom" -PluginId "AmazonWorkSpacesCoreMachineManagerFactory" `
        -HypervisorAddress "https://workspaces-instances.$($cloudRegion).api.aws" `
        -CustomProperties $customProperties `
        -Persist -Scope @() `
        -UserName $apiKey -SecurePassword $securePassword `
        -ZoneUid $zoneUid

    New-BrokerHypervisorConnection -HypHypervisorConnectionUid $connection.HypervisorConnectionUid
    

To enable the proxy for an existing host connection, see Enable the proxy on an existing connection.

Edit a connection

You can edit an existing host connection to:

Edit options to provide IAM permissions

  1. Right-click an existing Amazon WorkSpaces Core connection.
  2. On the Connection Properties page, click Edit settings.
  3. Select one of the options to provide IAM permissions for Citrix to manage resources. Enter the required details and click Save.

Modify the maximum number of simultaneous actions

When you create host connections in Studio for Amazon WorkSpaces Core Managed Instances, the following default values display:

Option                                        Absolute   Percentage
Simultaneous actions (all types)              125        100
Maximum new actions per minute                150        n/a
Maximum concurrent provisioning operations    150        n/a

MCS supports 150 maximum concurrent provisioning operations by default.

You can configure these values in the Advanced section of the Edit Connection screen in Citrix Studio.

Alternatively, you can use the Remote PowerShell SDK to set the maximum number of concurrent operations for optimal settings per your environment.

Use the PowerShell custom property, MaximumConcurrentProvisioningOperations, to specify the maximum number of concurrent AWS provisioning operations.

Before configuration:

  • Ensure that you have installed the PowerShell SDK for Cloud.
  • Understand that the default value for MaximumConcurrentProvisioningOperations is 150.

Perform the following steps to customize the MaximumConcurrentProvisioningOperations value:

  1. Open a PowerShell window.
  2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
  3. Enter cd xdhyp:\Connections\.
  4. Enter dir to list the connections.
  5. Change or Initialize the Custom Properties string:

    • If the Custom Properties string has a value, copy the Custom Properties into Notepad. Next, change the MaximumConcurrentProvisioningOperations property to your preferred value. You can enter a value ranging 1–1000. For example, <Property xsi:type="IntProperty" Name="MaximumConcurrentProvisioningOperations" Value="xyz"/>.

    • If the Custom Properties string is empty or null, you must initialize the string by entering the proper syntax for both the schema and the MaximumConcurrentProvisioningOperations property.

  6. In the PowerShell window, paste the modified Custom Properties from Notepad and assign a variable to the modified Custom Properties. If you initialized the Custom Properties, add the following lines after the syntax:

    $customProperties = '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Property xsi:type="IntProperty" Name="MaximumConcurrentProvisioningOperations" Value="100"/></CustomProperties>'
    

    This string sets the MaximumConcurrentProvisioningOperations property to 100. In the Custom Properties string, you must set the MaximumConcurrentProvisioningOperations property to a value that aligns with your needs.

  7. Enter Get-XDAuthentication, which prompts you for your credentials.
  8. Run $cred = Get-Credential, which might prompt you for solely a Password (or a Name and Password). You might also be prompted for the application ID and associated secret. For connections using role-based authentication, role_based_auth is both the Name and Password. Otherwise, enter the AWS API ID and secret.
  9. Run Set-Item -PSPath 'XDHyp:\Connections\<connection-name>' -CustomProperties $customProperties -UserName $cred.UserName -SecurePassword $cred.Password. Replace <connection-name> with the name of the connection.
  10. Enter dir to verify the updated CustomProperties string.

Configure security groups per network interface

When editing a host connection, you can now configure the maximum number of security groups allowed per elastic network interface (ENI) using a PowerShell command. For information on AWS security groups quota values, see Security groups.

To configure security groups per network interface:

  1. Open a PowerShell window.
  2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
  3. Run cd xdhyp:\Connections\.
  4. Run dir to list the connections.
  5. Run the following PowerShell command to configure security groups per network interface:

    Set-HypHypervisorConnectionMetadata -HypervisorConnectionName <connection-name> -Name "Citrix_MachineManagement_Options" -Value "AwsMaxENISecurityGroupLimit=<number>"

    Replace <connection-name> with the name of the connection listed by dir, and <number> with the limit you want.
    

    Note:

    If you do not set a value for AwsMaxENISecurityGroupLimit, then it takes the default value of 5.

Enable the proxy on an existing connection

  1. Open a PowerShell window.
  2. Run the following commands.

    Add-PSSnapin citrix*
    cd XDHyp:\Connections\
    dir
    
  3. Copy the CustomProperties from the connection to a notepad and append property setting <Property xsi:type="StringProperty" Name="UseSystemProxyForHypervisorTrafficOnConnectors" Value="True" /> to the CustomProperties to enable the proxy.
  4. In the PowerShell window, assign a variable to the modified custom properties. For example:

    $customProperties = '<CustomProperties xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.citrix.com/2014/xd/machinecreation">
    <Property xsi:type="StringProperty" Name="UseSystemProxyForHypervisorTrafficOnConnectors" Value="True" />
    </CustomProperties>'

  5. Enter Get-XDAuthentication, which prompts you for your credentials.
  6. Run $cred = Get-Credential, which might prompt you for solely a Password (or a Name and Password). You might also be prompted for the application ID and associated secret. For connections using role-based authentication, role_based_auth is both the Name and Password. Otherwise, enter the AWS API ID and secret.

  7. Run Set-Item -PSPath 'XDHyp:\Connections\<connection-name>' -CustomProperties $customProperties -UserName $cred.UserName -SecurePassword $cred.Password. Replace <connection-name> with the name of the connection.
  8. Enter dir to verify the updated CustomProperties string.
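The two procedures above (setting MaximumConcurrentProvisioningOperations and enabling the proxy on an existing connection) both edit the same CustomProperties XML by hand in Notepad, which is easy to get wrong: the namespace must match the schema, and a property that already exists must be updated rather than appended a second time. The following PowerShell function is an added example, not part of the Citrix SDK or of Citrix's documentation: it upserts one Property element in the XML string, initialises the schema when the string is empty or null, and enforces the 1 to 1000 range the page gives for MaximumConcurrentProvisioningOperations. The function name and the sample XML strings are constructed for this example.

```powershell
# Added example, not Citrix SDK or documentation code. Upserts one <Property> in a
# hosting connection's CustomProperties XML while keeping existing properties intact.
function Set-CitrixCustomProperty {
    param(
        [string]$CustomProperties = '',   # current XML string; may be empty or $null
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('StringProperty', 'IntProperty')][string]$Type,
        [Parameter(Mandatory)][string]$Value
    )
    $mc  = 'http://schemas.citrix.com/2014/xd/machinecreation'
    $xsi = 'http://www.w3.org/2001/XMLSchema-instance'

    # The page documents 1-1000 as the valid range for this property
    if ($Name -eq 'MaximumConcurrentProvisioningOperations') {
        $n = 0
        if (-not [int]::TryParse($Value, [ref]$n) -or $n -lt 1 -or $n -gt 1000) {
            throw "MaximumConcurrentProvisioningOperations must be an integer from 1 to 1000, got '$Value'"
        }
    }

    # Empty or null CustomProperties: initialise the document with the expected schema
    if ([string]::IsNullOrWhiteSpace($CustomProperties)) {
        $CustomProperties = "<CustomProperties xmlns=`"$mc`" xmlns:xsi=`"$xsi`" />"
    }
    [xml]$doc = $CustomProperties
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('mc', $mc)

    # Reuse an existing element of the same Name so the property is never duplicated
    $prop = $doc.SelectSingleNode("/mc:CustomProperties/mc:Property[@Name='$Name']", $nsm)
    if ($null -eq $prop) {
        $prop = $doc.CreateElement('Property', $mc)
        $doc.DocumentElement.AppendChild($prop) | Out-Null
    }
    $typeAttr = $prop.GetAttributeNode('type', $xsi)
    if ($null -eq $typeAttr) {
        $typeAttr = $doc.CreateAttribute('xsi', 'type', $xsi)
        $prop.Attributes.Append($typeAttr) | Out-Null
    }
    $typeAttr.Value = $Type
    $prop.SetAttribute('Name', $Name)
    $prop.SetAttribute('Value', $Value)
    return $doc.OuterXml
}

# Constructed sample: a connection that already routes hypervisor traffic through the proxy
$existing = '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Property xsi:type="StringProperty" Name="UseSystemProxyForHypervisorTrafficOnConnectors" Value="True" /></CustomProperties>'

# Add the concurrency limit next to the proxy setting, then change it again:
# the second call updates Value in place instead of appending a second element
$updated = Set-CitrixCustomProperty -CustomProperties $existing -Name MaximumConcurrentProvisioningOperations -Type IntProperty -Value 100
$updated = Set-CitrixCustomProperty -CustomProperties $updated  -Name MaximumConcurrentProvisioningOperations -Type IntProperty -Value 200
$updated

# Fresh connection with no CustomProperties yet: enable the proxy from scratch
$fresh = Set-CitrixCustomProperty -CustomProperties $null -Name UseSystemProxyForHypervisorTrafficOnConnectors -Type StringProperty -Value True
$fresh

# Out-of-range values are rejected before anything is written to the connection
try { Set-CitrixCustomProperty -CustomProperties $fresh -Name MaximumConcurrentProvisioningOperations -Type IntProperty -Value 5000 }
catch { Write-Warning $_.Exception.Message }
```

To apply the result, read the current string from the connection (the CustomProperties shown by dir under XDHyp:\Connections\), pass it in as -CustomProperties, and write the returned string back with the Set-Item command from step 7 of the procedure above: Set-Item -PSPath "XDHyp:\Connections\$connectionName" -CustomProperties $updated -UserName $cred.UserName -SecurePassword $cred.Password. Keeping the read-modify-write in one function means a proxy-enabled connection never loses its proxy setting when the concurrency limit is changed later.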

Service endpoint URL

Standard zone service endpoint URL

When you use MCS, a new Amazon WorkSpaces Core Managed Instances connection is added with an API key and an API secret. With this information, along with the authenticated account, MCS queries AWS for the supported zones using the EC2 DescribeRegions API call. The query is made using the WorkSpaces Instances service endpoint URL https://workspaces-instances.us-east-1.api.aws. In MCS, select the zone for the connection from the list of supported zones; the preferred AWS service endpoint URL for that zone is selected automatically. After the connection is created, the URL can no longer be set or modified.

Non-standard service endpoint URL

There can be situations where you do not want the automatically chosen AWS service endpoint URL for the connection. For such cases, you can use the Citrix Cloud SDK and PowerShell to create a connection and pass the service endpoint URL explicitly in -HypervisorAddress, replacing it with the non-standard URL you need (for example, an endpoint in a different partition, such as the EC2 endpoint https://ec2.cn-north-1.amazonaws.com.cn in AWS China):

  1. Set up the AWS hosted Cloud Connector and ensure that it has connectivity.
  2. Run the following PowerShell commands to see the list of Cloud Connectors.

     PS C:\> asnp citrix.*
     PS C:\> Get-XDAuthentication
     PS C:\> Get-ConfigEdgeServer
    
  3. Find the ZoneUid of the newly created Cloud Connector and use it in the following PowerShell commands, replacing the placeholders (ZoneUid, API key, API secret, and the service endpoint URL passed to -HypervisorAddress) with your values.

    PS C:\> $cloudRegion = "<region>"
    PS C:\> $securePassword = Read-Host 'Please enter your secret key' -AsSecureString
    PS C:\> $hyp = New-Item -Path xdhyp:\Connections -ZoneUid "<ZoneUid>" -Name "My New Connection" -ConnectionType "Custom" -HypervisorAddress @("https://workspaces-instances.$($cloudRegion).api.aws") -PluginId "AmazonWorkSpacesCoreMachineManagerFactory" -UserName "<APIkey>" -SecurePassword $securePassword -Persist

    PS C:\> New-BrokerHypervisorConnection -HypHypervisorConnectionUid $hyp.HypervisorConnectionUid
    
  4. Refresh the Hosting tab to verify that the connection has been created.
  5. Add a resource location using the new connection.

Required AWS permissions

This section contains the complete list of AWS permissions. Use the complete set of permissions as given in the section for the functionality to work correctly.

Note:

The iam:PassRole permission is needed only for using IAM roles for Citrix to manage resources.

Creating a host connection

A new host connection is added using the information obtained from AWS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "workspaces-instances:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Power management of VMs

VMs are powered on or off.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:DescribeInstanceStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "workspaces-instances:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Creating, updating, or deleting VMs

A machine catalog is created, updated, or deleted with VMs provisioned as AWS instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:AssociateIamInstanceProfile",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateImage",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstanceAttribute",
                "ec2:GetLaunchTemplateData",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DetachVolume",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ebs:StartSnapshot",
                "ebs:GetSnapshotBlock",
                "ebs:PutSnapshotBlock",
                "ebs:CompleteSnapshot",
                "ebs:ListSnapshotBlocks",
                "ebs:ListChangedBlocks",
                "ec2:CreateSnapshot"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "workspaces-instances:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }

    ]
}

Note:

  • The EC2 section related to SecurityGroups is only needed if an Isolation Security Group must be created for the Preparation VM during catalog creation. Once this is done, these permissions are not required.

Direct disk upload and download

The following permissions must be added to the policy:

  • ebs:StartSnapshot
  • ebs:GetSnapshotBlock
  • ebs:PutSnapshotBlock
  • ebs:CompleteSnapshot
  • ebs:ListSnapshotBlocks
  • ebs:ListChangedBlocks
  • ec2:CreateSnapshot
  • ec2:DeleteSnapshot
  • ec2:DescribeLaunchTemplates

EBS encryption of created volumes

EBS can auto-encrypt newly created volumes if the AMI is encrypted, or EBS is configured to encrypt all new volumes. However, to implement the functionality, the following permissions must be included in the IAM policy.

{
     "Version": "2012-10-17",
     "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                 "kms:CreateGrant",
                 "kms:Decrypt",
                 "kms:DescribeKey",
                 "kms:GenerateDataKeyWithoutPlainText",
                 "kms:GenerateDataKey",
                 "kms:ReEncryptTo",
                 "kms:ReEncryptFrom"
            ],
            "Resource": "*"
        }
    ]
}

Note:

The permissions can be limited to specific keys by including a Resource and Condition block at the discretion of the user. For example, KMS Permissions with Condition:

{
     "Version": "2012-10-17",
     "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                 "kms:CreateGrant",
                 "kms:Decrypt",
                 "kms:DescribeKey",
                 "kms:GenerateDataKeyWithoutPlainText",
                 "kms:GenerateDataKey",
                 "kms:ReEncryptTo",
                 "kms:ReEncryptFrom"
            ],
            "Resource": [
                "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

The following statement from the default key policy for KMS keys is the one that allows the account to use IAM policies to delegate permission for all actions (kms:*) on the KMS key. Without it, the IAM permissions above have no effect on the key.

{
    "Sid": "Enable IAM policies",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "kms:*",
    "Resource": "*"
}

For more information, see the AWS Key Management Service official documentation.

IAM role-based authentication

The following permissions are added to support role-based authentication.

{
     "Version": "2012-10-17",
     "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*"
        }
    ]
}

Minimal IAM permissions policy

The following JSON can be used for all currently supported features. With this policy you can create host connections, create, update, or delete VMs, and perform power management. Apply the policy to users as explained in the Define IAM permissions section, or use role-based authentication by selecting Use IAM role when configuring a host connection.

Important:

To use IAM roles for Citrix to manage resources, first attach the desired IAM role to the Cloud Connector EC2 instance when setting up the Cloud Connector. Then, in Citrix Studio, add the hosting connection and select the Use IAM role option. A hosting connection with these settings uses role-based authentication.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:AssociateIamInstanceProfile",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateImage",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateNetworkInterface",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DeregisterImage",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstanceAttribute",
                "ec2:GetLaunchTemplateData",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DetachVolume",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:RebootInstances",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ebs:StartSnapshot",
                "ebs:GetSnapshotBlock",
                "ebs:PutSnapshotBlock",
                "ebs:CompleteSnapshot",
                "ebs:ListSnapshotBlocks",
                "ebs:ListChangedBlocks",
                "ec2:CreateSnapshot"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                 "kms:CreateGrant",
                 "kms:Decrypt",
                 "kms:DescribeKey",
                 "kms:GenerateDataKeyWithoutPlainText",
                 "kms:GenerateDataKey",
                 "kms:ReEncryptTo",
                 "kms:ReEncryptFrom"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "workspaces-instances:*"
            ],
            "Resource": "*"
        }

    ]
}

Note:

  • The EC2 section related to SecurityGroups is only needed if an Isolation Security Group must be created for the Preparation VM during catalog creation. Once this is done, these permissions are not required.
  • The KMS section is only required when using EBS volume encryption.
  • The iam:PassRole permission section is needed only for using IAM roles for Citrix to manage resources.
  • Specific resource-level permissions can be added instead of full access based on your requirements and environment. Refer to AWS documents Demystifying EC2 Resource-Level Permissions and Access management for AWS resources for more details.
  • Use ec2:CreateNetworkInterface and ec2:DeleteNetworkInterface permissions only if you are using the volume worker method.
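The policies in this section grant every action on Resource "*", and the notes recommend tightening that for production. When you do, you need to confirm two things: that the scoped-down policy still allows every action Citrix DaaS calls, and which mutating actions are still granted on every resource. The following PowerShell is an added example, not Citrix or AWS code: it reads an IAM policy document, matches the required actions against the policy's Allow statements using IAM's * and ? wildcards, and reports gaps and remaining wildcard grants. The required-action list is taken from the host connection and power management blocks above; the production policy it checks is constructed for the example and deliberately omits ec2:RebootInstances. It is a syntactic check only: Deny statements, Condition blocks, SCPs, and resource policies are not evaluated, so use the IAM policy simulator for an authoritative answer.

```powershell
# Added example, not Citrix or AWS code. Syntactic comparison of an IAM policy against the
# actions Citrix DaaS needs; Deny, Condition, SCPs and resource policies are not evaluated.

function Get-PolicyAllows {
    param([Parameter(Mandatory)][string]$PolicyJson)
    $policy = $PolicyJson | ConvertFrom-Json
    foreach ($stmt in @($policy.Statement)) {
        if ($stmt.Effect -ne 'Allow') { continue }
        # Action and Resource may each be a single string or an array in IAM JSON
        foreach ($action in @($stmt.Action)) {
            foreach ($resource in @($stmt.Resource)) {
                [pscustomobject]@{ Action = $action; Resource = $resource }
            }
        }
    }
}

function Test-CitrixIamPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyJson,
        [Parameter(Mandatory)][string[]]$RequiredActions
    )
    $allows = @(Get-PolicyAllows -PolicyJson $PolicyJson)
    $missing = foreach ($req in $RequiredActions) {
        # IAM action patterns use * and ?, the same wildcards PowerShell -like understands
        if (-not ($allows | Where-Object { $req -like $_.Action })) { $req }
    }
    # Non-read actions still granted on every resource are the candidates for tightening
    $wildcardMutating = $allows |
        Where-Object { $_.Resource -eq '*' -and $_.Action -notmatch ':(Describe|Get|List)' } |
        Select-Object -ExpandProperty Action -Unique
    [pscustomobject]@{
        Missing          = @($missing)
        WildcardMutating = @($wildcardMutating)
    }
}

# Actions the page lists for creating a host connection and power-managing VMs
$required = @(
    'ec2:DescribeAvailabilityZones', 'ec2:DescribeSubnets', 'ec2:DescribeVpcs', 'ec2:DescribeRegions',
    'ec2:DescribeInstances', 'ec2:DescribeInstanceStatus',
    'ec2:StartInstances', 'ec2:StopInstances', 'ec2:RebootInstances',
    'workspaces-instances:*'
)

# Constructed production policy: read-only actions stay on "*", power actions are scoped to
# instances in one account and region (no tag or naming conditions, which the page says
# Citrix does not support), and RebootInstances was forgotten.
$productionPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" },
    { "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*" },
    { "Effect": "Allow", "Action": ["workspaces-instances:*"], "Resource": "*" }
  ]
}
'@

$report = Test-CitrixIamPolicy -PolicyJson $productionPolicy -RequiredActions $required
$report.Missing
$report.WildcardMutating
```

With the constructed policy, the report lists ec2:RebootInstances as missing and workspaces-instances:* as the only non-read grant still on every resource. To check your own environment, replace $required with the full action list from the Minimal IAM permissions policy above and $productionPolicy with the document you intend to attach; the check runs offline and needs no AWS credentials.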
