This section guides you through management of AWS IAM roles needed for operating Viz Now with your AWS account.

Clarifying the required permissions and following the practices below is what keeps operations secure and reliable.

Overview

Viz Now requires two IAM roles:

IAM Role Name        | Purpose                                 | Used By
---------------------|-----------------------------------------|-----------------
viz-now-deploy-infra | Provisions infrastructure via Terraform | Deployment Agent
viz-now-manage       | Manages deployed instances              | Control Plane

These roles are assumed using AWS STS (Security Token Service), and their ARNs are stored securely in Viz Now.

Prerequisites

  • An active AWS account.

  • IAM Administrator access to AWS.

  • Administrator access to the Viz Now platform.

Update Existing IAM Roles

If your AWS account already has Viz Now IAM roles defined, follow these guidelines to update them.

Note: If your AWS account has no Viz Now IAM roles defined, first see the section Creating First IAM Role.

IAM Roles

You will update both the Deploy and Management IAM roles and their associated inline policies.

To update an IAM role in Viz Now

This procedure assumes that your Viz Now user details are already set up in AWS. See the Note above.

  1. Log in to your AWS Management Console with IAM Administrator permissions.
    Keep this tab active in your browser.

  2. Log in to Viz Now and navigate to Organization > Infrastructure tab > Manage IAM Roles.
    In this panel you define the IAM Role ARNs for the Deploy and Control Plane functionality.

    Keep this tab active in your browser.

    Deploy role

  3. Update the inline policy:

    1. Switch to the AWS console, go to IAM > Roles and, on the role's Permissions tab, search for the required inline policy.
      Its name is the same as in the Viz Now UI. Click it to open.

    2. Go back to Viz Now and in the Manage IAM Roles panel, next to Deploy Role, click the Question mark icon, and then click Copy inline policy.
      (This saves the policy details to the clipboard.)

    3. Switch back to the AWS Console Policy editor and click the JSON button.

    4. In the Policy editor, paste in the inline policy from the clipboard.

    5. Click Next and then click Save changes.

    6. A confirmation message is displayed.



    Management Role

    You now repeat the same steps for the Management role.

  4. In Viz Now, next to the input field Management Role, click the Question mark icon.

    1. From the pop-up, click Copy inline policy.

    2. In the AWS Console, search for the required manage role, in this example, viz-now-manage, and click on it to display a Summary page.

    3. Select the Permissions tab and then its contained policy.
      The Policy editor page opens:

    4. Paste in the inline policy that you copied to your clipboard, replacing the existing JSON.
      For an example, see the code below.

    5. Click Save changes.

  5. Validate IAM Role in Viz Now:

    1. Click Cancel.

    2. In Viz Now Manage IAM Roles panel, click Validate Roles.

    3. A confirmation message is displayed.

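After the policy from Viz Now has been pasted and saved, it is worth confirming that what is now attached to the role is really identical to what you copied, and that nothing else drifted. The script below is an added example, not Viz Now's own tooling: it compares two policy documents statement by statement (keyed by Sid) and, through boto3, can read the role's inline policy and push the desired one. The role name, the inline policy name and the two sample policies are constructed assumptions for the example.

```python
"""Check whether the inline policy copied from Viz Now matches the one
attached to the role in AWS, and optionally push it. Added example, not
Viz Now's own tooling; the sample policies are constructed."""
import json
from typing import Any

# Constructed sample of what is currently attached to the role in AWS.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Sid": "Tags", "Effect": "Allow", "Action": "tag:*", "Resource": "*"},
    ],
}

# Constructed sample of what the "Copy inline policy" button put on the clipboard.
DESIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Sid": "Flows", "Effect": "Allow", "Action": "mediaconnect:ListFlows", "Resource": "*"},
    ],
}


def canonical(policy: Any) -> str:
    """Serialise a policy with sorted keys and no whitespace, so documents
    that differ only in formatting or key order compare equal."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return json.dumps(policy, sort_keys=True, separators=(",", ":"))


def _statements(policy: Any) -> dict[str, str]:
    """Map each statement to its Sid (or its position when it has none) and its canonical text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # IAM accepts a single statement object instead of a list
        stmts = [stmts]
    return {s.get("Sid", f"#{i}"): canonical(s) for i, s in enumerate(stmts)}


def policy_diff(current: Any, desired: Any) -> list[str]:
    """Describe statement-level differences between two policy documents.
    Returns an empty list when they are semantically identical."""
    cur, new = _statements(current), _statements(desired)
    changes = []
    for key in sorted(set(cur) | set(new)):
        if key not in cur:
            changes.append(f"added {key}")
        elif key not in new:
            changes.append(f"removed {key}")
        elif cur[key] != new[key]:
            changes.append(f"changed {key}")
    return changes


def sync_role_policy(role_name: str, policy_name: str, desired: Any, apply: bool = False) -> list[str]:
    """Fetch the role's inline policy, report the diff and, when apply=True and
    there are differences, write the desired document. Requires boto3 and
    credentials with IAM administrator rights; boto3 is imported lazily so the
    pure functions above run offline. role_name and policy_name are whatever
    your account uses (hypothetical here)."""
    import boto3  # only needed for this function

    iam = boto3.client("iam")
    current = iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)["PolicyDocument"]
    changes = policy_diff(current, desired)
    if changes and apply:
        iam.put_role_policy(RoleName=role_name, PolicyName=policy_name, PolicyDocument=canonical(desired))
    return changes


if __name__ == "__main__":
    for line in policy_diff(CURRENT_POLICY, DESIRED_POLICY):
        print(line)
```

Run it first with apply=False and review the reported changes; a "removed" entry for a statement you did not expect to lose is the signal that the wrong policy was pasted or that the role was edited outside this procedure.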

Permissions Explained

Deploy Role (viz-now-deploy-infra)

The Deploy role grants broad permissions so that Spacelift can deploy infrastructure using Terraform. As delivered, every permission applies to all resources ("Resource": "*"); the Resource Scope column shows how each one can be narrowed.

Permission | Purpose                  | Resource Scope
-----------|--------------------------|------------------------------
iam:*      | Manages IAM roles/users  | Scope to specific roles
s3:*       | Manages S3 buckets       | Scope to specific buckets
kms:*      | Manages encryption keys  | Scope to specific keys
route53:*  | Configures DNS           | Scope to specific zones
sts:*      | Assumes roles            | Necessary for Spacelift
ec2:*      | Provisions EC2 resources | Scope to specific VPCs
tag:*      | Applies tags             | All (*)
logs:*     | Manages CloudWatch logs  | Scope to specific log groups

Manage Role (viz-now-manage)

The Manage role enables Viz Now to perform operational tasks on deployed instances. Permissions are scoped to specific resources whenever possible.

Key Tasks Enabled by Manage Role

  • Increase service quotas for AWS resources.

  • Reserve specific EC2 instance types.

  • Create S3 buckets for file storage.

  • Manage security groups for IP-based access.

  • Handle VPC peering.

  • Start, stop, or destroy instances.

  • Manage MediaConnect flows for streaming.

Permission                       | Purpose                    | Resource Scope
---------------------------------|----------------------------|---------------------------------------------------
iam:*                            | Manages IAM configurations | All (*)
kms:*                            | Manages encryption keys    | All (*)
route53:*                        | Updates DNS                | All (*)
servicequotas:*                  | Increases quotas           | All (*)
s3:*                             | Manages S3 buckets         | All (*)
ec2:*                            | Manages instances          | All (*)
tag:*                            | Manages tags               | All (*)
sts:*                            | Assumes roles              | All (*)
logs:*                           | Manages CloudWatch logs    | All (*)
ssm:SendCommand                  | Executes commands          | SSM documents & tagged EC2 instances (VizNow=true)
ssm:ListCommandInvocations, etc. | Checks command status      | All (*)
ssm:ListInventoryEntries, etc.   | Retrieves instance details | Tagged resources (VizNow=true)
mediaconnect:CreateFlow          | Creates MediaConnect flows | All (*)
mediaconnect:* (multiple)        | Manages MediaConnect flows | Flows named VizNow-*
mediaconnect:ListFlows, etc.     | Lists flows                | All (*)
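Both permission tables above leave most service-wide wildcards at "Resource": "*", while the ssm entries show the narrowing that is already in use: a condition on the VizNow=true tag. The script below is an added example, not part of Viz Now's policies: it lists the Allow statements that grant non-read actions on every resource without any condition, and produces a copy narrowed with an aws:ResourceTag/VizNow condition in the same style as the ssm:SendCommand entry. The sample policy is constructed to resemble the manage-role table; the read-only prefix heuristic and the choice of aws:ResourceTag as the narrowing mechanism are assumptions of this example, and the caveat in the code applies.

```python
"""Flag Allow statements that grant non-read actions on "Resource": "*"
and show a copy narrowed with the VizNow=true tag condition the page uses
for ssm:SendCommand. Added example; the policy is constructed to mirror
the permission tables, not copied from Viz Now."""
import copy
from typing import Any

TAG_KEY, TAG_VALUE = "VizNow", "true"
# Action-name prefixes that only read metadata. List/Describe/Get APIs
# usually have no finer resource, so "*" is unavoidable for them.
READ_PREFIXES = ("Describe", "List", "Get")

# Constructed sample with the shape of the manage-role permissions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Iam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "Ec2", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Sid": "SsmStatus", "Effect": "Allow",
         "Action": ["ssm:ListCommandInvocations", "ssm:GetCommandInvocation"], "Resource": "*"},
        {"Sid": "SsmRun", "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/VizNow": "true"}}},
        {"Sid": "Flows", "Effect": "Allow", "Action": "mediaconnect:ListFlows", "Resource": "*"},
    ],
}


def _as_list(value: Any) -> list:
    """IAM allows a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def unscoped_statements(policy: dict) -> list[str]:
    """Return the Sids (or positions) of Allow statements that cover every
    resource, carry no Condition, and include at least one non-read action."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        # strip the service prefix: "ssm:ListCommandInvocations" -> "ListCommandInvocations"
        actions = [a.split(":", 1)[-1] for a in _as_list(stmt.get("Action", []))]
        if all(a.startswith(READ_PREFIXES) for a in actions):
            continue
        flagged.append(stmt.get("Sid", f"#{i}"))
    return flagged


def scope_by_tag(policy: dict, sids: list[str]) -> dict:
    """Return a deep copy in which the named statements only apply to
    resources tagged VizNow=true. Caveat: aws:ResourceTag is evaluated
    against the target resource, so under this condition Create*/Run* calls
    (no tagged resource exists yet; those need aws:RequestTag) and actions on
    resource types that cannot be tagged are denied. Validate the narrowed
    policy in a non-production account before applying it."""
    narrowed = copy.deepcopy(policy)
    for stmt in _as_list(narrowed.get("Statement", [])):
        if stmt.get("Sid") in sids:
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond[f"aws:ResourceTag/{TAG_KEY}"] = TAG_VALUE
    return narrowed


if __name__ == "__main__":
    todo = unscoped_statements(SAMPLE_POLICY)
    print("unscoped non-read statements:", todo)
    print(scope_by_tag(SAMPLE_POLICY, todo))
```

For the deploy-role recommendations (specific buckets, keys, zones, log groups) explicit ARNs in Resource are the more precise narrowing; the tag condition is the general starting point where a fixed list of resources is not known in advance.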

Additional Resources