# Create a Managed Access

A Managed Access contains the necessary information to allow the service to access your AWS account to perform the necessary operations to deploy the Alluxio cluster. Because all resources are created within the user's AWS account, this sequence of steps must be completed before defining the Alluxio cluster. Learn more about the [split plane architecture](https://documentation.alluxio.io/rad/architecture-and-security/split-plane-architecture) to understand the purpose of this step.

{% hint style="info" %}
If this is your first time, watch the following tutorial video.
{% endhint %}

{% embed url="https://www.youtube.com/watch?v=2r7L2jbNsEo" %}

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-02ff7edca5e032eb388908eebd6ad28d07521d6f%2Fimage%20(1)%20(1)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

Click the Managed Access link in the left navigation bar to view the current set of Managed Access entries. Click the Add button to create a new entry.

## Step 1: Set AWS account ID

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-0e25892a89202278f023441889c19ab41aa40bb8%2Fimage%20(3)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

The first piece of information needed is your 12-digit AWS account ID. After logging in to the AWS web console, you can find and copy this ID from the account dropdown menu at the upper right.

## Step 2: Create IAM policy

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-457dd9f612d611742d14ce57ba4a0ed9c301b91e%2Fimage%20(4).png?alt=media" alt=""><figcaption></figcaption></figure>

Next, create an IAM policy that grants the specific permissions the service needs; the policy definition is a JSON document. Follow the instructions to go to the [Policies page](https://console.aws.amazon.com/iam/home#/policies) and click Create Policy.

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-5b492cddead654beef2411b6de391826b5d59d28%2Fimage%20(5).png?alt=media" alt=""><figcaption></figcaption></figure>

Click the JSON button to switch the editor to text mode.

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-f62403893fa8bfb104bd05d671ce4635e85d6add%2Fimage%20(6).png?alt=media" alt=""><figcaption></figcaption></figure>

From the RAD UI, click Copy JSON to copy the policy text to the clipboard. In the AWS console, replace the placeholder text by pasting the clipboard contents, then click Next to continue.

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-b9dc882786d13676be341a57af758df5195e2e60%2Fimage%20(8).png?alt=media" alt=""><figcaption></figcaption></figure>

On the final screen, provide a policy name and click Create Policy to complete this step.

## Step 3: Create IAM role

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-9b423ac7dd7e13d348d1f2c463bc7cea294179c2%2Fimage%20(9).png?alt=media" alt=""><figcaption></figcaption></figure>

Finally, create an IAM role with the previously created policy attached. Follow the instructions to go to the [Roles page](https://console.aws.amazon.com/iam/home#/roles) and create a new role.

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-cf2c9f5f4d400ccbf569dd01ec7b9cdf969e7de3%2Fimage%20(10).png?alt=media" alt=""><figcaption></figcaption></figure>

Select `AWS account` as the Trusted entity type. In the section that then appears below, select `Another AWS account` and paste the account ID `767397899727`.

> The AWS account ID entered as the "Another AWS account" is the management AWS account that issues the deployment commands to your AWS account.

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-68c0545fcb6bc5996aa39e65c9cd91e6de765fce%2Fimage%20(11).png?alt=media" alt=""><figcaption></figcaption></figure>

Check the Require external ID checkbox and copy the external ID from the RAD UI into the field. Click Next to proceed to the next section.

> The [external ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) is a recommended setting when delegating access to another AWS account.

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-8db2bfe768c9fbe17c2d11585db5d8854050c9c2%2Fimage%20(12).png?alt=media" alt=""><figcaption></figcaption></figure>

Attach the previously created policy and click Next to proceed.

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-da90cae208843f893524a061fef2c3a8ffa5ad3d%2Fimage%20(13).png?alt=media" alt=""><figcaption></figcaption></figure>

Provide a role name and click Create Role to complete this step.

## Create and validate managed access

On the overview page of the IAM roles, search for and click on the newly created role.

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-30e2d4f98726a4cbf10f68e0e46b2774e07250b3%2Fimage%20(14).png?alt=media" alt=""><figcaption></figcaption></figure>

Complete the creation of the Managed Access by providing:

* The ARN of the newly created IAM role
* The external ID set for the IAM role (already filled in)
* The AWS region to deploy the cluster in (defaults to `us-east-1`)
* Optionally, for advanced users, your SSH public key, which is used to grant SSH access to the cluster instances after deployment

After confirming the creation of the Managed Access, it will appear in the table of Managed Access entries.

{% hint style="info" %}
Creation of the Managed Access only succeeds once the service has validated the IAM role by successfully authenticating to AWS with it.

If the operation fails, double-check that the AWS account ID in the role definition is `767397899727` and that the external ID matches the one provided by the RAD UI. This information is found under the Trust relationships tab when viewing the details of the IAM role.

Note that it can also take a few minutes for AWS to recognize the IAM role, especially when updating an existing role rather than creating a new one. If the information is correct but validation continues to fail, wait a few minutes before trying again.
{% endhint %}
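As an added example that is not part of the Alluxio documentation, the following Python checks a role's trust policy for exactly the two conditions the hint above tells you to verify: that the management account `767397899727` is the trusted principal for `sts:AssumeRole`, and that an `sts:ExternalId` condition is present and matches the value from the RAD UI. The embedded policy is a constructed sample whose external ID is a placeholder; `check_trust_policy` and `_as_list` are names chosen here.

```python
import json

# Constructed sample (not from the page): the shape the AWS console produces for
# trusted entity "Another AWS account" with "Require external ID" checked. The
# external ID is a placeholder; the real value comes from the RAD UI.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::767397899727:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})
RAD_MANAGEMENT_ACCOUNT = "767397899727"  # management account ID given on the page


def _as_list(value):
    """IAM allows most fields as a single value or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_account, expected_external_id):
    """Return the problems found in a role trust policy; [] means it is valid.

    Mirrors the validation hint: an Allow statement must grant sts:AssumeRole to
    the management account AND require the external ID issued by the RAD UI.
    Fetch the real document with:
      aws iam get-role --role-name <ROLE> --query Role.AssumeRolePolicyDocument
    """
    problems, trusted = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        prin = stmt.get("Principal", {})  # may be the string "*" or {"AWS": ...}
        principals = _as_list(prin if isinstance(prin, str) else prin.get("AWS"))
        if "*" in principals:
            problems.append("wildcard principal: any AWS account could assume this role")
        # Accept both forms the console may store: bare account ID or the :root ARN.
        if not any(p in (expected_account, f"arn:aws:iam::{expected_account}:root") for p in principals):
            continue
        trusted = True
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            problems.append("no sts:ExternalId condition: the external ID is not required")
        elif ext_id != expected_external_id:
            problems.append(f"sts:ExternalId is {ext_id!r}, expected {expected_external_id!r}")
    if not trusted:
        problems.append(f"account {expected_account} is not trusted for sts:AssumeRole")
    return problems
```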

<figure><img src="https://3120376371-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmrwbXqYrN8NJJz04XpWG%2Fuploads%2Fgit-blob-ad8494bcafb929943af17d28ccf5fd3c1881f7a5%2Fimage%20(31).png?alt=media" alt=""><figcaption></figcaption></figure>
