Creating an instance - AWS Supply Chain

Creating an instance

Note

You can create up to 10 instances within an AWS account. The 10 instances include active and initializing instances. If you've already activated IAM Identity Center (successor to AWS Single Sign-On), you must create your AWS Supply Chain instance in the same AWS Region where you've activated IAM Identity Center. AWS Supply Chain doesn't support IAM Identity Center calls across Regions.

To create an AWS Supply Chain instance, follow these steps.

Note

Only the AWS Management Console administrator can create an instance. The AWS Management Console administrator who creates the AWS Supply Chain instance should have all permissions listed under Using the AWS Supply Chain console. This administrator should invite an IAM user as an AWS Supply Chain administrator to manage AWS Supply Chain.

  1. Open the AWS Supply Chain console at https://console.aws.amazon.com/scn/home.

  2. If necessary, change the AWS Region. In the bar at the top of the console window, open the Select a Region list and choose a Region. For more information about Regions, see Regions and endpoints in the IAM User Guide. Also, see Regions and endpoints in the Amazon Web Services General Reference.

    Note

    AWS Supply Chain is only supported in the US East (N. Virginia), US West (Oregon), Europe (Frankfurt), Asia Pacific (Sydney), and Europe (Ireland) Regions.

  3. On the AWS Supply Chain dashboard, choose Create instance.

  4. On the Instance properties page, enter the following information:

    • AWS Region – Choose the Region where you have activated IAM Identity Center. To change the Region, choose Select a Region from the dropdown menu at the top right. You can't change the Region after you create the instance.

    • Name – Enter the instance name.

    • (Optional) Description – Enter a description for the instance.

  5. Under AWS KMS Key, enter your KMS key and update your KMS key policy with the following:

    Note

    As an application administrator, when you add users to the AWS Supply Chain instance, they have access to the AWS KMS key. You can manage the user permissions to add or remove users. For more information on user permissions, see User permission roles.

    Note

    Replace YourAccountNumber, Region, YourInstanceID, and YourKmsKeyArn with your AWS account, AWS Region, AWS Supply Chain Instance ID, and the AWS KMS Key.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::YourAccountNumber:root" },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow access through SecretManager for all principals in the account that are authorized to use SecretManager",
                "Effect": "Allow",
                "Principal": { "AWS": "*" },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:CreateGrant",
                    "kms:DescribeKey",
                    "kms:GenerateDataKeyWithoutPlaintext",
                    "kms:ReEncryptFrom",
                    "kms:ReEncryptTo"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": "secretsmanager.Region.amazonaws.com",
                        "kms:CallerAccount": "YourAccountNumber"
                    }
                }
            }
        ]
    }

    If you don't have a KMS key, choose Create to go to the AWS KMS console, where you can create this key. Use the previous KMS key policy. For detailed information on how to create KMS keys, see Creating keys in the AWS Key Management Service Developer Guide.

    If you plan to use an S/4 Hana data connection, make sure that the KMS key that you provided has the aws-supply-chain-access tag with an associated Value of true.

  6. (Optional) Under Instance tags, choose Add new tag to assign a tag for your instance. You can use these tags to identify your instance. For information on tags, see Creating tags.

  7. Choose Create instance.

    It takes approximately 2 to 3 minutes for the AWS Supply Chain instance to be created. Once the instance is created, the Status field on the AWS Supply Chain dashboard shows as Active.

  8. Once your AWS Supply Chain instance is created, add the following statements to the Statement array of your KMS key policy to allow AWS Supply Chain to access your AWS KMS key.

    Note

    Replace YourInstanceID with your AWS Supply Chain instance ID. You can find your instance ID on the AWS Supply Chain console dashboard.

    {
        "Sid": "Allow AWS Supply Chain to access the AWS KMS Key",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::YourAccountNumber:role/service-role/scn-instance-role-YourInstanceID"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": "*"
    },
    {
        "Sid": "Enable ASC to backfill KMS permissions",
        "Effect": "Allow",
        "Principal": { "Service": "scn.Region.amazonaws.com" },
        "Action": [
            "kms:Encrypt",
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:ReEncryptFrom",
            "kms:ReEncryptTo",
            "kms:Decrypt",
            "kms:GenerateDataKey",
            "kms:DescribeKey",
            "kms:CreateGrant",
            "kms:RetireGrant"
        ],
        "Resource": "YourKmsKeyArn"
    }
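The following Python script is an added example, not AWS tooling or part of this guide's procedure. It assembles the step 5 key policy and the step 8 statements from the placeholders used on this page, merges them into one policy without duplicating Sids (so re-running the update after the instance exists is safe), and checks that the "Principal": "*" statement still carries both the kms:ViaService and kms:CallerAccount conditions that restrict it to Secrets Manager calls from your own account. The account number, Region, instance ID and key ARN are constructed sample values; substitute your own before applying the output.

```python
"""Build and sanity-check the AWS Supply Chain KMS key policy.

Added example; not AWS's own tooling. Placeholder values below are
constructed and must be replaced with real ones.
"""
import copy
import json

# Constructed sample values standing in for the page's placeholders.
ACCOUNT = "111122223333"        # YourAccountNumber
REGION = "us-east-1"            # Region
INSTANCE_ID = "YourInstanceID"  # copy from the AWS Supply Chain dashboard
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def initial_policy(account, region):
    """Key policy from step 5 with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow access through SecretManager for all principals "
                       "in the account that are authorized to use SecretManager",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:CreateGrant",
                           "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
                           "kms:ReEncryptFrom", "kms:ReEncryptTo"],
                "Resource": "*",
                # These two conditions are what keep the "*" principal scoped
                # to Secrets Manager calls made from this account.
                "Condition": {"StringEquals": {
                    "kms:ViaService": f"secretsmanager.{region}.amazonaws.com",
                    "kms:CallerAccount": account,
                }},
            },
        ],
    }


def supply_chain_statements(account, region, instance_id, key_arn):
    """The two statements from step 8, added once the instance exists."""
    role = f"arn:aws:iam::{account}:role/service-role/scn-instance-role-{instance_id}"
    return [
        {
            "Sid": "Allow AWS Supply Chain to access the AWS KMS Key",
            "Effect": "Allow",
            "Principal": {"AWS": role},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "*",
        },
        {
            "Sid": "Enable ASC to backfill KMS permissions",
            "Effect": "Allow",
            "Principal": {"Service": f"scn.{region}.amazonaws.com"},
            "Action": ["kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext",
                       "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:Decrypt",
                       "kms:GenerateDataKey", "kms:DescribeKey",
                       "kms:CreateGrant", "kms:RetireGrant"],
            "Resource": key_arn,
        },
    ]


def merge_statements(policy, new_statements):
    """Return a copy of `policy` with `new_statements` added.

    A statement whose Sid already exists is replaced, not duplicated,
    so running the step 8 update twice leaves one copy of each statement.
    """
    merged = copy.deepcopy(policy)
    index = {s.get("Sid"): i for i, s in enumerate(merged["Statement"])}
    for stmt in new_statements:
        pos = index.get(stmt.get("Sid"))
        if pos is None:
            merged["Statement"].append(stmt)
        else:
            merged["Statement"][pos] = stmt
    return merged


def check_policy(policy):
    """Return a list of findings; an empty list means the policy is as intended."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    sids = [s.get("Sid") for s in policy["Statement"]]
    if len(sids) != len(set(sids)):
        findings.append("duplicate Sid values")
    for s in policy["Statement"]:
        principal = s.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            cond = s.get("Condition", {}).get("StringEquals", {})
            if "kms:CallerAccount" not in cond or "kms:ViaService" not in cond:
                findings.append(f"{s.get('Sid')}: wildcard principal lacks "
                                "kms:CallerAccount/kms:ViaService conditions")
    return findings


def render(policy):
    """JSON text ready to write to a file for `aws kms put-key-policy`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    full = merge_statements(initial_policy(ACCOUNT, REGION),
                            supply_chain_statements(ACCOUNT, REGION, INSTANCE_ID, KEY_ARN))
    for finding in check_policy(full):
        print("FINDING:", finding)
    print(render(full))
```

Write the rendered JSON to a file and apply it with `aws kms put-key-policy --key-id <key id> --policy-name default --policy file://policy.json`; run the checks first so that a hand edit that dropped one of the two conditions on the wildcard-principal statement is caught before the policy goes live.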