Roadrunner SMB

Identity and Permissions

Last Updated: 2026-06-09

Planning guide for the three identities Roadrunner SMB™ requires, AWS® deployer IAM tiers, and Active Directory® delegation. All guidance is self-service in published documentation.

In this guide:

Core framing

Identity 1 builds it. The AWS Deployer launches the Marketplace CloudFormation® stack (install-time only).

Identity 3 runs it day-to-day. An Active Directory administrator joins the domain once and manages the appliance through the Admin UI.

Identity 2 rescues it. The local Appliance Owner account (rrsmb-admin) provides break-glass Admin UI access when AD is unreachable.

These are three separate trust domains with different lifetimes. None requires superuser privileges by default — scoped alternatives exist for production.

See also: Quick Start — Identities and permissions (planning) · Deployment Guide — IAM planning · Security overview

Identity overview

Three identity domains  separate trust, separate credentials Identity 1 builds it � Identity 3 runs it � Identity 2 rescues it when AD is down Install time Runtime (ongoing) 1 � AWS Deployer IAM user / role Marketplace subscribe CloudFormation launch RRSMB stack ECS � EFS � NLB � DynamoDB parent + nested CFN Stack-created runtime IAM  not your deployer TaskRole � TaskExecutionRole � InstanceRole Appliance uses these at runtime; deployer creds are not used day-to-day 3 � AD Admin Domain join FTS � once net ads join Day-to-day admin Admin UI � Settings SMB client auth (AD) Active Directory Computer object RRSMB-NODE<n> Users � groups � ACLs 2 � Appliance Owner rrsmb-admin (local) Break-glass Admin UI only � not SMB � not AWS AWS IAM Active Directory Appliance local

What sits in each domain

Identity Credentials live in Resources and systems touched Active when Not used for
1 — AWS Deployer AWS IAM (user or role) AWS Marketplace, CloudFormation, IAM PassRole, stack resources at create/update Subscribe + stack launch/update Admin UI login, SMB, day-to-day appliance ops
2 — Appliance Owner Appliance local store (rrsmb-admin) Admin UI (HTTPS) only AD unreachable (break-glass) SMB file shares, AWS API calls, domain join
3 — AD Administrator Active Directory Domain controllers, computer objects, Admin UI, SMB client authentication After deploy — join once, then ongoing CloudFormation launch, AWS account administration

Trust separation: The AWS Deployer is not the appliance runtime identity. The stack creates least-privilege IAM roles in your account (TaskRole, TaskExecutionRole, InstanceRole). Roadrunner SMB receives no standing AWS credentials from you at runtime — see the dashed runtime IAM box in the diagram above.

Deployer vs runtime IAM

When you launch from AWS Marketplace, your IAM principal (Identity 1) calls CloudFormation. CloudFormation creates resources and runtime roles the appliance uses after deploy.

Phase Principal Creates / uses
Install Your IAM deployer Parent + nested CloudFormation stacks
Runtime Stack-created roles ECS tasks, EC2 hosts, auto-update, metering

Install-time flow: Deployer → CloudFormation (CreateStack, PassRole) → stack resources + runtime IAM roles.

Runtime (not the deployer): TaskExecutionRole (image pull, logs, secrets) · TaskRole (DynamoDB®, EFS, auto-update, metering) · InstanceRole (ECS agent, SSM).

Launch capabilities

You must acknowledge at stack create:

  • IAM resources with custom names — the nested template creates named IAM roles.
  • CAPABILITY_AUTO_EXPAND — the launcher creates a nested inner stack.

See Deployment Guide — Marketplace launch and AWS Marketplace deployment summary.

Stack-created roles (runtime — not the deployer)

Role Purpose
TaskExecutionRole Pull container images from ECR, write logs, read Secrets Manager (bootstrap secret)
TaskRole DynamoDB ACL/billing, EFS access, CloudFormation UpdateStack (auto-update), Marketplace MeterUsage
InstanceRole ECS agent on EC2, SSM Session Manager access to hosts
InstanceProfile Attaches InstanceRole to cluster EC2 instances

Evaluation vs secure production

Using broad admin credentials for a proof-of-concept is a customer choice — common and supported for time-boxed evaluation. For audited production environments, use scoped identities below.

Posture AWS Deployer Domain join Day-to-day Admin UI When to use
Quick evaluation AdministratorAccess (or org equivalent) + Marketplace subscribe Domain Admin or any account that can join machines Domain Admin POC, lab, trial
Secure production Tier 2 or Tier 3 deployer policy (below) Dedicated service account, OU-scoped delegation Dedicated AD security group; Domain Admins disabled in Settings Enterprise, audited environments

Tradeoffs of eval shortcuts: larger blast radius, harder credential rotation, and audit findings. Production guidance below minimizes privilege without requiring superuser for any identity.

Identity 1 — AWS Deployer

Three tiers — pick based on your security posture.

Tier 1 — Evaluation (simplest)

Sufficient for POC; not the production requirement.

Tier 2 — Pragmatic

  • AWSMarketplaceManageSubscriptions (subscribe/unsubscribe)
  • Organization-standard CloudFormation deploy role with iam:PassRole for stack-created roles
  • Acknowledge nested stack + named IAM capabilities at launch

Tier 3 — Enterprise minimum

For security-conscious deployments:

  1. Deployer permission matrix — template-derived CFN resources → AWS services → typical deployer actions
  2. AWS services used by the nested stack: CloudFormation, S3, IAM, Lambda, ECS, EC2, Auto Scaling, Elastic Load Balancing, EFS, DynamoDB, Secrets Manager, CloudWatch Logs
  3. Self-service CloudTrail procedure — derive and prove a scoped policy in your lab account
  4. Validated deployer JSON — when published for your release, version-tagged alongside the permission matrix. Until then, use the matrix and CloudTrail procedure.

Enterprise IAM teams may also reference AWS Prescriptive Guidance — least privilege for CloudFormation.

Self-service CloudTrail capture procedure

Use this to build and prove a least-privilege deployer policy:

  1. Enable CloudTrail in a non-production AWS account (management events, all regions used for deploy).
  2. Deploy Roadrunner SMB once using a principal you will scope (or Tier 1 for capture-only, then replace).
  3. Filter CloudTrail event history to your deployer principal ARN and the stack-creation time window (parent + nested stack creates/updates).
  4. Collect eventName values — group by service (cloudformation:*, iam:*, ec2:*, etc.).
  5. Draft an IAM policy from captured actions; include iam:PassRole scoped to roles the template creates.
  6. Acceptance test: delete the stack (or use a fresh account), re-deploy using only the scoped policy (not admin). Successful CREATE_COMPLETE on parent and nested stacks proves completeness.
  7. Maintain: when Roadrunner SMB releases update CloudFormation templates, repeat capture or apply the published validated JSON for that release.

Cross-check captured actions against the Deployer permission matrix.

Identity 2 — Appliance Owner (break-glass)

Set during First-Time Setup (wizard step Owner password, after domain join).

Attribute Value
Username Fixed: rrsmb-admin (not operator-chosen)
Password Minimum 12 characters; confirm in wizard
Admin UI access Full Admin UI and API administration
SMB file access Cannot authenticate to SMB shares — local account is Admin UI only

Best practices

  • Store the password in a password vault; treat as break-glass only
  • Do not use for routine administration (use Identity 3)
  • Document recovery if the password is lost while AD is also unavailable

See also: Admin Guide — Accessing the Admin UI · FAQ — Appliance Owner

Identity 3 — Active Directory Administrator

Two sub-roles: one-time domain join and ongoing appliance administration.

3a — Domain-join account (one-time, FTS Step 3)

Domain Admin is not required. Security teams can delegate minimum rights on an organizational unit (OU) or pre-staged computer object.

Default Roadrunner SMB behavior:

  • Join uses standard Samba net ads join
  • Creates a computer object in AD (or re-joins an existing object with matching name)
  • Computer name auto-allocated as RRSMB-NODE<n> unless overridden
  • Optional OU when specified in the join step
  • Post-join, computer description set to Roadrunner SMB Appliance

Enterprise best practice — pre-staged computer object: Microsoft supports delegating permissions on a pre-created computer object. This path is recommended for production but has not been end-to-end validated by Roadrunner SMB — validate in your lab.

Delegation checklists: AD domain join delegation

Network prerequisites (appliance subnet → domain controllers): Kerberos 88, LDAP 389 / LDAPS 636, DNS 53, SMB/RPC 445. See VPC Prerequisites — Active Directory.

Microsoft reference: Active Directory domain join permissions.

3b — Appliance administrator (ongoing)

After FTS Claim Appliance Admin, Admin UI access is granted through:

Path Default Production recommendation
Domain Admins Enabled by default after FTS claim Disable in Settings; use a dedicated group instead
Custom admin AD group Optional (AdminAdGroup in Settings) Recommended — e.g. CORP\RRSMB Admins
Registered appliance admin User SID recorded at FTS claim Individual admin; manage via Settings

Important: During First-Time Setup only, domain join clears the registered admin registry so you can claim admin again if FTS is retried. Re-joining the domain from Settings after FTS does not automatically remove registered admins — manage ongoing access via Settings.

Configure Domain Admins and admin group: Admin Guide — Settings.

Security reviewer checklist

  • Three identities understood; deployer credentials not used at appliance runtime
  • Eval posture documented if using Tier 1 / Domain Admin shortcuts
  • Production: Tier 2 or Tier 3 deployer + permission matrix
  • Production: delegated AD join account (not Domain Admin) per delegation guide
  • Production: Domain Admins disabled in Settings; dedicated admin group configured
  • Appliance Owner password vaulted; break-glass procedure documented
  • None of the three identities requires superuser by default
Topic Document
Planning summary Quick Start
Deployer permission matrix Deployer permission matrix
AD delegation AD domain join delegation
Deployment & CFT Deployment Guide
Day-to-day admin Admin Guide
Security summary Security overview
FAQ FAQ — Security and permissions

Home · Documentation · Quick Start · Release Notes · Support

© 2026 Roadrunner SMB, LLC

Roadrunner SMB is an independent software project and is not affiliated with, endorsed by, or sponsored by Amazon Web Services, Inc.
Amazon Web Services, AWS, and Amazon EFS are trademarks of Amazon.com, Inc. or its affiliates.
Microsoft, Windows, and Active Directory are trademarks of the Microsoft Corporation in the United States and/or other countries.
Citrix and SoftNAS are registered trademarks of their respective owners.
Roadrunner SMB and Elastic SMB are trademarks of Roadrunner SMB, LLC. All rights reserved.