Update your permissions so that the Client Portal can access your AWS account.
This topic only applies to the AWS accounts that are added using the Add Cloud Account option on the Cloud Tenant Setup page.
You must have an advanced understanding of AWS, CloudFormation, and IAM policies and roles to execute these steps.
Follow these steps to update your AWS account permissions:
Sign in to the AWS Console as a user with permission to modify IAM resources.
In the AWS console, select Services to open the list of services. Under the Management and Governance group, select CloudFormation.
Locate the stack. In the CloudFormation console, select the correct region at the top right corner of the screen. You may need to cycle through the regions until you find the stack (typically named PyraCloud-Onboarding).
Select the stack and then select Update.
On the Update Stack page, do the following:
Select the Replace Current Template option.
Select Amazon S3 URL and add the following URL: https://iepapp0168sda.s3-eu-west-1.amazonaws.com/pyracloud_onboarding.json.
Select Next.
On the Specify stack details page, leave the ExternalId, PyraCloudProcessId, and PyraCloudTenantId fields as they are. Select Next.
On the Configure stack options page, leave all values as they are. Select Next.
On the Review PyraCloud-Onboarding page, do the following:
Review the changes that will be made to the stack.
Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox.
Select Update Stack.
Refresh the page until the stack moves from the UPDATE_IN_PROGRESS status to UPDATE_COMPLETE.
After the process is completed, it might take up to 24 hours for your AWS account to become healthy.
The following permissions are required to view the AWS Recommendations from AWS Trusted Advisor.
support:*
trustedadvisor:Describe*
Follow Updating permissions to re-onboard your AWS account with these permissions.
If you're unable to read resources, that is, you are missing read permissions for AWS resources, follow the Updating permissions section.
If you're unable to tag resources (that is, you are missing write-back permissions for AWS resources), follow these steps:
Navigate to IAM within the AWS portal and locate PyraCloudRole.
Navigate to the details of the role and ensure that ReadWritePolicy is attached.
If the policy is not attached, select Attach policies. Type PyraCloudReadWrite policy in the search box, select the checkbox, and then select Attach policy.
The policy is attached to the role and the write-back permissions are added. To confirm, check the Resources module by syncing the relevant AWS accounts.
Follow this topic to add your AWS cloud account to the Client Portal.
Before starting the activation, make sure that you have the following details:
Account Information - You must have your AWS account number. You can view your account number in the AWS Management Console.
Permissions - You must have permission to execute the CloudFormation script that will create an Identity and Access Management (IAM) role in the account to be activated.
If your company uses AWS Organizations and this is the first account you're activating, we recommend you activate your master account first.
If you start by activating a linked account, the Client Portal will discover your master account. Then you, or another user in your organization, will be required to activate the master account.
However, if you start by activating your master account, the Client Portal will discover your linked accounts first and provide the option to activate them individually, after the master account is activated.
Follow these steps to add your AWS cloud account:
From the navigation menu, go to Cloud tools > Cloud tenant setup.
On the Cloud tenant setup page, select Add Cloud Account and choose Amazon Web Services as your cloud service provider.
Provide the following details:
A name for your AWS account.
Your AWS account ID.
Choose the region where you want to create the CloudFormation stack.
Select Add Cloud Account. The login page for the AWS Console opens.
Your pop-up blocker might prevent the new browser tab from opening. Ensure that the pop-up blocker is turned off. If required, enable pop-ups and select Add Cloud Account again.
Sign in to the AWS Console and perform the following steps:
On the Create Stack page, review the settings that the Client Portal will use to activate your AWS account.
Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox.
Select Create. The CloudFormation script will start executing.
When the activation status changes from CREATE_IN_PROGRESS to CREATE_COMPLETE, navigate to the Client Portal and refresh the page. Your account is activated.
If you use AWS Organizations and have linked accounts, these accounts will be shown as Not Activated in the list. See the next section for information on how to activate linked accounts.
Many organizations have several AWS accounts in their AWS Organizations hierarchy. In some cases, it's not the same person who owns each of those accounts. Therefore, each account owner must activate the account they own.
Follow these steps to activate linked accounts:
From the navigation menu, navigate to Cloud tools > Cloud tenant setup.
On the Cloud tenant setup page, expand the master AWS account containing the linked accounts.
Select Activate next to the linked account that you want to activate.
Perform the same activation steps as for the master account. Follow steps 3-6 in Adding your AWS cloud account.
You can select multiple linked accounts and start the activation process automatically for all accounts.
To automate multiple linked account activations, all selected accounts must have some basic permissions. These permissions are automatically applied if the linked account has been created as a part of an organization.
If a linked account hasn't been created as part of an organization, but has only been linked to it, you must manually grant the OrganizationAccountAccessRole the cloudFormation:CreateStack permission to activate that account automatically.
The process for activating multiple linked accounts is similar to single account activation, except that AssumeRole permission is granted to the master account. To handle the process automatically for multiple accounts, without prompting the user for additional settings for each account, this additional AssumeRole permission is applied. It is only needed at activation. Granting it uses a similar approach to single account activation: CloudFormation, SNS, and Lambda deploy new AWS resources to handle the process.
Follow these steps to activate multiple linked accounts automatically:
On the Cloud tenant setup page, expand the AWS account containing the linked accounts you want to add.
Select the checkbox next to each linked account you want to activate.
Select Activate Selected.
The Client Portal works in a read-only mode after you onboard your AWS account for the first time.
It means that the Tag and Resource Manager feature can import your resources and tags from AWS, but it cannot synchronize any tag changes you make in the Client Portal back to AWS.
If you would like Tag and Resource Manager to synchronize tags back to AWS, you must change the level of access the Client Portal has for your AWS account.
Follow these steps to change the level of access:
On the Cloud Account Setup page, expand the AWS account and select Change Access.
In the Change PyraCloud Access Level, choose the access level:
Sync resources only, no tags – write back of tags disabled: Tag and Resource Manager will download your resources to the Client Portal without the tags currently assigned in AWS. Any changes to tags will be stored in the Client Portal only. This setting requires read-only access to your AWS account and will not make any changes to resources or tags in your AWS account.
Sync resources and tags – write back of tags disabled: Tag and Resource Manager will download your resources to the Client Portal, including the tags currently assigned in AWS. Any changes to tags will be stored in the Client Portal only. Any tags assigned to resources in AWS will overwrite the tags for the corresponding resource in the Client Portal. This setting requires read-only access to your AWS account and will not make any changes to resources or tags in your AWS account.
Sync resources and tags – write back of tags enabled: Tag and Resource Manager will download your resources to the Client Portal, including the tags currently assigned in AWS. Any changes to tags will be synchronized back to your resources in AWS. This setting requires read-write access to your AWS account and will only make changes to tags.
Select Change.
The Recommendations module downloads recommendations from AWS Cost Explorer, which includes Reserved Instance purchase recommendations for Amazon EC2, Amazon RDS, ElastiCache, Amazon ES, and Amazon Redshift.
By default, the Enable sync with AWS Cost Explorer to see AWS Recommendations setting is enabled in the Client Portal. It means that Client Portal will download your account's AWS Cost Explorer recommendations.
Follow these steps to disable this setting:
On the Cloud Tenant setup page, navigate to the AWS account and select Change Access from the Action column.
In Change PyraCloud Access Level, choose the access level and select Change.
Select Enable sync with AWS Cost Explorer to see AWS Recommendations in PyraCloud.
Select Change.
If you're taking advantage of AWS’ EDP you can view your commitment amounts in the Client Portal.
The portal displays your spending against your commitment so that you can track and plan for upcoming spend. To view your commitment amounts, contact our Support team.
Configure your AWS account so that it's ready for integration with the Client Portal.
Follow the steps in this topic only if you're instructed to do so by SoftwareOne. Following these steps without assistance from SoftwareOne will result in your AWS account not being fully integrated with the Client Portal.
Before configuring, ensure that you have a random external ID in the format pyracloud:aws:extid:{16 random alphanumeric characters}. For example, pyracloud:aws:extid:13kcy2czfja01dfx. You can create a random string using a string generator.
Once generated, make a note of your external ID. You'll need to share the ID with your SoftwareOne representative.
Follow these steps to execute the script:
Sign in to the AWS console as a user with permission to modify IAM resources and execute CloudFormation scripts.
Navigate to CloudFormation.
In the AWS console, select Services > Management & Governance > CloudFormation.
In the upper-right corner of the CloudFormation page, select the region where you wish to execute the CloudFormation script.
Select Create stack and follow these steps:
In Prerequisite – Prepare template, select Template is ready.
In Specify template, select Amazon S3 URL and enter the following URL: https://iepapp0168sda.s3-eu-west-1.amazonaws.com/pyracloud_onboarding.json
Select Next.
Complete the Specify stack details page as follows:
Enter the name of the stack. The recommended stack name is PyraCloud-Onboarding. If you don't use this recommended name, make a note of the name you use and provide it along with the random external ID to SoftwareOne.
Enter the external ID that you generated. For the GUID value, enter the empty GUID 00000000-0000-0000-0000-000000000000.
Select Next.
On the Configure stack options page, no additional settings are required. Select Next.
Review the settings associated with the stack and select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box.
Select Create stack.
After you select Create stack, the following page is displayed. To refresh the progress of the stack, select the refresh icon.
Wait for the status to change to CREATE_COMPLETE.
If AWS Organizations is enabled, the following steps are only required in the master account. You don't have to perform these steps for a linked account.
If AWS Organizations is not enabled, perform the following steps.
In the AWS console, click the Services menu item to open the list of services. Under the Storage group click the S3 item.
Click Create bucket.
Complete the Name and region page as follows:
In the Name and region section, under the Bucket name heading, enter a unique name for the bucket. The recommended value for this is pyracloud.{account number}. For example, pyracloud.123456789012. Make a note of this name to share with SoftwareOne.
In the Name and region section, under the Region heading, select the region where you want to create the bucket. Make a note of this region to share with SoftwareOne.
Select Next.
On the Configure options page, leave the values as default.
Select Next.
On the Set Permissions page, leave the values as default.
Select Next.
On the Review page, review the new bucket settings. Select Create bucket.
In the AWS console, select the account menu item at the top right. Select My Billing Dashboard.
In the left navigation menu, select Cost & Usage Reports and select Create report.
Complete the Report content page as follows:
Under the Report name – required heading, enter a name for the report. The recommended value for this is “PyraCloudCostAndUsage”. Make a note of this name to share with SoftwareOne.
Under the Additional report details heading, select the Include resource IDs checkbox.
Under the Data refresh settings heading, select the Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills checkbox.
Click Next.
Complete the Delivery options page:
Under the S3 bucket – required heading, select Configure.
On Step 1 of 2: Configure S3 Bucket, on the left side, select the existing bucket you created above from the drop-down. Click Next.
On Step 2 of 2: Verify policy, check the I have confirmed that this policy is correct checkbox. Click Save.
In Report path prefix, enter the same value as the Report name field (for example, PyraCloudCostAndUsage). This value must be the same as the Report name value.
Choose Time granularity as Daily.
Choose Create new report version.
In Enable report data integration for, clear all options.
Choose the Compression type as GZIP.
Select Next.
On the Review page, review the Cost & Usage Report settings and select Review and Complete.
The report is created.
In the AWS console, select Services > Security, Identity, & Compliance > IAM.
Select Policies.
Select Create policy and then select the JSON tab.
Add the following JSON policy. Be sure to replace bucketname with the name of your bucket, for example, pyracloud.123456789012. Replace any existing text already in the JSON window.
Select Review policy and complete the Review policy page as follows:
Under the Name heading, enter a name for the policy. The recommended value is PyraCloudAllowBillingBucketAccess.
(Optional) Enter a description.
Select Create policy.
Select Roles from the navigation menu.
Choose PyraCloudRole from the list of roles.
Select Attach policies.
Search for the policy created and then select the box next to it. Select Attach policy.
The policy is attached.
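The JSON policy itself is not reproduced on this page. As an added example (not SoftwareOne's code), this checks a policy document before you attach it to PyraCloudRole: every Allow statement should grant only read-only S3 actions, and only on the billing bucket and its objects, which also catches a forgotten bucketname placeholder. The READ_ONLY_S3_ACTIONS set, the function names and the sample policies are assumptions constructed for the example.

```python
import json

# Assumption: the S3 actions we accept as read-only for a billing bucket.
# Anything else (s3:*, "*", s3:PutObject, ...) is reported as a finding.
READ_ONLY_S3_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
    "s3:GetBucketLocation", "s3:ListBucketVersions",
}


def bucket_arns(bucket_name: str) -> set:
    """The bucket ARN plus the ARN pattern that covers every object in it."""
    return {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}


def _as_list(value):
    # IAM allows Action/Resource/Statement as a single string/object or a list.
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json: str, bucket_name: str) -> list:
    """Return reasons the policy grants more than read-only access to one bucket."""
    policy = json.loads(policy_json)
    allowed = bucket_arns(bucket_name)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if action not in READ_ONLY_S3_ACTIONS:
                findings.append(f"statement {i}: action {action} is not read-only S3")
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                findings.append(f"statement {i}: resource {res} is outside {bucket_name}")
    return findings


# Constructed sample: the bucketname placeholder was never replaced.
SAMPLE_UNREPLACED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]}],
})
# Same policy with the placeholder replaced, as the step instructs.
SAMPLE_SCOPED = SAMPLE_UNREPLACED.replace("bucketname", "pyracloud.123456789012")
```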
At this point, your AWS account is ready to be integrated with the Client Portal. SoftwareOne will need to perform internal steps to complete the integration.
To do this, you'll need to provide the following details to SoftwareOne:
Detail | Example Value |
---|---|
AWS Account Number | 123456789012 |
AWS Organizations Enabled? | Yes |
AWS Organizations Master Account? | Yes |
CloudFormation Stack Name | PyraCloud-Onboarding |
CloudFormation Region | Ireland (eu-west-1) |
External ID | pyracloud:aws:extid:13kcy2czfja01dfx |
Bucket Name | pyracloud.123456789012 |
Bucket Region | Ireland (eu-west-1) |
Report Name | PyraCloudCostAndUsage |
Report Path Prefix | PyraCloudCostAndUsage |