
Bulk credentialing AWS linked accounts for Cloudability 

Thu January 25, 2024 12:53 PM

Recently we made an update to Cloudability that can help AWS customers quickly credential their AWS linked accounts. While credentialing linked accounts isn’t required for ingesting billing data, it is required for other features such as rightsizing (to allow Cloudability to ingest utilization data). Cloudability now takes advantage of the AWS Organizations inheritance model. This enables customers to attach the required Cloudability role at the organization root or OU level and have the permissions flow down to all the applicable linked accounts.

Prior to this release, customers using the Cloudability UI needed to create the role on each linked account by downloading a CloudFormation template (CFT) and executing it individually on every linked account. While customers can still use this approach for individual accounts, they can also use bulk credentialing to streamline the process.

 

Enable Bulk Credentialing on Cloudability for New Payer Accounts 

Prerequisite: You are using AWS Organizations to manage these accounts and have attached the accounts to the required OUs.

 

Initial Steps Required in Cloudability 

In Cloudability, while credentialing the master payer account, customers need to check the “Automated credentialing of linked accounts” checkbox.

Once the master payer is credentialed and the linked accounts appear on the Cloudability credentials page, customers need to download the CloudFormation template from one of the linked accounts. To do this, click the edit icon next to any linked account, click save, then click download (this template file will be used in the next stage).

 

Steps Required in AWS Console 

In this section you’ll create a CloudFormation StackSet, which will instantiate the IAM role across linked accounts.

  • Within the AWS console navigate to the CloudFormation service 
  • Click on StackSets -> create StackSet
  • On the “Choose Template” page select Upload a template file -> choose the template file you just downloaded -> select next
  • On the “Specify StackSet details” page enter the StackSet name and description as desired. All other details (such as the CloudabilityRole_OU name and external ID) come from the template and can be left as is. Select next.
  • On the “Set deployment options” page choose either Deploy to organization, if you want to deploy the role to all accounts under the master payer, or Deploy to organizational units (OUs) if you want to deploy to a subset, and enter the relevant AWS OU ID.
  • Choose any other preferences, such as regions and orchestration details, and click submit. This will create the StackSet and IAM roles within each linked account. 
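
Because the StackSet creates the same IAM role in every targeted account, the template's trust policy is worth reviewing before it is uploaded. The following is an added example, not code from Cloudability or from the original post: it flags roles that any AWS principal may assume or whose AssumeRole statement is not bound to an external ID. It assumes a JSON template; `review_role_trust`, `sample_template`, the account ID and the sample templates are constructed for illustration.

```python
import json

def review_role_trust(template):
    """Return findings for each AWS::IAM::Role trust policy in a CloudFormation template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):          # a single statement may be a bare object
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal", {})
            aws = principal if isinstance(principal, str) else principal.get("AWS", [])
            aws = aws if isinstance(aws, list) else [aws]
            if not aws:                           # service principals do not use external IDs
                continue
            if "*" in [p for p in aws if isinstance(p, str)]:
                findings.append(f"{name}: any AWS principal may assume this role")
            # Condition keys are case-insensitive; the value may be a literal or a Ref.
            equals = stmt.get("Condition", {}).get("StringEquals", {})
            if not any(k.lower() == "sts:externalid" and v for k, v in equals.items()):
                findings.append(f"{name}: AssumeRole is not bound to an sts:ExternalId")
    return findings

def sample_template(principal, condition):
    """Constructed template for illustration; not the file Cloudability generates."""
    statement = {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": principal}}
    if condition:
        statement["Condition"] = condition
    return {"Resources": {"ExampleRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"RoleName": "CloudabilityRole_OU",
                       "AssumeRolePolicyDocument": {"Version": "2012-10-17",
                                                    "Statement": [statement]}}}}}

# Placeholder account ID and external ID reference, constructed for this example.
GOOD = sample_template("arn:aws:iam::111111111111:root",
                       {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}})
BAD = sample_template("*", None)

if __name__ == "__main__":
    for label, tpl in (("good", GOOD), ("bad", BAD)):
        print(label, json.dumps(review_role_trust(tpl), indent=2))
```

To review a downloaded file, load it with `json.load` and pass the result to `review_role_trust`; a YAML template needs a loader that understands CloudFormation's short-form intrinsic functions.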

 

Final steps required in Cloudability 

  • The user needs to verify each of the relevant linked accounts by clicking the Save button on each linked account, followed by verify credentials.
  • A green check mark indicates that the process has been successful. 

 

Enable Bulk Credentialing on Cloudability for Existing Payer Accounts  

 

“Existing customers” means that you already have a few accounts credentialed in Cloudability and want to add more accounts in an automated way.

Prerequisite: Customers need to add their linked accounts (existing and new) under the AWS organization in the AWS console.

Steps Required in Cloudability 

  • In Cloudability, while credentialing the AWS master payer accounts, customers need to check the “Automated credentialing of linked accounts” checkbox.
  • The customer has to download the CloudFormation template from one of the linked accounts, whether new or existing.

 

Steps Required in AWS Console 

  • Within the AWS console navigate to the CloudFormation service
  • Click on StackSets -> create StackSet
  • On the “Choose Template” page select Upload a template file -> choose the template file you just downloaded -> select next
  • On the “Specify StackSet details” page enter the StackSet name and description as desired. All other details (such as the CloudabilityRole_OU name and external ID) come from the template and can be left as is. Select next.
  • On the “Set deployment options” page choose either Deploy to organization, if you want to deploy the role to all accounts under the master payer, or Deploy to organizational units (OUs) if you want to deploy to a subset, and enter the relevant AWS OU ID.
  • Choose any other preferences, such as regions and orchestration details, and click submit. This will create the StackSet and IAM roles within each linked account. 

Note: For existing linked accounts, you will already have a few accounts with the CloudabilityRole. This role can be removed if the accounts are part of the OU where the StackSet was run. A new role, CloudabilityRole_OU, will be applied to these accounts.

 

Steps required in Cloudability 

  • Click on the edit button for the linked account 
  • Verify each of the linked accounts by clicking the save button on each linked account, followed by verify credentials.
  • A green tick mark indicates that the process is successful. 

#Cloudability


Comments

Thu February 29, 2024 09:55 AM

Thanks for the feedback. Good to see it's bringing value to our customers and users.

We understand that the UI automation will complete this process and truly give full automation capabilities; it's on the roadmap but not immediately.



Thu February 29, 2024 09:23 AM

I love this feature, it will definitely save a lot of time.

Is it possible, and if so, is it on the roadmap, to automate the process of updating each child account in Cloudability without having to manually edit and save each one?



Thu February 22, 2024 03:15 PM

Love the new functionality.  I don't see any option in the user interface to enable this on existing AWS Master Payer accounts.  

Any chance of providing a Terraform module which can be used in place of CloudFormation?

