Add an AWS Commercial Account


A few notes about adding AWS commercial accounts:

  • You must create a project before you can attach AWS accounts to it. You can add AWS accounts to the account cache anytime.
  • Once an AWS account is attached/added, it will then be managed by cloudtamer.io, meaning the application will be able to perform actions inside the account.
  • You can either attach/add new AWS accounts, or you can have cloudtamer.io create an AWS account programmatically through the management AWS account. An administrator must enable account creation in the cloudtamer.io settings before you can create an account programmatically. You need to have the proper permissions to add an AWS account as well.
  • Prior to attaching/adding an AWS account, you must add its management account as a billing source so that cloudtamer.io can access the billing reports.
  • You can import all of your AWS commercial accounts at once, which makes this process much quicker. To do this, see the "Add Existing AWS Commercial Account(s) to the Account Cache" section below.
  • You can include spending from any linked GovCloud accounts in the financial reports for your AWS commercial accounts (without having cloudtamer.io manage the GovCloud account). See the Include Linked Spending From GovCloud Account fields in the sections below to include this spend data.

Add an Existing AWS Commercial Account from a Billing Source

You can add an AWS commercial account from a billing source directly. This process will automatically create the cloudtamer-service-role in the account, so you won't need to create it in your account manually. You can choose whether to add the account to the account cache or to a project.

To add an account from a billing source (management account):

  1. Click Accounts > Billing Sources in the left navigation menu.
  2. Click on the name of the desired billing source.
  3. Expand the Accounts not in cloudtamer.io section.
  4. Click on the ellipsis menu on the account item and then choose either Add account to cache or Add account to project.


The account will be available within a few minutes.

Attach an Existing AWS Commercial Account to a Project

You can also add an existing AWS commercial account to a cloudtamer.io project. You can choose whether to add the account from the cloudtamer.io account cache or to add an "external account" (i.e., one you created directly in the AWS console but haven't yet added to cloudtamer.io).

This process will require you to manually create the cloudtamer-service-role in the account in step 11. If you prefer a process that creates the service role automatically, expand the "Add an Existing AWS Commercial Account from a Billing Source" section above and follow the directions there.

To attach an existing AWS commercial account to a project:

  1. In the left navigation menu, click Projects > All Projects.
  2. Click the name of the project to go to its details screen.
  3. Click the Accounts tab.
  4. Click Add > Connect Existing Account. Select Connect From Account Cache if the account is already in the account cache. Otherwise, select Connect External Account. You can also go to Accounts > All Accounts and click Add New to get to this screen.
  5. In the Account Name field, enter a name for the account.
  6. In the Project drop-down menu, select the project with which you wish to associate the account. If you navigated here from a project page, this would be pre-selected.
  7. In the Start Date field, enter the start date for the account.
  8. In the Account Type field, select AWS Commercial.
  9. In the Billing Source field, select the AWS management account that manages the AWS account you want to add. This is how cloudtamer.io gets the billing reports.
  10. In the Account Number drop-down field, select the AWS account number of the account you want to attach to the project. This field provides account information that is already tied to the organization. Cloud accounts can be added to one and only one project.
  11. Once you click on the Account Number field, you'll receive a prompt to download the CloudFormation template. This template must be applied manually via CloudFormation in the AWS account prior to completing the remaining steps.
    • To learn how to manually apply a CloudFormation template, see the Add the cloudtamer.io Service Role article.
    • The template creates an AWS IAM role with a trust policy that allows the AWS account where cloudtamer.io is running to call sts:AssumeRole on cloudtamer-service-role.
    • If this CloudFormation stack or IAM role is removed from the AWS account, cloudtamer.io will not be able to manage the account anymore.
    • Name the CloudFormation stack cloudtamer-service-role and ensure you protect the role using IAM policies.
  12. Leave the Linked Role field as OrganizationAccountAccessRole unless you changed the organization role during initial AWS account creation.
  13. Place a check by Skip Account Access Checking if you don't want cloudtamer.io to verify the role is available. You will need to add in the role later if you want cloudtamer.io to access the account. This allows you to preload accounts without having access to them.
  14. Check off Include Spend From Linked GovCloud Account to include the spend data from a linked GovCloud account, if applicable. This lets you include the spend data for the linked GovCloud account in your commercial account's financial reports without adding the GovCloud account directly to cloudtamer.io. To leave out this spend data, leave this field unchecked.
  15. Place a check by Sync Account Information with AWS Organizations if you would like to keep the account name and account email updated with the name and email specified in AWS Organizations. You need to ensure the IAM role in the management account has access to Organizations for this to work properly.
  16. Click Connect.


Add Existing AWS Commercial Account(s) to the Account Cache

You can add existing AWS commercial accounts to the account cache without attaching them to a project, either ad hoc or via a bulk import.

If you're adding accounts ad hoc, this process will require you to manually create the cloudtamer-service-role in the account in step 8 (this does NOT apply if you are doing a bulk import via the Import From AWS Organization option in step 3). If you prefer a process that creates the service role automatically for ad hoc account additions, expand the "Add an Existing AWS Commercial Account from a Billing Source" section above and follow the directions there.

To add AWS Commercial account(s) created outside of cloudtamer.io to the account cache:

  1. From the left navigation menu, navigate to Accounts > Account Cache (if you don't see Account Cache listed under Accounts, make sure the cache is enabled under Settings > System Settings > Account Creation Settings).
  2. Click the Add New button.
  3. Make a selection from the drop-down menu that displays:
    • Selecting Import From AWS Organization and clicking Continue will allow you to Select a Billing Source and click Import to import all accounts connected to that billing source (be sure Include Spend From Linked GovCloud and Commercial Accounts is checked if you wish to include linked accounts). This will automatically create the cloudtamer-service-role, so you won't need to create it in your accounts manually. If you choose this option, this is the final step in the process.
    • Selecting Connect an External Account and clicking Continue will allow you to connect a single account. Continue to step 4 below.
    • See the other sections of this article to learn about importing from AWS GovCloud, importing from Azure, or creating new accounts and resource groups.
  4. In the Account Name field, enter a name for the account.
  5. In the Account Type field, select AWS Commercial.
  6. In the Billing Source field, select the management AWS account that manages the AWS account you want to add. This is how cloudtamer.io gets the billing reports.
  7. In the Account Number drop-down field, select the AWS account number of the account to be added. This field provides account information that is already tied to the organization.
  8. Once you click on the Account Number field, you'll receive a prompt to download the CloudFormation template. This template must be applied manually via CloudFormation in the AWS account prior to completing the remaining steps.
    • To learn how to manually apply a CloudFormation template, see the Add the cloudtamer.io Service Role article.
    • The template creates an AWS IAM role with a trust policy that allows the AWS account where cloudtamer.io is running to call sts:AssumeRole on cloudtamer-service-role.
    • If this CloudFormation stack or IAM role is removed from the AWS account, cloudtamer.io will not be able to manage the account anymore.
    • Name the CloudFormation stack cloudtamer-service-role and ensure you protect the role using IAM policies.
  9. Leave the Linked Role field as OrganizationAccountAccessRole unless you changed the Organization role during the initial AWS account creation.
  10. Place a check by Skip Account Access Checking if you don't want cloudtamer.io to verify the role is available. You will need to add in the role later if you want cloudtamer.io to access the account. This allows you to preload accounts without having access to them.
  11. Check off Include Spend From Linked GovCloud Account to include the spend data from a linked GovCloud account, if applicable. This lets you include the spend data for the linked GovCloud account in your commercial account's financial reports without adding the GovCloud account directly to cloudtamer.io. To leave out this spend data, leave this field unchecked.
  12. Click Connect.
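
The service-role step appears twice in this article (step 11 of the project procedure and step 8 of this one): the template creates cloudtamer-service-role with a trust policy for the account where cloudtamer.io runs, and the role should be protected. The check below is an added example, not part of the cloudtamer.io template or product; it audits a role's trust policy document for principals other than the expected account. The account IDs and sample documents are constructed placeholders, and the real template's policy may contain more than this.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Accepts "*", a bare account ID, or an ARN such as arn:aws:iam::<id>:root.
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_trust_policy(policy, expected_account):
    """Return findings for a role trust policy; Condition blocks are not evaluated."""
    findings, trusted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # only statements that grant role assumption matter here
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            if kind != "AWS":
                findings.append(f"non-account principal type trusted: {kind}")
                continue
            for acct in map(_account_of, _as_list(values)):
                trusted.add(acct)
                if acct == "*":
                    findings.append("wildcard principal can assume the role")
                elif acct != expected_account:
                    findings.append(f"unexpected account trusted: {acct}")
    if expected_account not in trusted:
        findings.append("expected account is not trusted")
    return findings

# Constructed samples; the account IDs are placeholders, not values from the template.
CLOUDTAMER_ACCOUNT = "111111111111"
EXPECTED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"}]}""")
DRIFTED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "999999999999", "*"]},
  "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED), ("drifted", DRIFTED)):
        print(name, audit_trust_policy(doc, CLOUDTAMER_ACCOUNT) or "OK")
```

To audit a live role, feed the function the document returned by `aws iam get-role --role-name cloudtamer-service-role --query Role.AssumeRolePolicyDocument`.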


Add a New AWS Commercial Account to the Account Cache

You can create a brand new AWS account within cloudtamer.io using the Organizations API and add it to the account cache. This will automatically create the cloudtamer-service-role, so you won't need to create it in your accounts manually.

To add a brand new AWS commercial account to the account cache:

  1. From the left navigation menu, navigate to Accounts > Account Cache (if you don't see Account Cache listed under Accounts, make sure the cache is enabled under Settings > System Settings > Account Creation Settings).
  2. Click the Add New button.
  3. Select Create a New AWS Account and click Continue.
  4. In the Account Name field, enter a name for the account.
  5. In the Billing Source field, select the AWS management account that manages the AWS account you want to add. This is how cloudtamer.io gets the billing reports.
  6. Version 2.27.0 and higher: Place a check by Add to AWS Organization Unit to add this account to an AWS OU within AWS Organizations. This won't affect the account's placement within cloudtamer.io OUs.
    • If you check this box, you'll have the option to Add to Existing OU or Create New OU. Make your selection, then select the existing AWS OU or enter a name for the new AWS OU.
  7. Enter a different name for the Linked Role if necessary. Otherwise, leave this name as the default.
  8. Place a check by Skip Account Access Checking if you don't want cloudtamer.io to verify the role is available. You will need to add in the role later if you want cloudtamer.io to access the account. This allows you to preload accounts without having access to them.
  9. If you've turned on programmatic creation of GovCloud accounts, you'll see a Create and Link GovCloud Account option. Leave this unchecked if there is no associated GovCloud account. Otherwise, check the box to create and link the GovCloud account as well.
  10. Check off Include Spend From Linked GovCloud Account to include the spend data from a linked GovCloud account, if applicable. This lets you include the spend data for the linked GovCloud account in your commercial account's financial reports without adding the GovCloud account directly to cloudtamer.io. To leave out this spend data, leave this field unchecked.
  11. Click Create.
