Add an AWS GovCloud Account

This article shows you how to add AWS GovCloud accounts.

Looking to add an AWS commercial account? See the Add an AWS Commercial Account article.

A few notes about adding AWS GovCloud accounts:

  • Using the methods on this page to add/attach GovCloud accounts means they will be managed by cloudtamer.io, and the application will be able to perform actions inside the accounts. If you just want to include GovCloud spending in your financial reports for your AWS commercial account (without having cloudtamer.io manage the GovCloud account), see the Add an AWS Commercial Account article.
  • cloudtamer.io uses partition keys to access GovCloud. When connecting a GovCloud account:
    • Your commercial management account needs to have a GovCloud management account linked to it.
    • Your management account needs to have permissions to create GovCloud accounts (this is a different permission than normal account creation permissions).
  • To programmatically create AWS GovCloud accounts, you'll also need to follow the steps in the Enable Programmatic AWS GovCloud Account Creation article.
  • You can import all of your AWS GovCloud accounts at once, which makes this process much quicker. To do this, see the "Add Existing AWS GovCloud Account(s) to the Account Cache" section below.

Attach an Existing AWS GovCloud Account to a Project

To attach an existing AWS GovCloud account to a project:

  1. In the left navigation menu, click Projects > All Projects.
  2. Click the name of the project to go to its details screen.
  3. Click the Accounts tab.
  4. Click Add > Connect Existing Account. Select Connect From Account Cache if the account is already in the account cache. Otherwise, select Connect From External Account. You can also go to Accounts > All Accounts and click Add New.
  5. Enter a name for the account in the Account Name field.
  6. In the Project drop-down menu select the project you want to associate the account with. If you navigated here from a project page, this will be pre-selected.
  7. In the Start Date field, enter the start date for the account.
  8. In the Account Type field, select AWS GovCloud.
  9. In the Billing Source field, select the management account that manages the AWS account you want to add. This is how cloudtamer.io gets the billing reports properly for the AWS account.
  10. In the Account Number field, add the AWS account number of the GovCloud account.
  11. Once you click on the Account Number field, you'll receive a prompt to download the CloudFormation template. This template must be applied manually via CloudFormation in the AWS account prior to completing the remaining steps. This CloudFormation template creates an AWS IAM role with a trust policy that allows the AWS account where cloudtamer.io is running to call sts:AssumeRole on cloudtamer-service-role. If this CloudFormation or IAM role is removed from the AWS account, cloudtamer.io will not be able to manage the account anymore. Ensure you protect the role using IAM policies.
  12. In the Linked Commercial Account Number field, add the AWS account number for the commercial account to which the GovCloud account is linked.
  13. Once the CloudFormation stack finishes deploying, generate an IAM access key and use it in the steps below. cloudtamer.io will rotate the keys automatically every seven days.
  14. Leave the Linked Role field as OrganizationAccountAccessRole unless you changed the Organization role during the initial AWS account creation.
  15. Place a check by Skip Account Access Checking if you don't want cloudtamer.io to verify the role is available. You will need to add in the role later if you want cloudtamer.io to access the account. This allows you to preload accounts without having access to them.
  16. Check off Include Spend From Linked Commercial Account to include the spend data from the linked commercial accounts in financial reports for this account.
  17. Place a check by Sync Account Information with AWS Organizations if you would like to keep the account name and account email updated with the name and email specified in AWS Organizations. You need to ensure the IAM role in the management account has access to Organizations for this to work properly.
  18. Click Connect.


Add Existing AWS GovCloud Account(s) to the Account Cache

To add AWS GovCloud account(s) created outside of cloudtamer.io to the account cache:

  1. From the left navigation menu, navigate to Accounts > Account Cache (if you don't see Account Cache listed under Accounts, make sure the cache is enabled under Settings > System Settings > Account Creation Settings).
  2. Click the Add New button.
  3. Make a selection from the drop-down menu that displays:
    • Selecting Import From AWS GovCloud Organization and clicking Continue will allow you to Select a Billing Source and click Import to import all accounts connected to that billing source (be sure Include Spend From Linked Commercial Accounts is checked to include the spend data from the linked commercial accounts in financial reports).
    • Selecting Connect an External Account and clicking Continue will allow you to connect a single account. Continue to step 4 below.
  4. In the Account Name field, enter a name for the account.
  5. In the Account Type field, select AWS GovCloud.
  6. In the Billing Source field, select the management account that manages the AWS account you want to add. This is how cloudtamer.io gets the billing reports properly for the AWS account.
  7. In the Account Number field, enter the AWS account number for the GovCloud account.
  8. Once you enter the Account Number, you'll receive a prompt to download the CloudFormation template. This template must be applied manually via CloudFormation in the AWS account prior to completing the remaining steps. This CloudFormation template creates an AWS IAM role with a trust policy that allows the AWS account where cloudtamer.io is running to call sts:AssumeRole on cloudtamer-service-role. If this CloudFormation or IAM role is removed from the AWS account, cloudtamer.io will not be able to manage the account anymore. Ensure you protect the role using IAM policies.
  9. In the Linked Commercial Account Number field, add the AWS account number for the commercial account to which the GovCloud account is linked.
  10. Leave the Linked Role field as OrganizationAccountAccessRole unless you changed the Organization role during the initial AWS account creation.
  11. Place a check by Skip Account Access Checking if you don't want cloudtamer.io to verify the role is available. You will need to add in the role later if you want cloudtamer.io to access the account. This allows you to preload accounts without having access to them.
  12. Check off Include Spend From Linked Commercial Account to include the spend data from the linked commercial account in financial reports for this account.
  13. Click Connect.
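As an added defender's check (not part of this article or of the cloudtamer.io product), the Python below audits a role trust policy of the shape the CloudFormation template in step 8 above (and step 11 of the previous section) is described as creating, and reports any principal other than the expected cloudtamer.io host account that could call sts:AssumeRole. The account IDs and policy documents are constructed placeholders; run it against the trust policy pulled from the GovCloud account to confirm the role is still locked down.

```python
# Placeholder for the AWS account where cloudtamer.io runs (not a real account ID).
CLOUDTAMER_ACCOUNT_ID = "111111111111"

def trust_policy(*principals):
    """Constructed trust policy in the shape the template is described as creating."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": list(principals)}, "Action": "sts:AssumeRole"}]}

# Expected: only the cloudtamer.io host account is trusted (GovCloud ARNs use aws-us-gov).
GOOD_TRUST_POLICY = trust_policy(f"arn:aws-us-gov:iam::{CLOUDTAMER_ACCOUNT_ID}:root")
# Drifted: a wildcard and an unrelated placeholder account were added to the trust policy.
BAD_TRUST_POLICY = trust_policy("*", "arn:aws-us-gov:iam::222222222222:root")

def _account_of(principal):
    """Reduce an AWS principal string to its account ID ('*' stays '*')."""
    if principal == "*" or (principal.isdigit() and len(principal) == 12):
        return principal
    parts = principal.split(":")  # arn:partition:iam::account:resource
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return principal

def assume_role_principals(policy):
    """Return the account IDs (or '*') that Allow statements let call sts:AssumeRole."""
    found = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous principal: any account may attempt the assume
            found.add("*")
            continue
        aws = principal.get("AWS", [])  # Service/Federated principals are out of scope here
        found.update(_account_of(p) for p in ([aws] if isinstance(aws, str) else aws))
    return found

def audit_trust_policy(policy, expected_account=CLOUDTAMER_ACCOUNT_ID):
    """Return findings; an empty list means only the expected account can assume the role."""
    trusted = assume_role_principals(policy)
    findings = []
    if "*" in trusted:
        findings.append("wildcard principal can assume the role")
    findings += [f"unexpected account {a} can assume the role"
                 for a in sorted(trusted - {"*", expected_account})]
    if expected_account not in trusted:
        findings.append(f"expected account {expected_account} is not trusted")
    return findings
```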


Add a New AWS GovCloud Account to the Account Cache

To create a new AWS GovCloud account using the Organizations API and add it to the account cache:

  1. From the left navigation menu, click Accounts > Account Cache (if you don't see Account Cache listed under Accounts, make sure the cache is enabled under Settings > System Settings > Account Creation Settings).
  2. Click the Add New button.
  3. Select Create a New AWS Account and click Continue.
  4. In the Account Name field, enter a name for the account.
  5. In the Billing Source field, select the management account that manages the AWS account you want to add. This is how cloudtamer.io gets the billing reports properly for the AWS account.
  6. Version 2.27.0 and higher: Place a check by Add to AWS Organization Unit (coming soon!) to add this account to an AWS OU within AWS Organizations. This won't affect the account's placement within cloudtamer.io OUs.
    • If you check this box, you'll have the option to Add to Existing OU or Create New OU. Make your selection, then select the existing AWS OU or enter a name for the new AWS OU.
  7. Enter a different name for the Linked Role if necessary. Otherwise, leave this name as the default.
  8. Place a check by Skip Account Access Checking if you don't want cloudtamer.io to verify the role is available. You will need to add in the role later if you want cloudtamer.io to access the account. This allows you to preload accounts without having access to them.
  9. Ensure Create and Link GovCloud Account is checked to create your new GovCloud account.
  10. The Include Spend From Linked Commercial Account checkbox allows you to create a commercial account along with the GovCloud account and track its spending separately. Check this box if you wish to create/include spend from a commercial account as well. 
  11. Click Create.

