Set up IAM role based Data Collector access

The preferred way to access data is to set up an IAM role in each AWS account to be analysed, and to allow the Capacity Planner Data Collector to assume that role in order to collect data.

There are two ways to set up the required access: with a CloudFormation template, or manually through the IAM console. Both are described below.

Before starting, ask ITRS to supply you with the account number to be used by the DataCollectorAccess role. You will need this account number to allow access to the Data Collector.

Set up access with CloudFormation

The DataCollectorAccess role allows the ITRS Data Collector to access the required data on your estate. Access can be withdrawn at any time by deauthorising the role for the account, or by deleting the role altogether.

The easiest way to configure AWS with the correct permissions for the Data Collector is to use CloudFormation in the AWS portal.

To set up the DataCollectorAccess role in a single account and region, follow these steps:

  1. Save the template below as a JSON file named CloudFormation-DataCollectorAccessRole.json. You will upload it when creating a new stack.

    {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Metadata": {
            "AWS::CloudFormation::Interface": {
                "ParameterGroups": [
                    {
                        "Label": {
                            "default": "IAM Role"
                        },
                        "Parameters": [
                            "ExternalAccount",
                            "ExternalId",
                            "ExternalUser"
                        ]
                    }
                ]
            }
        },
        "Parameters": {
            "ExternalId": {
                "Type": "String",
                "Description": "ITRS Data Collector External ID"
            },
            "ExternalAccount": {
                "Type": "String",
                "Default": "111171302824",
                "Description": "ITRS Data Collector Account"
            },
            "ExternalUser": {
                "Type": "String",
                "Default": "itrs-icpaas-dc",
                "Description": "ITRS Data Collector User"
            }
        },
        "Resources": {
            "DataCollectorAccess": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Principal": {
                                        "AWS": {
                                            "Fn::Sub": "arn:${AWS::Partition}:iam::${ExternalAccount}:user/${ExternalUser}"
                                        }
                                },
                                "Action": "sts:AssumeRole",
                                "Condition": {
                                    "StringEquals": {
                                        "sts:ExternalId": {
                                            "Ref": "ExternalId"
                                        }
                                    }
                                }
                            }
                        ]
                    },
                    "Description": "ICPaaS Data Collector IAM account",
                    "ManagedPolicyArns": [
                        "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
                        "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess",
                        "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess",
                        "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
                        "arn:aws:iam::aws:policy/ComputeOptimizerReadOnlyAccess",
                        "arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess"
                    ],
                    "MaxSessionDuration": 3600,
                    "Path": "/",
                    "Policies": [
                        {
                            "PolicyName": "CostExplorerReadAccess",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [
                                    {
                                        "Effect": "Allow",
                                        "Action": [
                                            "ce:GetReservationUtilization",
                                            "ce:GetDimensionValues",
                                            "ce:GetCostAndUsage",
                                            "ce:GetTags"
                                        ],
                                        "Resource": "*"
                                    }
                                ]
                            }
                        }
                    ],
                    "RoleName": "DataCollectorAccess"
                }
            }
        },
        "Outputs": {
            "RoleArn": {
                "Description": "ARN of the DataCollectorAccess Role",
                "Value": {
                    "Fn::GetAtt": [
                        "DataCollectorAccess",
                        "Arn"
                    ]
                }
            },
            "RoleId": {
                "Description": "Id of the DataCollectorAccess Role",
                "Value": {
                    "Fn::GetAtt": [
                        "DataCollectorAccess",
                        "RoleId"
                    ]
                }
            }
        }
    }
    
  2. Open the AWS Console for the account.

  3. From the list of available services, select Management & Governance > CloudFormation.

  4. Click Create stack. This will open the setup window where you can upload the template file.

  5. Select Template is ready in the Prerequisite - Prepare template section, and Upload a template file in the Specify template section of the setup window.

  6. Click Choose file and upload your saved CloudFormation-DataCollectorAccessRole.json file, and then click Next.

  7. Enter a name for the stack so that you can identify it on the CloudFormation page of the AWS portal.

  8. Provide values for ExternalAccount, ExternalId and ExternalUser.

  9. Click Next and add tags. This is optional, but tags can help with ongoing management.

  10. Select a preferred IAM role for managing the stack.

  11. Click Next: Review, check that your setup is correct, and click Create Stack.

Note

The easiest way to deploy stacks across an organisation's AWS accounts and regions is to use stack sets. However, this requires setting up either self-managed or service-managed permissions across the organisation, which is a decision for your organisation to make. For more information, see the official AWS documentation. The stack template JSON used for creating a single stack can also be used to create stack sets.

Set up access manually

The steps below should be carried out for each AWS account that is to be analysed:

  1. Create a new permissions policy that allows access to the required information. See Set up CostExplorerReadAccess policy.
  2. Create the role that the Data Collector will assume when collecting data. See Set up DataCollectorAccess role.

Set up CostExplorerReadAccess policy

The Data Collector requires a new permissions policy to read Cost Explorer data. To set up the CostExplorerReadAccess policy, follow these steps:

  1. Open the AWS Console for the account.
  2. Go to IAM > Policies and click Create policy.
  3. Open the JSON tab.
  4. Copy the following policy document into the text box:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ce:GetReservationUtilization",
                    "ce:GetDimensionValues",
                    "ce:GetCostAndUsage",
                    "ce:GetTags"
                ],
                "Resource": "*"
            }
        ]
    }

  5. Name the policy CostExplorerReadAccess, and save.

Set up DataCollectorAccess role

The DataCollectorAccess role allows the ITRS Data Collector to access the required data on your estate. Access can be withdrawn at any time by deauthorising the role for the account, or by deleting the role altogether.

If you are setting up the Data Collector access role for several accounts, the role name should be the same across all accounts.

To create the DataCollectorAccess role, follow these steps:

  1. Go to IAM > Roles and click Create role.
  2. Select Another AWS account and, for Account ID, enter the ITRS account number.
  3. Under Options, select Require external ID and enter a suitable external ID of your choice. Make a note of the external ID, as you will need to provide it to ITRS.
    Do not select Require MFA.
  4. Click Next: Permissions to assign permissions.
  5. In the Permissions window, assign the following permissions to the role by selecting the check boxes:
    • AmazonEC2ReadOnlyAccess
    • AmazonRDSReadOnlyAccess
    • AWSCloudTrailReadOnlyAccess
    • AWSSavingsPlansReadOnlyAccess
    • CloudWatchReadOnlyAccess
    • CostExplorerReadAccess
  6. Click Next and add tags. This is optional, but tags can help with ongoing management.
  7. Click Next: Review, check that your setup is correct, and click Create role.
  8. Name the role DataCollectorAccess, and save.
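
Whichever route you take, the trust policy on DataCollectorAccess is what keeps the role from being assumed by anyone other than the ITRS collector, so it is worth checking before you hand the account number and external ID over. The script below is an added example, not ITRS code or AWS tooling: it validates a trust policy document (as produced by the template above, or by the manual steps) against the page's requirements: a single principal matching the ITRS collector user, an sts:ExternalId condition, and no Require MFA condition. The account and user defaults come from the template; the two policy documents and the external ID value are constructed sample input.

```python
"""Added example (not ITRS code): sanity-check a DataCollectorAccess trust policy."""

# Defaults taken from the CloudFormation template's ExternalAccount / ExternalUser.
EXPECTED_ACCOUNT = "111171302824"
EXPECTED_USER = "itrs-icpaas-dc"


def check_trust_policy(doc: dict, account: str, user: str) -> list:
    """Return a list of findings; an empty list means the trust policy is acceptable."""
    findings = []
    stmts = doc.get("Statement", [])
    if len(stmts) != 1:
        findings.append(f"expected exactly one statement, found {len(stmts)}")
    expected_arn = f"arn:aws:iam::{account}:user/{user}"
    for s in stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or actions != ["sts:AssumeRole"]:
            findings.append("statement must be Allow on sts:AssumeRole only")
        principal = s.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        arns = [arns] if isinstance(arns, str) else arns
        if arns != [expected_arn]:   # root, wildcard or another account is too broad
            findings.append(f"principal must be exactly {expected_arn}, found {arns}")
        cond = s.get("Condition", {})
        if not cond.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        if "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            findings.append("Require MFA is set; the collector cannot satisfy it")
    return findings


# Constructed sample: what the template's AssumeRolePolicyDocument resolves to.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXPECTED_ACCOUNT}:user/{EXPECTED_USER}"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Constructed sample of a weak role: trusts the whole account and has no external ID.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXPECTED_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}
```

Run it against the role's actual trust policy (for example the output of `aws iam get-role`) before sending the external ID to ITRS; any non-empty findings list means the role should be corrected first.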

Note

You need to send the account number and external ID for the role to your ITRS representative in a secure way.