- Log in to the totalcloud app using your totalcloud user credentials.
- Click the ‘Live’ button to configure your AWS account (if you have already configured your AWS account, this screen is not shown).
You can also change your configurations at a later stage.
For Cross Account Access
- Select Cross Account Access
- Enter the role ARN (mandatory) and the S3 billing bucket name (if needed)
- Click on SAVE
For Key Based Access
- Select Key Based Access.
- Enter the Access Key, Secret Key and S3 billing bucket name (if needed).
- Click on SAVE
Refer to the sections below to create the cross-account role (whose ARN you enter above) and the S3 billing bucket. If you have already created an S3 billing bucket, specify that bucket's name.
How to create a cross account role in AWS console?
- Log in to your AWS console
- Select Services -> IAM -> Roles in the AWS console
- Click Create new role
- Select Role for cross-account access
- Select Provide access between your AWS account and a 3rd party AWS account
- Copy the External ID and Account ID from totalcloud's user configuration page and enter them here. The Account ID makes totalcloud's AWS account the only principal allowed to assume the role; the External ID is a value totalcloud must present on every sts:AssumeRole call, which stops another totalcloud customer from pointing the service at your role (the confused-deputy problem)
- Leave Require MFA unchecked: the role is assumed programmatically by totalcloud, which cannot present an MFA code
- Search for ReadOnlyAccess in the search bar, select it and click Next
The AWS-managed ReadOnlyAccess policy gives totalcloud read access to all of your resources; with this policy alone totalcloud cannot change your infrastructure. Note that "read" covers data as well as configuration: ReadOnlyAccess includes actions such as s3:Get*, so the role can read object contents in your buckets. If that is more than you want to grant, attach a narrower read-only managed policy instead, bearing in mind that any totalcloud feature that needs a permission the narrower policy omits will not work.
ReadOnlyAccess enables the Monitoring, Cost Analyzer (if an S3 billing bucket is configured), Insights and Security compliance features of totalcloud. Automation and Operations require additional permissions (optional).
See the section below on configuring a policy for Operations and Automation.
- Set the role name and description, then click Create role
How to configure policy for Operations and Automation features?
- Select Services-> IAM-> Policies in AWS console
- Click Create policy
You can either use totalcloud's recommended policy (as defined below), or select Policy Generator to create your own policy by choosing the Service and Actions you need. The second option lets you control which actions are allowed on each resource.
Note: if the relevant permissions for a resource are not granted, the corresponding operations will not be supported by the tool.
- Select Create Your Own Policy as shown in the previous step
- Paste either totalcloud's recommended policy or the custom policy generated with the Policy Generator into the policy document section and click Create Policy
- Select IAM -> Roles -> Totalcloud (the cross-account role created in the section above)
- Click Attach Policy
- Select the newly created policy based on your naming
- Click Attach Policy
After this step you should see two policies attached to the role:
1. ReadOnlyAccess (AWS managed).
2. The newly created custom policy.
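As an added illustration of the "control the actions that are allowed for each of the resources" approach (this is not totalcloud's recommended policy, which is not reproduced here), the block below defines a scoped customer-managed policy for an Operations/Automation role and a small check that flags over-broad statements before you paste a policy document into the console. The actions, the tag key `totalcloud:managed` and the resource ARNs are assumptions to adapt to the operations you actually want the tool to perform.

```python
"""A scoped customer-managed policy for the Operations/Automation role, plus a
check that flags over-broad statements before the document is pasted into the
console.

Added example, not totalcloud's recommended policy. The actions, the tag key
"totalcloud:managed" and the resource ARNs are assumptions; adapt them to the
operations you want the tool to perform.
"""
import json

# Constructed example: allow start/stop only on instances that carry an opt-in
# tag, so a granted write action cannot touch untagged or unrelated resources.
SCOPED_OPERATIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartStopTaggedInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/totalcloud:managed": "true"}},
        },
    ],
}

READ_VERB_PREFIXES = ("Describe", "Get", "List")


def is_read_action(action: str) -> bool:
    """True for actions that only read (Describe*/Get*/List*, including wildcard
    forms such as ec2:Describe*); "*" and "service:*" count as write."""
    if action == "*":
        return False
    verb = action.split(":", 1)[1] if ":" in action else action
    verb = verb.rstrip("*")
    return bool(verb) and verb.startswith(READ_VERB_PREFIXES)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> list:
    """Return identifiers (Sid, or statement[<index>] when no Sid) of Allow
    statements that grant a write action on every resource ("*") with no
    Condition: exactly the grants the per-resource controls exist to avoid."""
    flagged = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        writes = [a for a in _as_list(stmt.get("Action", [])) if not is_read_action(a)]
        unscoped = "*" in _as_list(stmt.get("Resource", []))
        if writes and unscoped and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", f"statement[{index}]"))
    return flagged


def policy_document(policy: dict) -> str:
    """The JSON text to paste into the policy document field."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_document(SCOPED_OPERATIONS_POLICY))
    print("over-broad statements:", find_overbroad_statements(SCOPED_OPERATIONS_POLICY))
```

Run `find_overbroad_statements` over any policy you generate before attaching it; a flagged statement is one the Policy Generator can usually narrow by choosing a resource ARN or adding a tag condition, as in the sample above.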
How to Configure S3 billing bucket in AWS Console?
- Select Services-> S3-> Create Bucket
- Provide name and relevant details to configure your bucket
- Select Your Account -> My Billing Dashboard
- Select Preferences
- Enable Receive Billing Reports
- Type the name of the billing bucket you just created. Before clicking Verify, copy the sample bucket policy shown there; it is pasted into the bucket's permissions in the next steps
- Select Services -> S3
- Select the billing bucket -> Permissions -> Bucket Policy
- Paste the sample policy copied in the previous step and save
- Once saved, return to the Billing Preferences page and click Verify
- Copy the same billing bucket name into the user profile configuration as shown in the login step above
Common issues while configuring the user
Account Number & External ID are wrongly configured
- Go to IAM -> Roles -> "Newly created role" -> Trust Relationships.
- Check that both the Account Number and the External ID in the trust policy match the values in the user profile configuration form of the totalcloud app. The trusted principal must be totalcloud's account (not your own), and the External ID must match exactly: it is compared with StringEquals, so case and stray whitespace matter.
ARN in totalcloud app does not match the newly created role ARN
- Go to IAM -> Roles -> "Newly created role" in the AWS console.
- Check that the Role ARN shown in the AWS console (of the form arn:aws:iam::<your account ID>:role/<role name>) is the same as the one entered in totalcloud's user configuration form.
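The block below is an added example (not code from totalcloud) covering the cross-account role section above and the two troubleshooting items just described: it builds the trust relationship document the console generates for "access between your account and a 3rd party", computes the role ARN you should see in the console, and checks an existing role's Trust Relationships document against the Account ID and External ID from totalcloud's configuration page. The account IDs, External ID and role name are constructed placeholders; substitute the values totalcloud shows you.

```python
"""Trust policy for the cross-account role totalcloud assumes: build the
document the console creates for "access between your account and a 3rd
party", and verify a role's Trust Relationships against the values shown on
totalcloud's user configuration page.

Added example, not code from totalcloud. The IDs and role name below are
constructed placeholders; use the values totalcloud displays.
"""
import json

# Constructed placeholders (not real values).
TOTALCLOUD_ACCOUNT_ID = "111122223333"   # the Account ID totalcloud displays
EXTERNAL_ID = "tc-5f3a9c1d"              # the External ID totalcloud displays
YOUR_ACCOUNT_ID = "999988887777"         # the AWS account the role lives in
ROLE_NAME = "Totalcloud"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust relationship that lets only `trusted_account_id` assume the role,
    and only when it presents `external_id` (the confused-deputy guard that is
    the reason the External ID exists)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def expected_role_arn(account_id: str, role_name: str) -> str:
    """The ARN shown under IAM -> Roles -> <role>; it must equal the ARN
    entered in totalcloud's configuration form."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_account_id: str, expected_external_id: str) -> list:
    """Return a list of problems with a role's trust relationship document (what
    IAM shows under Trust Relationships). An empty list means exactly the
    expected account is trusted and the expected External ID is enforced."""
    problems = []
    assume_statements = [
        s for s in _as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))
    ]
    if not assume_statements:
        return ["no Allow statement for sts:AssumeRole: nobody can assume the role"]
    for stmt in assume_statements:
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        accounts = set()
        for p in principals:
            if p == "*":
                problems.append("Principal is '*': any AWS account could assume the role")
            elif p.startswith("arn:aws:iam::"):
                accounts.add(p.split(":")[4])   # arn:aws:iam::<account>:root
            else:
                accounts.add(p)                 # bare account-ID form
        if expected_account_id not in accounts:
            problems.append(f"trusted accounts {sorted(accounts)} do not include {expected_account_id}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition: the External ID is not enforced")
        elif ext != expected_external_id:
            problems.append(f"External ID {ext!r} does not match {expected_external_id!r}")
    return problems


def fetch_trust_policy(role_name: str) -> dict:
    """Read the live trust relationship with boto3 (needs AWS credentials and
    the boto3 package); the offline demo below does not call it."""
    import boto3
    return boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(TOTALCLOUD_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print("expected role ARN:", expected_role_arn(YOUR_ACCOUNT_ID, ROLE_NAME))
    # Constructed misconfiguration: External ID typed with the wrong case.
    wrong = build_trust_policy(TOTALCLOUD_ACCOUNT_ID, "tc-5f3a9c1D")
    for problem in check_trust_policy(wrong, TOTALCLOUD_ACCOUNT_ID, EXTERNAL_ID):
        print("problem:", problem)
```

To check a live role, pass `fetch_trust_policy("Totalcloud")` to `check_trust_policy` with the Account ID and External ID copied from totalcloud's configuration page; any non-empty result names the field to correct in the Trust Relationships editor.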
Access Key and Secret Key are not correct
- Go to IAM -> Users -> "Newly created user" -> Security Credentials.
- Check that the access key ID matches the one in the user configuration window of the totalcloud app. AWS shows the secret access key only once, when the key is created; if you no longer have it, create a new access key, enter the new pair in totalcloud and deactivate the old key.
Note: the cross-account access method takes precedence over key-based access when both sets of details are entered in the user configuration form of the totalcloud application. Prefer cross-account access where possible: it avoids storing a long-lived access key and secret with a third party, and the External ID condition on the role prevents another totalcloud customer from getting the service to assume your role.