Cloud Control: AWS Target Setup

Document created by thodoris77 (Expert) on Oct 10, 2016. Last modified by Michael Nagar on May 20, 2020.

**This document is part of the Cloud Control Setup Overview [Start Here]. Targeting public cloud providers requires a license key that includes the "Public Cloud" feature. If you are not able to add AWS, Azure or SoftLayer with your current license, please reach out to sales@turbonomic.com for more information.**


To connect Turbonomic to an AWS account, follow the steps below:

 

  1. Create a user account (take note of the Access Key ID and the Secret Access Key)
  2. Assign the correct permissions
  3. Add the Target to Turbonomic


Create User Account

 

  1. Log in to the AWS Management Console and select IAM (Identity and Access Management) from the Services menu



  2. Click Users and create a new user account.

  3. Enter the User name. Make sure that "Programmatic access" is checked.


 

Assign Permissions

 

1. On the Permissions section click "Attach existing policies directly"


 


2. For Turbonomic to execute decisions in AWS, the FullAccess policies listed below are required. Alternatively, you can attach ReadOnly policies instead, which allow Turbonomic to monitor and recommend actions but not execute them. If you only intend to evaluate recommendations at first, start with the ReadOnly set and widen the permissions only when you enable automated execution.

 

To execute Turbonomic actions, attach the following AWS managed policies:

  • AmazonEC2FullAccess
  • AmazonS3ReadOnlyAccess
  • AmazonRDSFullAccess
  • AWSConfigRoleForOrganizations (only required for consolidated billing with the master account)

For least-privilege access (monitoring and recommendations only), attach the following AWS managed policies:

  • AmazonEC2ReadOnlyAccess
  • AmazonS3ReadOnlyAccess
  • AmazonRDSReadOnlyAccess
  • AWSConfigRoleForOrganizations (only required for consolidated billing with the master account)

 

Note that the "AWSConfigRoleForOrganizations" policy:

  • Is optional
  • Does NOT affect AWS target validation in Turbonomic if it is not attached
  • When attached, lets Turbonomic show the "friendly account names" instead of the "account numbers" in the Top Account panel of the Cloud


3. Review the assigned permissions and select "Create user"

 

4. Take note of the Access Key ID and the Secret Access Key.
(copy and paste them into a text document or download the .csv file; note that the .csv contains the secret in clear text, so store it in a password or secrets manager rather than leaving it on disk)
The secret will not be displayed again, so if you don't record it now, you will have to create a new access key.
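The three console steps above (create the user, attach the managed policies, create the access key) can also be scripted. The following is an added example written for this article, not Turbonomic's own tooling: it uses boto3 (assumed to be installed, with caller credentials that may manage IAM), the managed policy names listed above, and a placeholder user name. `policy_arns_for` is pure and can be checked without touching AWS; `provision_user` performs the actual calls.

```python
"""Provision a Turbonomic IAM user with boto3 instead of the console.

Added example, not part of the original article. Assumes boto3 is installed
and that the caller's own credentials are allowed to manage IAM. The policy
names are the ones listed in the article; the user name is a placeholder.
"""
import json
import sys

# AWS managed policies named in the article, keyed by how Turbonomic will be used.
MANAGED_POLICIES = {
    # Turbonomic executes actions (resize, move, ...).
    "execute": ["AmazonEC2FullAccess", "AmazonS3ReadOnlyAccess", "AmazonRDSFullAccess"],
    # Monitoring and recommendations only (least privilege).
    "monitor": ["AmazonEC2ReadOnlyAccess", "AmazonS3ReadOnlyAccess", "AmazonRDSReadOnlyAccess"],
}
# Only needed for consolidated billing on the organization's master (payer) account.
ORG_POLICY = "AWSConfigRoleForOrganizations"


def policy_arns_for(mode: str, consolidated_billing: bool = False) -> list:
    """Return the managed-policy ARNs to attach for the given mode."""
    if mode not in MANAGED_POLICIES:
        raise ValueError(f"mode must be one of {sorted(MANAGED_POLICIES)}")
    names = list(MANAGED_POLICIES[mode])
    if consolidated_billing:
        names.append(ORG_POLICY)
    return [f"arn:aws:iam::aws:policy/{name}" for name in names]


def provision_user(user_name: str, mode: str, consolidated_billing: bool = False) -> dict:
    """Create the IAM user, attach the policies and mint one access key.

    The secret is only returned by this call, exactly as the console warns,
    so hand it to your secrets manager immediately.
    """
    import boto3  # imported here so the pure helper above works without it

    iam = boto3.client("iam")
    iam.create_user(UserName=user_name)
    for arn in policy_arns_for(mode, consolidated_billing):
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    # "Programmatic access" in the console is exactly this: an access key pair.
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"AccessKeyId": key["AccessKeyId"], "SecretAccessKey": key["SecretAccessKey"]}


if __name__ == "__main__":
    # Usage: python provision_turbonomic_user.py turbonomic-monitor monitor [--org]
    name, mode = sys.argv[1], sys.argv[2]
    creds = provision_user(name, mode, consolidated_billing="--org" in sys.argv[3:])
    # Printed once; this is the scripted equivalent of the console's .csv download.
    print(json.dumps(creds))
```

Run it with `monitor` first; switching the same user to `execute` later is just attaching the FullAccess policies and detaching the ReadOnly ones, and does not require a new key.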


Add the Target to Turbonomic

 

1. To add AWS targets, select Cloud Management > AWS on the Target Configuration page, and provide the following information:

 

• Address

=> The display name that will be used to identify the target in the Target List. This is for display in the UI only; it does not need to match any internal name.

• Access Key

=> Provide the Access Key for the account you want to manage.

• Secret Access Key

=> Provide the Access Key Secret for the account you want to manage.

• Proxy Host

=> The IP address of your proxy host (only needed if Turbonomic must reach AWS through a proxy)

• Proxy Port

=> The port of the proxy host above

• Cost and Usage Report Bucket

=> Name of the S3 bucket that contains the AWS Cost and Usage report.

• Cost and Usage Report Region

=> Region of the S3 bucket that contains the AWS Cost and Usage report.

• Cost and Usage Report Path

=> Path in the S3 bucket to the AWS Cost and Usage report.

• ARN Account ID

=> Shows the ARN that Turbonomic discovers for this target. You should never provide a value for this field.

 

NOTE: Turbonomic supports logging in to AWS targets via AWS Identity and Access Management (IAM) with either IAM Users or IAM Roles. To use IAM Roles, the Turbonomic software must run on an EC2 instance in the AWS cloud, the instance must run under an IAM Role, and that role must be able to connect to the target accounts with the appropriate IAM Role. To set this up, please contact Technical Support.


IMPORTANT NOTE: Do not substitute a self-created policy or an imported group policy that grants only FULL READ or FULL ACCESS to EC2, RDS and S3. Such policies lack the CloudWatch, Elastic Load Balancing and Auto Scaling permissions that AmazonEC2ReadOnlyAccess and AmazonEC2FullAccess include and that Turbonomic relies on, as shown below:

 

AmazonEC2ReadOnlyAccess Policy (excerpt: the Elastic Load Balancing, CloudWatch and Auto Scaling statements, shown inside a complete policy document)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    }
  ]
}