With the release of our new Turbonomic SaaS offering, we've modified the steps to target AWS accounts using IAM Roles. Below is a summary as well as step-by-step instructions. The Identity Provider and IAM Role need to be created in every AWS account you would like to add as a target to Turbonomic.
Before you proceed, obtain the Service Account number from Turbonomic Support; it is required for step 1.5.
Step-by-Step Instructions:
Step 1: Create an IAM Role
- Access the AWS Identity and Access Management (IAM) console and navigate to the Roles option on the left menu.
- Select Create Role
- When asked to select the type of trusted entity, select Web Identity
- On the Identity provider pulldown, select the Google provider that you just created
- In the Audience field, enter the service account number obtained from Turbonomic: for example 11223344556677889900
- Click Next
- Add the following policies:
  - AmazonEC2ReadOnlyAccess (Use EC2FullAccess for action automation)
  - AmazonRDSReadOnlyAccess (Use RDSFullAccess for future action automation, currently not supported)
  - AmazonS3ReadOnlyAccess (only required in Master (payer) account for accessing the cost and usage report)
- Click Next: Tags
- Add Tags if required by your organizational IT policies, otherwise, just click Next: Review
- On the Review screen, enter the Role Name: TurbonomicSaaSRole
- Enter a Role Description. For example, Role to allow the Turbonomic SaaS service access to this account.
- Select the Create button
- On the list of roles, find the TurbonomicSaaSRole you just created and click the name of the role
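The audience entered in step 1.5 is what restricts the role to the Turbonomic service account, so it is worth confirming that it landed in the role's trust policy. The checker below is an added example, not Turbonomic or AWS code; the sample policy is constructed, and it assumes the trust policy has the shape AWS uses for a Google web identity role (federated principal `accounts.google.com` or a Google OIDC provider ARN, with the `accounts.google.com:aud` condition key).

```python
import json

GOOGLE = "accounts.google.com"
ASSUME = "sts:AssumeRoleWithWebIdentity"

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_aud):
    """Return findings; an empty list means only the expected audience is trusted."""
    findings = []
    allows = [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for n, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        fed = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        # Accept the built-in provider name or an IAM OIDC provider ARN for Google.
        google_only = bool(fed) and set(principal) == {"Federated"} and all(
            f == GOOGLE or f.endswith(":oidc-provider/" + GOOGLE) for f in fed)
        if not google_only:
            findings.append(f"statement {n}: principal is not limited to the Google provider")
        if as_list(stmt.get("Action", [])) != [ASSUME]:
            findings.append(f"statement {n}: action is not exactly {ASSUME}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(GOOGLE + ":aud", [])
        if as_list(aud) != [expected_aud]:
            findings.append(f"statement {n}: {GOOGLE}:aud is not pinned to {expected_aud}")
    return findings

# Constructed sample; fetch the real document with:
#   aws iam get-role --role-name TurbonomicSaaSRole --query Role.AssumeRolePolicyDocument
SAMPLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Federated": "accounts.google.com"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals":
                    {"accounts.google.com:aud": "11223344556677889900"}}}]}
""")

if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE, "11223344556677889900") or ["OK"]:
        print(finding)
```

A finding about the `aud` condition means the role is not scoped to the service account number from Turbonomic Support and the trust relationship should be corrected before adding the target.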
Step 2: Obtain the Role ARN
- Select the Role you just created (i.e. TurbonomicSaaSRole)
- Copy the Role ARN (top of the screen); you will need it to add the AWS target in Turbonomic
Step 3: Add Target in Turbonomic
- Log in to the Turbonomic SaaS console
- Navigate to Settings > Target Configuration
- Click the New Target button
- Select Cloud Management
- Select AWS
- On the Add AWS Target screen enter the following:
  - Address: enter any text string you would like to identify the account being targeted
  - IAM Role ARN: Paste the Role ARN you copied in step 2.2
  - Cost and usage report fields: Enter this information, if configured in this account (see this article for more details). This should only be added for your Master (payer) account.
- Click the Add button
- Confirm the new target is added with a successful result