Configuring Amazon Web Services accounts

Last updated 26 October, 2018

About Amazon Web Services accounts

  Download HPE policy json files for AWS  (File updated 17 Oct 2018)

How do I find this information?

To find your Amazon account information, log in to your Amazon Web Services EC2 account. In the upper right corner, click My Account or the HPE OneSphere payer account name, then select Security Credentials.

  • Access Key ID

    The 20-character alphanumeric ID is displayed under Access Keys.

  • Secret Access Key

    If you don't know your Secret Access Key, you can deactivate or delete your existing Access Key ID and create a new Access Key. When you create a new Access Key, the 40-character alphanumeric ID is displayed under Access Keys and is available for download in a .csv file.

  • S3 Cost Bucket Name

    To find the cost bucket name, open the AWS S3 console. Existing buckets are displayed under Bucket Name.

Identity and Access Management (IAM) user accounts

HPE OneSphere interacts with AWS through IAM user accounts. The IAM user accounts must be configured in AWS with specific privileges that enable management of those accounts by HPE OneSphere.

See Access Management and Managing the AWS accounts in your organization in the AWS documentation.

HPE OneSphere account         Relationship   AWS IAM account
AWS public billing account    connects to    AWS payer/master account and AWS standalone account
AWS public account            connects to    AWS member account

  • Create or modify an AWS payer/master account that HPE OneSphere uses for the collection of billing data. You will enter the credentials for this account on the HPE OneSphere Public Billing Accounts screen.

    You cannot connect an AWS root account to HPE OneSphere.

  • Create or modify an AWS member account that HPE OneSphere uses to deploy virtual machines and containers to AWS. You will enter the credentials for this account on the HPE OneSphere Public Accounts screen.

You can connect the following types of AWS accounts in HPE OneSphere.

AWS account types

Organization accounts

  • Payer/Master accounts with member accounts

    A payer account is an account that pays for itself, and may also be a master account with children (member) accounts.

    A payer account that is not also a master account has no managed deployments nor any enabled regions. A payer account is connected to HPE OneSphere only for the centralization of billing information.

    A payer account has permissions granted by the HPE OneSphere service control policy for payer accounts, which allows HPE OneSphere to:

    • Get billing data from an S3 cost bucket

    • List member accounts in the organization

  • Member accounts

    A member account has permissions granted by the HPE OneSphere service control policy files for managed accounts, which allow HPE OneSphere to obtain information about deployments and to perform other optional actions.

Non-organization accounts

IAM policy files

An AWS IAM policy determines which services and actions can be delegated by administrators to the users and roles in the accounts to which the policy is applied. A policy does not grant any permissions to a user account.

Account type    HPE OneSphere policies to apply
Payer/Master    hpe-payer-account-policy.json
                hpe-managed-account-policy.*.json *
Member          hpe-managed-account-policy.*.json
Standalone      hpe-payer-account-policy.json
                hpe-managed-account-policy.*.json

* Required if the payer account is also a master account (with or without managed accounts) with enabled regions in HPE OneSphere and with managed deployments.

After you configure accounts in AWS:

  • For a Payer/Master account:

    • Import and attach the HPE OneSphere payer .json policy file to the IAM user identity in AWS.

    • If the payer account is also a master account (with or without managed accounts) with enabled regions in HPE OneSphere and with managed deployments, import and attach HPE OneSphere managed .json policy files to the IAM user identity in AWS.

  • For a Member account: Import and attach the HPE OneSphere managed .json policy files to the IAM user identity in AWS.

  • For a Standalone account: Import and attach the HPE OneSphere payer and managed .json policy files to the IAM user identity in AWS.


Setting up an AWS payer account

Before you connect HPE OneSphere to AWS by adding a public billing account, you must configure a master or standalone account in AWS for use with HPE OneSphere.

In the EC2 URLs in the following procedure, change the region from us-east-2 to the region appropriate for your environment, which is typically close to your geographic region.

Prerequisites

The administrator created a master account (for organization accounts) or a payer account (for standalone accounts) in Amazon Web Services EC2.

Procedure
  1. Log in to the Amazon EC2 console using your AWS master/payer account credentials.
  2. On the AWS S3 screen, create an AWS Simple Storage Service (S3) cost bucket to be used as a receptacle for billing reports. Note the cost bucket name for later use.
  3. On the AWS Users screen, add an IAM user account for the collection of billing data.

    For access type, select Programmatic access.

    If you plan to connect an existing user account to HPE OneSphere, continue to step 4.

  4. Download HPE-policy-json-files-for-AWS.zip from the link at the top of this page, and extract the files to your PC or staging server.
  5. Import the IAM user policy hpe-payer-account-policy.json file to the IAM user account.

    HPE OneSphere action                                                            Policy file to attach to payer and master accounts   Required or Optional   Edit file before attaching?
    Get billing data from an S3 cost bucket and information about member accounts   hpe-payer-account-policy.json                        Required               Yes

    From the AWS S3 console, click the bucket name, then the Permissions tab, then Bucket Policy.

    1. Edit the file hpe-payer-account-policy.json in an editor and replace <REPLACE_WITH_COST_BUCKET> with the name of your S3 cost bucket, replace <ACCOUNT_NUMBER> with the user's account number, and replace <USER_NAME> with the name of the user account.
    2. If you are not still logged in, log in to the Amazon EC2 console using your AWS payer account credentials.
    3. Go to the AWS IAM console.
    4. In the left navigation, select Policies.
    5. At the top of the screen, click Create Policy.
    6. Click the JSON tab.
    7. Paste the edited contents of hpe-payer-account-policy.json into the text box.
    8. Click Review policy and correct any formatting errors.
    9. Add the name hpe-payer-account-policy and an optional description.
    10. Click Create policy.
    11. At the top of the policy list, type hpe into the search box.
    12. Select hpe-payer-account-policy.
    13. From the Policy actions drop-down menu, select Attach.
    14. Select the IAM user account created in step 3, or an existing user account.
    15. Click Attach policy.
  6. On the AWS Preferences screen, turn on detailed billing reports for the account you created in step 3.
    1. Check Receive Billing Reports.
    2. Click the Sample Policy link and copy the policy to the S3 cost bucket created in step 2.
    3. Enter the S3 cost bucket created in step 2 and click Verify.
    4. Select (at a minimum) Monthly report and Detailed billing report with resources and tags.
    5. In the list of reports to receive, select both Monthly report and Detailed billing report with services and tags.
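The placeholder substitution in step 5.1 and the formatting check in step 5.8 can be done and verified before anything is pasted into the IAM console. The following Python script is an added example, not HPE's file or tooling: SAMPLE_TEMPLATE is a constructed stand-in for hpe-payer-account-policy.json that carries the three placeholders this page names (the real statements are in the downloaded zip and are not reproduced here), and the bucket name, account number and user name passed to it are made-up values. It renders the template, refuses to continue if a placeholder survives or the JSON is malformed, and summarises which actions the rendered policy allows on which resources, flagging any S3 grant that reaches outside the cost bucket.

```python
import json
import re

# Placeholder tokens used in the HPE policy files, as named on this page.
PLACEHOLDERS = ("<REPLACE_WITH_COST_BUCKET>", "<ACCOUNT_NUMBER>", "<USER_NAME>")

# Constructed stand-in for hpe-payer-account-policy.json. The real file ships in
# HPE-policy-json-files-for-AWS.zip; the statements below are an assumption used
# only to exercise the substitution and the checks.
SAMPLE_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadCostBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::<REPLACE_WITH_COST_BUCKET>",
        "arn:aws:s3:::<REPLACE_WITH_COST_BUCKET>/*"
      ]
    },
    {
      "Sid": "ListMemberAccounts",
      "Effect": "Allow",
      "Action": ["organizations:ListAccounts"],
      "Resource": "*"
    },
    {
      "Sid": "OwnUserOnly",
      "Effect": "Allow",
      "Action": ["iam:GetUser"],
      "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:user/<USER_NAME>"
    }
  ]
}"""


def render_policy(template, bucket, account_number, user_name):
    """Substitute the three placeholders and return the policy as a dict.

    Raises ValueError when an input is malformed or a placeholder survives,
    so a half-edited file is never pasted into the IAM console.
    """
    if not re.fullmatch(r"\d{12}", account_number):
        raise ValueError("AWS account numbers are exactly 12 digits")
    # S3 bucket names: 3-63 characters of lowercase letters, digits, dots, hyphens.
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError("invalid S3 bucket name: %r" % bucket)
    # IAM user names: up to 64 characters from the IAM-permitted set.
    if not re.fullmatch(r"[\w+=,.@-]{1,64}", user_name):
        raise ValueError("invalid IAM user name: %r" % user_name)

    rendered = (template
                .replace("<REPLACE_WITH_COST_BUCKET>", bucket)
                .replace("<ACCOUNT_NUMBER>", account_number)
                .replace("<USER_NAME>", user_name))
    leftover = [p for p in PLACEHOLDERS if p in rendered]
    if leftover:
        raise ValueError("unreplaced placeholders: %s" % ", ".join(leftover))
    policy = json.loads(rendered)  # raises on the formatting errors step 5.8 warns about
    if policy.get("Version") != "2012-10-17":
        raise ValueError("policy Version must be 2012-10-17")
    return policy


def grant_summary(policy):
    """List (action, resource) pairs the policy allows, for a least-privilege review."""
    pairs = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        pairs.extend((a, r) for a in actions for r in resources)
    return sorted(pairs)


def s3_grants_outside_bucket(policy, bucket):
    """Return S3 grants whose resource is not the cost bucket or its objects."""
    allowed = {"arn:aws:s3:::" + bucket, "arn:aws:s3:::" + bucket + "/*"}
    return [(a, r) for a, r in grant_summary(policy)
            if a.startswith("s3:") and r not in allowed]


if __name__ == "__main__":
    # Made-up bucket, account number and user name for the demonstration.
    pol = render_policy(SAMPLE_TEMPLATE, "example-cost-bucket", "123456789012", "onesphere-billing")
    for action, resource in grant_summary(pol):
        print(action, "->", resource)
    print("S3 grants outside the cost bucket:", s3_grants_outside_bucket(pol, "example-cost-bucket"))
```

The rendered dict can be written out with json.dump and created and attached with the AWS CLI (aws iam create-policy --policy-name hpe-payer-account-policy --policy-document file://rendered.json, then aws iam attach-user-policy --user-name and --policy-arn) instead of pasting by hand; the grant review is worth doing either way, since a stray wildcard in the S3 resource would expose more than the cost bucket.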

For more information, see the following topics in the AWS documentation:

Setting up an AWS member account

Before you connect HPE OneSphere to AWS by adding a public account, you must configure a member account in AWS for use with HPE OneSphere.

NOTE:

For standalone (non-organization) accounts, configure the accounts to import and attach both the HPE OneSphere payer and managed .json policy files.

In the EC2 URLs in the following procedure, change the region from us-east-2 to the region appropriate for your environment, which is typically close to your geographic region.

Prerequisites

The administrator created a master account (for organization accounts) or a payer account (for standalone accounts) in Amazon Web Services EC2.

Procedure
  1. Log in to the Amazon EC2 console using your AWS account credentials.
  2. On the AWS Users screen, add an AWS user account.

    For access type, select Programmatic access.

    If you plan to connect an existing user account to HPE OneSphere, continue to step 3.

  3. If you previously imported and attached the hpe-managed-account-policy.json file:
    1. In Filter policies, type hpe.
    2. Select the hpe-managed-account-policy.json file.
    3. From the Policy actions drop-down menu, select Detach.
  4. Import the IAM user policy hpe-managed-account-policy.*.json files to the AWS user account. These policy files are included in the HPE-policy-json-files-for-AWS.zip.

    NOTE:

    Each policy file includes the permissions required in AWS to allow HPE OneSphere to perform a particular action. Attach all of the policy files, even if you do not plan to use the features enabled by the policy file.

    HPE OneSphere action                                  Policy file to attach to member and standalone accounts   Required or Optional   Edit file before attaching?
    Obtain information about deployments                  hpe-managed-account-policy.insights.json                  Required               Yes
    Deploy virtual machines and applications to AWS EC2   hpe-managed-account-policy.vmvending.json                 Required               No
    Deploy Kubernetes clusters to AWS                     hpe-managed-account-policy.k8s.json                       Required               No
    Deploy CloudFormation and ECR images to AWS           hpe-managed-account-policy.catalog.json                   Required               No
    Check AWS service compliance                          hpe-managed-account-policy.compliance.json                Required               No
    Discover resources in AWS                             hpe-managed-account-policy-alpha.discovery.json           Required               No
    1. Edit the file hpe-managed-account-policy.insights.json in an editor and replace <ACCOUNT_NUMBER> with the user's account number, and replace <USER_NAME> with the name of the user account.
    2. If you are not still logged in, log in to the Amazon EC2 console using your AWS member account credentials.
    3. Go to the AWS IAM console.
    4. In the left navigation, select Policies.
    5. At the top of the screen, click Create Policy.
    6. Click the JSON tab.
    7. Paste the edited contents of hpe-managed-account-policy.insights.json into the text box.
    8. Click Review policy and correct any formatting errors.
    9. Add the name hpe-managed-account-policy.insights.json and an optional description.
    10. Click Create policy.
    11. At the top of the policy list, type hpe into the search box.
    12. Select hpe-managed-account-policy.insights.json.
    13. From the Policy actions drop-down menu, select Attach.
    14. Select the IAM user account created in step 2, or an existing user account.
    15. Click Attach policy.
  5. For the next policy file included in the zip file:
    1. At the top of the screen, click Create Policy.
    2. Click the JSON tab.
    3. Paste the contents of the policy file into the text box.
    4. Click Review policy and correct any formatting errors.
    5. Add the name of the policy file and an optional description.
    6. Click Create policy.
    7. At the top of the policy list, type hpe into the search box.
    8. Select the policy file you created.
    9. From the Policy actions drop-down menu, select Attach.
    10. Select the IAM user account created in step 2, or an existing user account.
    11. Click Attach policy.
  6. Repeat step 5 for the remaining policy files.
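Because steps 3 to 6 detach one superseded policy and attach six separate ones, it is easy to finish with a file missing or with the old hpe-managed-account-policy.json still attached. The following Python check is an added example, not part of HPE's documentation: it reads the JSON that aws iam list-attached-user-policies --user-name prints for the IAM user and reports what is missing from the HPE set, what stale policy is still attached, and what else is attached beyond that set. The required names are the file names from the table above, following the procedure's convention of naming each IAM policy after its file; SAMPLE_LIST_OUTPUT is a constructed sample with a made-up account id, three HPE policies present, the superseded single-file policy still attached, and an unrelated broad managed policy.

```python
import json

# Policy names from the member-account table on this page; the procedure
# names each IAM policy after its file, so these are the expected PolicyName values.
REQUIRED_MANAGED_POLICIES = {
    "hpe-managed-account-policy.insights.json",
    "hpe-managed-account-policy.vmvending.json",
    "hpe-managed-account-policy.k8s.json",
    "hpe-managed-account-policy.catalog.json",
    "hpe-managed-account-policy.compliance.json",
    "hpe-managed-account-policy-alpha.discovery.json",
}

# The single-file policy that step 3 says must be detached before the new files go on.
SUPERSEDED_POLICIES = {"hpe-managed-account-policy.json"}


def _arn(name, account="123456789012"):
    # Constructed ARN shape for a customer-managed policy; the account id is made up.
    return "arn:aws:iam::%s:policy/%s" % (account, name)


# Constructed sample of the output of
#   aws iam list-attached-user-policies --user-name <user>
# (an AttachedPolicies list of PolicyName/PolicyArn objects). Three HPE files are
# attached, three are missing, the stale single-file policy was never detached,
# and an AWS-managed administrator policy is attached that no HPE file asks for.
SAMPLE_LIST_OUTPUT = json.dumps({
    "AttachedPolicies": [
        {"PolicyName": "hpe-managed-account-policy.insights.json",
         "PolicyArn": _arn("hpe-managed-account-policy.insights.json")},
        {"PolicyName": "hpe-managed-account-policy.vmvending.json",
         "PolicyArn": _arn("hpe-managed-account-policy.vmvending.json")},
        {"PolicyName": "hpe-managed-account-policy.k8s.json",
         "PolicyArn": _arn("hpe-managed-account-policy.k8s.json")},
        {"PolicyName": "hpe-managed-account-policy.json",
         "PolicyArn": _arn("hpe-managed-account-policy.json")},
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    ]
})


def audit_attached_policies(list_output, required=REQUIRED_MANAGED_POLICIES,
                            superseded=SUPERSEDED_POLICIES):
    """Compare the attached policy names against the HPE OneSphere set.

    list_output is either the JSON text printed by the CLI or the already
    parsed dict. Returns the missing required policies, stale superseded
    policies still attached, anything else attached that this page does not
    call for (worth a look, since HPE OneSphere needs only the listed files),
    and a single complete flag for use in a pre-connection check.
    """
    data = json.loads(list_output) if isinstance(list_output, str) else list_output
    attached = {p["PolicyName"] for p in data.get("AttachedPolicies", [])}
    stale = attached & superseded
    return {
        "missing": sorted(required - attached),
        "stale": sorted(stale),
        "unexpected": sorted(attached - required - superseded),
        "complete": required <= attached and not stale,
    }


if __name__ == "__main__":
    report = audit_attached_policies(SAMPLE_LIST_OUTPUT)
    for key in ("missing", "stale", "unexpected", "complete"):
        print("%-10s %s" % (key + ":", report[key]))
```

Run it against the real CLI output by piping aws iam list-attached-user-policies --user-name into the script's stdin or by passing the text to audit_attached_policies; a non-empty stale list means step 3 was skipped, and a non-empty missing list means step 6 was not carried through for every file in the zip.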

Next step: See Managing AWS public cloud accounts to create corresponding billing and public accounts in HPE OneSphere that will connect to your AWS accounts.