AWS
How to get Access key for AWS?
1. Log in to the AWS Management Console using the AWS master account (or a sub-account with AdministratorAccess privileges) and click the “IAM” menu item to enter the IAM Dashboard page.
2. Click the “Users” menu item on the left menu bar to enter the user management list, and click the username to enter that user's details page. Note that you need to select a user with sufficient administrative privileges.
3. Click on the “Security credentials” tab.
4. Click the “Create Access Key” button. The key information, i.e. Access Key ID and Access Key Secret, is shown in the Create Access Key dialog box that pops up.
Note
The private access key is visible only when it is created, so copy it and save it. If you accidentally lose it, create a new one.
AWS account permission requirements
Feature | Read-only permissions | Read-write permissions |
---|---|---|
All Features | ReadOnlyAccess | AdministratorAccess |
VM Instance, Security groups, Images, Snapshots, Disks | AmazonEC2ReadOnlyAccess | AmazonEC2FullAccess |
Project | - | - |
VPC, VPC Peering, Routing Table, NAT, Elastic NIC, EIP | AmazonVPCReadOnlyAccess | AmazonVPCFullAccess |
OSS | AmazonS3ReadOnlyAccess | AmazonS3FullAccess |
LB Instance | ElasticLoadBalancingReadOnly | ElasticLoadBalancingFullAccess |
RDS | AmazonRDSReadOnlyAccess | AmazonRDSFullAccess |
Redis | AmazonElastiCacheReadOnlyAccess | AmazonElastiCacheFullAccess |
Log | AWSCloudTrailReadOnlyAccess | AWSCloudTrail_FullAccess |
NAS | AmazonElasticFileSystemReadOnlyAccess | AmazonElasticFileSystemFullAccess |
WAF | AWSWAFReadOnlyAccess | AWSWAFFullAccess |
IAM | IAMReadOnlyAccess | IAMFullAccess |
DNS | AmazonRoute53DomainsReadOnlyAccess | AmazonRoute53DomainsFullAccess |
Billing | AWSBillingReadOnlyAccess | Cost Management Contributor |
Monitoring | CloudWatchReadOnlyAccess | CloudWatchFullAccess |
How do I get the Expense S3 Bucket URLs and file prefixes in the AWS platform?
New Version
AWS accounts created after 07/08/2019 must use this method to configure and obtain the URL and file prefix for the S3 bucket.
1. Sign in to the AWS Management Console using the AWS master account and click the “My Billing Dashboard” item in the [username] drop-down menu in the upper right corner to access the Billing and Cost Management Dashboard page.
2. Click “Cost & Usage Reports” on the left menu, and on the AWS Cost and Usage Reports page, click the “Create Report” button to enter the Create Report page.
3. Configure the report name, check “Include resource IDs”, and click the “Next” button to enter the Delivery Options page.
4. Configure the S3 storage bucket; you can select an existing bucket or create a new one.
5. Configure the report path prefix, choose “Hourly” for the time granularity, “Create new report version” for the report version, and “ZIP” for the compression type, and click the “Next” button to enter the audit page.
6. After confirming that the configuration is correct, record the S3 storage bucket and report path prefix in the red box, and click the “Review and Complete” button to complete the configuration and create the report.
7. In the S3 storage management page of the AWS console, view the overview information of any billing file in the corresponding storage bucket and record the object URL. The storage bucket URL is the URL with the file name removed from the back, as shown in the red box.
8. The file prefix is the report path prefix in the red box in step 6.
Old Version
1. Sign in to the AWS Management Console using the AWS master account and click the “My Billing Dashboard” item in the [username] drop-down menu in the upper right corner to access the Billing and Cost Management Dashboard page.
2. Click “Billing Preferences” on the left menu. On the Preferences page, under “Cost Management Preferences”, check and record the S3 bucket for “Receive Billing Reports”. If it is not configured, check “Receive Billing Reports”, then configure the S3 bucket and verify it. After the setting is completed, the incremental billing data is stored to the corresponding S3 bucket according to the set granularity. It is recommended that only billing files are stored in this bucket.
3. In the S3 storage management page of the AWS console, view the overview information of any billing file in the corresponding bucket and record the object URL. The bucket URL is the URL with the file name removed from the back, as shown in the red box.
4. The AWS file prefix is the AWS account ID.
Description
When the Expense S3 Bucket holds other files in addition to the billing files, the file prefix is needed to select only the billing files in the bucket.
How to manage AWS Organizations accounts?
- Configure AWS Organizations: Use the AWS organization account to associate AWS accounts. Creating new AWS accounts and inviting existing AWS accounts are both supported; an invited AWS account needs to have the “OrganizationAccountAccessRole” role.
- How to get Access Key for AWS: Create the access key for the IAM user of the administrative account on the AWS organization account; it is recommended to use a user with AdministratorAccess privileges.
Configure AWS Organizations
1. Log in to the AWS Management Console using the AWS Root user (or an IAM user with AdministratorAccess privileges) and click “My Organizations” in the drop-down menu to go to the AWS Organizations page.
2. On the AWS Organizations - AWS Accounts page, add an AWS account. Two ways of adding AWS accounts to Organizations are currently supported:
   - Create AWS account: Set the AWS account name, the email address of the account owner, and the IAM role name (OrganizationAccountAccessRole), and click the “Create AWS Account” button to create the AWS account.
   - Invite an existing AWS account: Set the email address or account ID of the AWS account to be invited, click the “Send Invitation” button, and wait for the account owner to receive the request to join Organizations. In addition, the existing AWS account must have the OrganizationAccountAccessRole role. If it does not, please refer to How to add the role of OrganizationAccountAccessRole in AWS account?.
How to get Access key for AWS?
- Get the access key on the administrative account of AWS Organizations. It is recommended to use an IAM user with AdministratorAccess privileges to create the access key.
- For the specific steps to obtain the access key, please refer to How to get Access key for AWS?.
How to add the role of OrganizationAccountAccessRole in AWS account?
1. Log in to the AWS Management Console using the AWS master account (or a sub-account with AdministratorAccess privileges) and click the “IAM” menu item to enter the IAM Control Panel page.
2. Click the “Roles” menu item on the right, and on the Roles page, click the “Create Role” button to enter the Create Role page.
3. Select the Trusted Entity type as “Another AWS Account”, fill in the account ID of the managed AWS organization, and click the “Next: Permissions” button.
4. On the Attach Permissions Policy page, select “AdministratorAccess” and click the “Next: Tags” button.
5. Configure the tags according to your requirements, and click the “Next: Review” button after the configuration is complete.
6. Configure the role name as “OrganizationAccountAccessRole” and click the “Create Role” button.
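Because the role created above carries AdministratorAccess, its trust policy is the only thing deciding who can use it. The following check is an added example, not part of the original page or of any product's code: it audits a trust policy document and reports every principal other than the expected management account. The function names and the account ID 111122223333 are placeholders assumed for illustration, and Condition elements are not evaluated.

```python
import json
import re

# Constructed sample: the trust policy shape for a role whose trusted entity is
# "Another AWS account". 111122223333 is a placeholder management account ID.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Return the 12-digit account ID of an AWS principal (bare ID or IAM ARN), else None."""
    m = re.fullmatch(r"(\d{12})|arn:aws[a-z-]*:iam::(\d{12}):.+", principal)
    return (m.group(1) or m.group(2)) if m else None

def audit_trust_policy(policy_json, management_account_id):
    """List every way the role can be assumed by anyone other than the management account."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # "*" or a missing Principal (e.g. NotPrincipal) is never expected here.
            findings.append(f"statement {i}: principal is {principal!r}")
            continue
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS":
                    findings.append(f"statement {i}: unexpected {kind} principal {p}")
                elif _account_of(p) != management_account_id:
                    findings.append(f"statement {i}: trusts {p}, not {management_account_id}")
    return findings

if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_TRUST_POLICY, "111122223333") or ["ok"]:
        print(finding)
```

The policy document to feed in is the one shown on the role's “Trust relationships” tab in the IAM console.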