Access Key Setup

To set up an AWS Integration using access keys, you need to perform actions in both AWS and in Virtana Platform. In AWS, you must create a read-only user, set permissions for that user, and copy the user security credentials. You then create an AWS Integration in Virtana Platform and enter the credentials you copied from AWS.

You can create a read-only user with standard permissions or with minimal permissions in AWS.

Steps

Inline policies provide a one-to-one relationship between a specific policy and a specific user, role, or group. In this case, the inline policy will be embedded in the IAM Role when that role is created.

  1. In your AWS Console, search for IAM, and select the IAM service.

  2. In the navigation pane, select Access Management > Policies and click Create Policy.

  3. Select the JSON tab and replace the default content with the following code:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "ce:Get*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    
  4. Click Next: Tags and add any needed tags.

    Adding tags is optional.

  5. Click Next: Review and provide a descriptive Name for the policy.

    Example: CostExplorerAPIReadOnly

  6. Make a note of the policy name, review the permissions summary, and click Create Policy.

    You will need the policy name to attach this customer managed policy to your IAM role.

Inline policies provide a one-to-one relationship between a specific policy and a specific user, role, or group. In this case, the inline policy will be embedded in the IAM Role when that role is created.

  1. In your AWS Console, search for IAM, and select the IAM service.

    The Identity and Access Management (IAM) dashboard displays.

  2. In the navigation pane, select Access Management > Policies and click Create Policy.

  3. Select the JSON tab and replace the default content with the following code:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "cur:DescribeReportDefinitions",
          "Resource": "*"
        }
      ]
    }
    
  4. Click Next: Tags and add any needed tags.

    Adding tags is optional.

  5. Click Next: Review and provide a descriptive Name for the policy.

    Example: ReadCostAndUsageReportDefinitions

  6. Make a note of the policy name, review the permissions summary, and click Create Policy.

    You will need the policy name to attach this customer managed policy to your IAM role.

You must create a read-only user. You can create a user with standard permissions, with minimal permissions, or with management account permissions.

Complete ONE of the following three tasks.

Standard permissions grant blanket read-only access to collect CloudWatch performance metrics and billing files from S3.

  1. In your AWS Console, search for IAM, and select the IAM service.

  2. In the navigation pane under Access management, click Users.

    A list of users displays.

  3. Click Add Users and enter a User Name.

    Example: VPOptimize-user

  4. For Select AWS access type, select Access key - Programmatic access.

  5. Click Next: Permissions, and then click the Attach existing policies directly tab.

  6. Search “readonly,” then select the check box for ReadOnlyAccess.

    Be sure to select the checkbox. Selecting the policy name displays details about the policy.

    If the policy does not display, you might need to reset the Filter policies settings.

  7. Attach to the user the 2 in-line policies you previously created:

    1. Click Filter policies and select Customer managed.

    2. Clear any text in the search field.

    3. Find and click the checkbox to select the Cost Explorer in-line policy you created.

      Example: CostExplorerAPIReadOnly

    4. Find and click the checkbox to select the Cost and Usage Reports in-line policy you created.

      Example: ReadCostAndUsageReportDefinitions

  8. Click Next: Tags and add tags if you choose to.

    Adding tags is optional.

  9. Click Next: Review, review the details, and then click Create User.

  10. Immediately download or copy the User Security Credentials.

    You need these authentication parameters to complete the AWS integration in Virtana Platform.

    Important

    You will not be able to access the Secret Access Key again in AWS, so it is recommended that you download and securely save the credentials now.

  11. Click Close.

  12. Navigate to AWS Cost Management > Reports and click the name of the report to be used by Virtana Platform as the source of detailed billing data.

  13. On the Report Details page, make note of the S3 bucket name and the report path prefix.

    This information must be entered in the Optimize integration setup form to complete the integration setup.

Next Steps

Enter the AWS Values in Virtana Platform

This setup method grants read-only access to collect CloudWatch performance metrics and billing files. It is limited to only the AWS services for which Virtana Platform Optimize provides cost reports.

If you want to use a limited read-only access policy, you need to create a custom policy first.

  1. In your AWS Console, search for IAM, and select the IAM service.

  2. In the navigation pane under Access management, click Policies and click Create Policy.

  3. Select the JSON tab and replace the default content with the following code:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "cloudwatch:Describe*",
            "ec2:Get*",
            "ec2:Describe*",
            "elasticloadbalancing:Describe*",
            "iam:Get*",
            "rds:Describe*",
            "rds:List*",
            "s3:Get*",
            "s3:List*",
            "s3:Describe*",
            "tag:Get*",
            "tag:Describe*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
    
  4. Click Next: Tags and add tags if you choose to.

    Adding tags is optional.

  5. Click Next: Review, add a policy Name and Description and verify the Summary.

    Example: MinimalReadonlyAccessKey

  6. Click Create Policy.

    The policy will now be available under Customer Managed Policies.

  7. Return to the IAM dashboard in AWS and navigate to the Users section.

  8. Click Add Users and enter a User Name.

    Example: VPOptimizeUser

  9. Under Select AWS access type, select Access Key - Programmatic access and then click Next: Permissions.

  10. Click the tab Attach existing policies directly.

  11. Attach to the user the read-only policy and the 2 in-line policies you created:

    1. Click Filter policies and select Customer managed.

    2. Clear any text in the search field.

    3. Locate the 3 policies in the list and select the checkboxes to attach the permissions to the role.

      • Minimal permissions

        Example: MinimalReadonlyAccessKey

      • In-line policy for cost explorer API access

        Example: CostExplorerAPIReadOnly

      • In-line policy for cost and usage report read access

        Example: ReadCostAndUsageReportDefinitions

      Be sure to select the checkbox. Selecting the policy name displays details about the policy.

  12. Select Create user without a permissions boundary.

  13. Click Next: Tags and add tags if you choose to.

    Adding tags is optional.

  14. Click Next: Review, verify the details, and then click Create User.

  15. Immediately download or copy the Access key ID and Secret access key.

    You need these authentication parameters to complete the AWS integration in Virtana Platform.

    Important

    You will not be able to access the Secret Access Key again in AWS, so it is recommended that you download and securely save the credentials now.

  16. Click Close.

  17. Navigate to AWS Cost Management > Reports and click the name of the report to be used by Virtana Platform as the source of detailed billing data.

  18. On the Report Details page, make note of the S3 bucket name and the report path prefix.

    This information must be entered in the Optimize integration setup form to complete the integration setup.

Next Steps

Enter the AWS Values in Virtana Platform

This setup method provides a shared management account with limited access. It grants read-only access to collect billing files from a single S3 bucket that can be located in a management account.

The management account permissions are useful if you store billing files in a shared management account and need to grant Optimize restricted access to one specific S3 bucket.

Note

Optimize only reads the costs for accounts that Optimize monitors. Data for unrelated accounts is discarded.

About This Task

As part of this task you will create a policy and a user. You must copy the Cost & Usage Report S3 bucket name, report path prefix, Access Key ID, and Secret Access Key to enter in Virtana Platform.

Prerequisites

You need the name of the AWS bucket associated with your CUR files.

Steps

  1. In your AWS Console, search for IAM, and select the IAM service.

  2. In the navigation pane, select Access Management > Policies and click Create Policy.

  3. Switch to the JSON tab, replace the existing content with the following code, and replace 2 instances of your-bucket-name in the code with the name of the bucket associated with your CUR files.

    Example: Eng_bucket

    There are two instances of your-bucket-name that need replacing.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-bucket-name"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::your-bucket-name/*"
          ]
        }
      ]
    }

  4. Click Next: Review and provide a descriptive Name for the policy.

    Example: EngBucketReadOnly

  5. Make a note of the policy name, review the permissions summary, and click Create Policy.

    You will need the policy name to attach this customer managed policy to your IAM role.

  6. Return to the IAM dashboard in AWS and navigate to the Users section.

  7. Click Add Users and enter a User Name.

    Example: VPOptimizeUser

  8. Under Select AWS access type, select Access Key - Programmatic access and then click Next: Permissions.

  9. Click the tab Attach existing policies directly.

  10. Attach to the user the read-only policy and the 2 in-line policies you created:

    1. Click Filter policies and select Customer managed.

    2. Clear any text in the search field.

    3. Locate the 3 policies in the list and select the checkboxes to attach the permissions to the role.

      Be sure to select the checkbox. Selecting the policy name displays details about the policy.

      • Minimal permissions

        Example: MinimalReadonlyAccessKey

      • In-line policy for cost explorer API access

        Example: CostExplorerAPIReadOnly

      • In-line policy for cost and usage report read access

        Example: ReadCostAndUsageReportDefinitions

  11. Select Create user without a permissions boundary.

  12. Click Next: Tags and add tags if you choose to.

    Adding tags is optional.

  13. Click Next: Review, verify the details, and then click Create User.

  14. Immediately download or copy the Access key ID and Secret access key.

    You need these authentication parameters to complete the AWS integration in Virtana Platform.

    Important

    You will not be able to access the Secret Access Key again in AWS, so it is recommended that you download and securely save the credentials now.

  15. Click Close.

  16. Navigate to AWS Cost Management > Reports and click the name of the report to be used by Virtana Platform as the source of detailed billing data.

  17. On the Report Details page, make note of the S3 bucket name and the report path prefix.

    This information must be entered in the Optimize integration setup form to complete the integration setup.
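
An offline check for the bucket-scoped policy from step 3 of this task, added here as an example and not part of the Virtana documentation. It fills in both your-bucket-name instances, then flags any leftover placeholder, any action that is not a Get/List/Describe call, and s3:ListBucket or s3:GetObject paired with the wrong ARN shape; the same action check applies to the minimal permissions policy. The function names, the bucket name example-cur-bucket, and the read-verb heuristic are assumptions made for this example.

```python
import json
import re

PLACEHOLDER = "your-bucket-name"
# Heuristic for "read-only": the verb after the service prefix starts with Get, List or Describe.
READ_VERB = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)")
BUCKET_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::your-bucket-name"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::your-bucket-name/*"]}
  ]
}"""

def _as_list(value):  # IAM accepts a single string or a list for Action and Resource
    return value if isinstance(value, list) else [value]

def render(bucket):
    """Replace both placeholder instances and parse the result as JSON."""
    return json.loads(BUCKET_POLICY_TEMPLATE.replace(PLACEHOLDER, bucket))

def audit(policy):
    """Report non-read actions, leftover placeholders and mismatched S3 ARN shapes."""
    findings = []
    for n, stmt in enumerate(_as_list(policy["Statement"]), start=1):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if not READ_VERB.match(action):
                findings.append(f"statement {n}: {action} is not a read action")
        for arn in resources:
            if PLACEHOLDER in arn:
                findings.append(f"statement {n}: placeholder left in {arn}")
            if arn.startswith("arn:aws:s3:::"):  # "*" has no bucket/object shape
                is_object_arn = "/" in arn.split(":::", 1)[1]
                if "s3:ListBucket" in actions and is_object_arn:
                    findings.append(f"statement {n}: s3:ListBucket on object ARN {arn}")
                if "s3:GetObject" in actions and not is_object_arn:
                    findings.append(f"statement {n}: s3:GetObject on bucket ARN {arn}")
    return findings

# Constructed inputs: a hypothetical bucket name and a deliberately wrong policy.
GOOD = render("example-cur-bucket")
BAD = {"Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject"],
                      "Resource": "arn:aws:s3:::your-bucket-name/*"}]}
if __name__ == "__main__":
    print(audit(GOOD) or "policy OK", *audit(BAD), sep="\n")
```

An empty list from audit() means the policy passed all three checks; it does not confirm that the bucket exists or that the user can reach it.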

Next Steps

Enter the AWS Values in Virtana Platform