Add AWS Cloud Accounts

To manage your Amazon Web Services (AWS) account's resources in Commander, add the cloud account and specify the method Commander uses to connect to it.

The following methods are available:

  • Static credentials
  • An IAM role and instance profile
  • AssumeRole

Important: See Get started with AWS for a list of tasks to complete before adding an AWS cloud account.

Add AWS cloud accounts using static credentials

You can provide static credentials to access your AWS cloud account. This is the most common way to add an AWS cloud account.

This method requires your Commander installation to be hosted on an on-premises server.

Access:

Views > Inventory > Infrastructure, Applications, or Storage tab

Available to:

Commander Roles of Superuser and Enterprise Admin

  1. Click the root node of the inventory tree.
  2. At the top of the Summary page, click Add Cloud Account.
  3. In the Add Cloud Account dialog, from the Cloud Account Type field, select Amazon Web Services.
  4. In the Name field, enter a name for the cloud account.

    Service Portal users may see this name if they have permission.

  5. To authenticate with AWS, do the following:
    • In the Access Key ID field, enter the access key ID from your AWS credentials.
    • In the Secret Access Key field, enter the secret access key from your AWS credentials.
  6. If your account is authorized for GovCloud, enable AWS GovCloud Account.

    AWS GovCloud Region accounts can be obtained only by individuals or entities that qualify as U.S. Persons under applicable regulations.

  7. In the Update Frequency field, enter a value from 10 to 180 minutes.

    By default, Commander retrieves updates from AWS every 60 minutes.

    More frequent updates (meaning lower values for this setting) may impact performance, especially in large installations.

  8. If the Commander server is behind a firewall, enable Use Public Cloud Proxy.
  9. If you haven't already integrated your proxy server with Commander, click Add Public Cloud Proxy Server and configure the proxy. For instructions, see Connect Public Clouds through Web Proxy Servers.

  10. If you want to synchronize AWS tags and custom attributes, for Sync Tags and Custom Attributes, click Configure.

    In the Synchronize AWS Tags and Commander Custom Attributes dialog, configure the following settings, and click OK:

    • Enable Import AWS Tags as Commander Custom Attributes and Export Commander Custom Attributes as AWS Tags as required.
    • To exclude certain AWS tags and custom attributes from synchronization, enter them as a comma-separated list in the Excluded Tags/Custom Attributes text field.

      Tags prefixed with "aws:" are reserved for AWS and are automatically excluded from synchronization. Commander form-type custom attributes are also automatically excluded.

      For more information, see Synchronizing AWS Tags and Commander Metadata.

  11. If you want to assume a role from a different account (use AssumeRole) instead of using permanent credentials or roles in the managed account, click Advanced Configuration.

    In the Advanced AWS Configuration dialog, configure the following settings, and click OK:

    1. In the Role ARN field, enter the Amazon Resource Name (ARN) of the role to assume.
    2. In the Default Region field, enter the default region to connect to.
    3. Use AMI Sync to select the Amazon Machine Images (AMIs) you want to synchronize into Commander's inventory. Select All, None, or specify AMI tags and values to synchronize. Both the Tag and Value fields are case-sensitive, and the following characters are allowed: letters, numbers, spaces, +, -, =, ., :, /, and @. The Tag field must match the AMI tag exactly. In the Value field, use the wildcard "?" to match a single character and "*" to match zero or more characters. A "*" in the Value field therefore matches all images that have the specified Tag, and an empty Value field matches images that have the specified Tag with no value set.

      AMIs that are linked to service catalog entries must be synchronized.

  12. Click OK.

Add AWS cloud accounts using an IAM role and instance profile

You can use an Identity and Access Management (IAM) role and instance profile to access your AWS cloud account.

This method requires the following:

  • Your Commander installation is hosted on an AWS EC2 instance and an IAM role and policy are specified on that EC2 instance.
  • The EC2 instance where Commander is running must also have an IAM role specified as the instance profile.
  • The IAM role must have permissions to manage the desired AWS accounts.

Access:

Views > Inventory > Infrastructure, Applications, or Storage tab

Available to:

Commander Roles of Superuser and Enterprise Admin

  1. Click the root node of the inventory tree.
  2. At the top of the Summary page, click Add Cloud Account.
  3. In the Add Cloud Account dialog, from the Cloud Account Type field, select Amazon Web Services.
  4. In the Name field, enter a name for the cloud account.

    Service Portal users may see this name if they have permission.

  5. Leave the Access Key ID and Secret Access Key fields blank.

    This information isn't required when the cloud account is authenticated through IAM roles and instance profiles.

  6. If your account is authorized for GovCloud, enable AWS GovCloud Account.

    AWS GovCloud Region accounts can be obtained only by individuals or entities that qualify as U.S. Persons under applicable regulations.

  7. In the Update Frequency field, enter a value from 10 to 180 minutes.

    By default, Commander retrieves updates from AWS every 60 minutes.

  8. If the Commander server is behind a firewall, enable Use Public Cloud Proxy.
  9. If you haven't already integrated your proxy server with Commander, click Add Public Cloud Proxy Server and configure the proxy. For instructions, see Connect Public Clouds through Web Proxy Servers.

  10. If you want to synchronize AWS tags and custom attributes, for Sync Tags and Custom Attributes, click Configure.

    In the Synchronize AWS Tags and Commander Custom Attributes dialog, configure the following settings, and click OK:

    • Enable Import AWS Tags as Commander Custom Attributes and Export Commander Custom Attributes as AWS Tags as required.
    • To exclude certain AWS tags and custom attributes from synchronization, enter them as a comma-separated list in the Excluded Tags/Custom Attributes text field.

      Tags prefixed with "aws:" are reserved for AWS and are automatically excluded from synchronization. Commander form-type custom attributes are also automatically excluded.

      For more information, see Synchronizing AWS Tags and Commander Metadata.

  11. Click Advanced Configuration, configure the following settings in the Advanced AWS Configuration dialog, and click OK:
    1. In the Role ARN field, enter the Amazon Resource Name (ARN) of the role to assume.
    2. In the Default Region field, enter the default region to connect to.
    3. Use AMI Sync to select the Amazon Machine Images (AMIs) you want to synchronize into Commander's inventory. Select All, None, or specify AMI tags and values to synchronize. Both the Tag and Value fields are case-sensitive, and the following characters are allowed: letters, numbers, spaces, +, -, =, ., :, /, and @. The Tag field must match the AMI tag exactly. In the Value field, use the wildcard "?" to match a single character and "*" to match zero or more characters. A "*" in the Value field therefore matches all images that have the specified Tag, and an empty Value field matches images that have the specified Tag with no value set.

      AMIs that are linked to service catalog entries must be synchronized.

  12. Click OK.

Add AWS cloud accounts using AssumeRole

You can use AssumeRole to access your AWS cloud account instead of using static credentials or roles in the cloud account. AssumeRole can be thought of as sudo for AWS: when you use it, the resources displayed for the cloud account depend on the permissions granted to the role that is assumed, not on the permissions of the identity that authenticated.

This method of connecting to an AWS cloud account requires:

  • An Amazon Resource Name (ARN) of the role to assume.
  • The account ID to connect to.

For example: arn:aws:iam::XXXXXXXXXX:role/RoleName.

To add an AWS cloud account using AssumeRole, you can either provide static credentials or an IAM role and instance profile for authentication:

  • If static credentials are provided, they are used to authenticate to AWS, and AssumeRole is then used to obtain the set of temporary credentials required to connect to the account. In this case, your Commander installation can be hosted on premises or in the cloud.
  • If static credentials are not provided, AWS authentication must be done with the IAM role of the instance Commander is running on. In this case, your Commander installation must be hosted on an AWS EC2 instance, and an IAM role and policy must be specified on the EC2 instance where Commander is running.
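Whichever identity Commander authenticates with, the AssumeRole call succeeds only if the target role's trust policy names that identity as a principal. The trust policy below is an added example, not configuration taken from the Commander documentation: it belongs on the role in the managed account, and the account ID 111122223333 and the role name CommanderInstanceRole are placeholders for the account and the IAM role (or, with static credentials, the IAM user) that Commander runs as.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PlaceholderPrincipalTrustedToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CommanderInstanceRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Naming the specific Commander role or user as the principal, rather than the account root (arn:aws:iam::111122223333:root), keeps every other identity in that account from assuming the role; the permissions policy attached to the role then decides which resources Commander can see.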

Access:

Views > Inventory > Infrastructure, Applications, or Storage tab

Available to:

Commander Roles of Superuser and Enterprise Admin

  1. Click the root node of the inventory tree.
  2. At the top of the Summary page, click Add Cloud Account.
  3. In the Add Cloud Account dialog, from the Cloud Account Type field, select Amazon Web Services.
  4. In the Name field, enter a name for the cloud account.

    Service Portal users may see this name if they have permission.

  5. To authenticate with AWS, do one of the following:
    1. If you want to provide static credentials:
      • For Access Key ID, enter the access key ID from your AWS credentials.
      • For Secret Access Key, enter the secret access key from your AWS credentials.
    2. If you want to use the IAM role of the instance Commander is running on (instead of providing static AWS credentials), leave the Access Key ID and Secret Access Key fields blank.
  6. If your account is authorized for GovCloud, enable AWS GovCloud Account.

    AWS GovCloud Region accounts can be obtained only by individuals or entities that qualify as U.S. Persons under applicable regulations.

  7. In the Update Frequency field, enter a value from 10 to 180 minutes.

    By default, Commander retrieves updates from AWS every 60 minutes.

  8. If the Commander server is behind a firewall, enable Use Public Cloud Proxy.
  9. If you haven't already integrated your proxy server with Commander, click Add Public Cloud Proxy Server and configure the proxy. For instructions, see Connect Public Clouds through Web Proxy Servers.

  10. If you want to synchronize AWS tags and custom attributes, for Sync Tags and Custom Attributes, click Configure.

    In the Synchronize AWS Tags and Commander Custom Attributes dialog, configure the following settings, and click OK:

    • Enable Import AWS Tags as Commander Custom Attributes and Export Commander Custom Attributes as AWS Tags as required.
    • To exclude certain AWS tags and custom attributes from synchronization, enter them as a comma-separated list in the Excluded Tags/Custom Attributes text field.

      Tags prefixed with "aws:" are reserved for AWS and are automatically excluded from synchronization. Commander form-type custom attributes are also automatically excluded.

      For more information, see Synchronizing AWS Tags and Commander Metadata.

  11. Click Advanced Configuration, configure the following settings in the Advanced AWS Configuration dialog, and click OK:
    1. In the Role ARN field, enter the Amazon Resource Name (ARN) of the role to assume.
    2. In the Default Region field, enter the default region to connect to.
    3. Use AMI Sync to select the Amazon Machine Images (AMIs) you want to synchronize into Commander's inventory. Select All, None, or specify AMI tags and values to synchronize. Both the Tag and Value fields are case-sensitive, and the following characters are allowed: letters, numbers, spaces, +, -, =, ., :, /, and @. The Tag field must match the AMI tag exactly. In the Value field, use the wildcard "?" to match a single character and "*" to match zero or more characters. A "*" in the Value field therefore matches all images that have the specified Tag, and an empty Value field matches images that have the specified Tag with no value set.

      AMIs that are linked to service catalog entries must be synchronized.

  12. Click OK.

Set up your AWS account with Amazon Cost Explorer

You can enable Amazon Cost Explorer at the root level on your payer account. This gives Commander access to the data needed to run the Reserved Instance Coverage, Reserved Instance Recommendations, and Reserved Instance Utilization reports. To enable Cost Explorer:

  1. Log in to the AWS Management Console page using your AWS payer account credentials. For more information, see AWS Management Console in the AWS documentation.
  2. Search for AWS Cost Explorer.
  3. On the Welcome to Cost Explorer page, select Enable Cost Explorer.
  4. Optional: In the left menu of the AWS Cost Management page, click Preferences and enable Linked Account Access.

    This will automatically enable all linked accounts. If you disable this preference, data for linked accounts will be retrieved through the payer account and the payer account must be in Commander.

  5. Use an IAM policy that grants the Commander user the following Cost Explorer permissions:
    • GetReservationCoverage — Allows data to be retrieved for the Reserved Instance Coverage report.
    • GetReservationPurchaseRecommendation — Allows data to be retrieved for the Reserved Instance Recommendations report.
    • GetReservationUtilization — Allows data to be retrieved for the Reserved Instance Utilization report.

    For more information on IAM roles, see Configure an Instance Profile.
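The following identity-based policy grants exactly the three Cost Explorer permissions listed in step 5 and nothing else. It is an added example, not a policy shipped with Commander; the actions live in the ce: IAM namespace, and because the GetReservation* actions have no resource-level scoping, Resource has to be "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CommanderCostExplorerReservedInstanceReports",
      "Effect": "Allow",
      "Action": [
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this policy to the IAM user whose access key you entered in Commander, or to the instance-profile role when Commander authenticates without static credentials; keeping it separate from the role's resource-management permissions makes it easy to revoke Cost Explorer access on its own.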