Cloud Labs: Bring Your Own AWS Account

Steps to grant Vocareum permission to use your AWS account

Written by David
Updated over 2 weeks ago

In order for Vocareum to provision AWS resources in Cloud Labs, you will need to grant Vocareum permission to manage relevant aspects of your AWS organization. Permission is configured using AWS Identity and Access Management (IAM).

Please refer to the following AWS documentation for further context: 'IAM users' and 'Access to AWS accounts owned by third parties'.

This guide details how to create a Vocareum administrator IAM role or IAM user in your accounts and enable billing reports.

Vocareum supports use of either an IAM role or an IAM user to access your AWS account(s). Based on your preference, carry out the steps in one of the following two sections: 'Create the Vocareum Administrator IAM Role' or 'Create the Vocareum Administrator IAM User'.

Once you have created the required IAM user or role, proceed to the section: Enable Billing Reports.

Create the Vocareum Administrator IAM Role

1. Starting with an unused AWS payer account, navigate to IAM roles in the AWS console and create a new role.


2. Choose Another AWS account from the four options presented. In the Account ID field, please enter 117530877863 and verify that the number was entered correctly before proceeding. Optionally, you can check the option 'Require external ID' and enter a string in the field.

Click 'Next'.


3. We will add the permission after the role is created. Skip Add permission for now and click 'Next' at the end of the page.


4. Please enter vocareumadmin as the Role name. The role name must be entered correctly for us to assume the role. You may enter 'Admin Access for Vocareum' in the Description but this is not required.

Again, we do not add permissions in this step. You may add tags if needed.

Click 'Create role' to finish creating the role.


5. After the role is created, open the Permissions tab, click 'Add permissions' and select 'Select inline policy'.

Choose JSON format and copy and paste the following policy into the policy editor:

Please replace my-billing-bucket with the name of your billing bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*",
        "organizations:MoveAccount",
        "organizations:CreateAccount",
        "organizations:CreatePolicy",
        "organizations:UpdatePolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::my-billing-bucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/vocareum",
        "arn:aws:iam::*:role/voclabs"
      ]
    }
  ]
}

Click 'Next'.

Enter 'vocareumadmin-policy' as the policy name (the name is not critical).

Then click 'Create policy' to create the policy.


6. Back on the 'vocareumadmin' role page, edit the maximum session duration from 1 hour to 12 hours.

Click 'Edit'.

Set the duration to 12 hours, then click 'Save changes'.

The 'vocareumadmin' role setup is completed.


7. Go to the Vocareum Control Center Payers page. Click 'Add new payer' to add your new BYO payer.

Enter the payer account ID, select 'IAM Role' in the Access selection, enter the optional 'External Id' (a string that Vocareum can pass in when assuming the vocareumadmin role for additional security) and the other required information. Click 'Save'.

The 'IAM Role' setup is completed.

Please proceed to the section: Enable Billing Reports.


Create the Vocareum Administrator IAM User

NOTE: You can choose to create the required Vocareum Administrator either as an IAM User or an IAM Role. You do not need to create both.

1. Starting with an unused AWS payer account, navigate to IAM Policies in the AWS console and create a new policy.


2. Choose JSON format and copy and paste the following policy into the policy editor:

Please replace my-billing-bucket with the name of your billing bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*",
        "organizations:MoveAccount",
        "organizations:CreateAccount",
        "organizations:CreatePolicy",
        "organizations:UpdatePolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::my-billing-bucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/vocareum",
        "arn:aws:iam::*:role/voclabs"
      ]
    }
  ]
}

Click 'Next'.


3. Enter 'vocareumadmin-policy' as the policy name. Optionally enter a description. Then go to the end of the page and click 'Create policy' to create the policy.


4. Please create an IAM user named vocareumadmin. Vocareum will access the BYO payer account via API using the vocareumadmin user credentials. Leave the 'Provide user access to the AWS Management Console' checkbox unchecked. We will create an access key for vocareumadmin after the user is created.

Click 'Next'.


5. Next, under Set permissions, choose 'Attach policies directly' and select the 'vocareumadmin-policy' that we created earlier.

Click 'Next' to continue and then click 'Create user'.


6. Open the 'vocareumadmin' user page and click 'Create access key'.

Choose 'Other'. Click 'Next' to continue.

Optionally set a description tag, then click 'Create access key'.

Store the generated access key ID and secret access key in a secure way. We will enter them in the Vocareum Control Center Payers page.


7. Go to the Vocareum Control Center Payers page. Click 'Add new payer' to add your new BYO payer.

Enter the payer account ID, select 'IAM User' in the Access selection, enter the access key ID, secret access key, and the other required information. Click 'Save'.

The 'IAM User' setup is completed.


Enable Billing Reports

1. Click on your account name in the navigation bar to open the drop-down menu. Then, click My Account to navigate to the account settings page.


2. Scroll down to the IAM User and Role Access to Billing Information section.

Check the box next to Activate IAM Access and then click Update.


3. In the Billing and Cost Management Console, choose 'Billing Preferences' from the left panel.

Click 'Edit' to configure your billing bucket to receive the bill files.


4. In the S3 Console, enable the vocareumadmin role to retrieve bill files from your billing bucket by doing the following:

Choose your billing bucket from the S3 console, then choose the 'Permissions' tab and scroll to the Bucket policy section.

Click 'Edit' to edit the bucket policy, then add the following statement to the policy:

{
  "Sid": "StmtPayerAccess",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<<your payer account id>>:role/vocareumadmin"
  },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::<<your billing bucket>>/*"
}

Save the changes to update the policy.
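The following script is an added example, not code from the Vocareum article: it builds the trust policy that the 'Another AWS account' step (role step 2) produces, and audits a role definition and the billing-bucket statement from billing step 4 offline. The Vocareum account ID, role name, 12-hour session and placeholder strings are taken from the article; the function names and the constructed test inputs are assumptions.

```python
"""Added example, not from the Vocareum article: builds the vocareumadmin trust
policy and audits the role and billing-bucket policies offline."""
import json

VOCAREUM_ACCOUNT = "117530877863"   # account ID entered in role step 2
SESSION_SECONDS = 12 * 3600         # role step 6: 12-hour maximum session
PLACEHOLDERS = ("my-billing-bucket", "<<")  # literals the article says to replace


def build_trust_policy(external_id=None):
    """Trust policy the console writes for 'Another AWS account'. The optional
    external-ID condition stops a third party who knows only the role ARN from
    having Vocareum assume the role on their behalf (confused deputy)."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{VOCAREUM_ACCOUNT}:root"},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def audit_role(trust_doc, permission_doc, max_session_seconds):
    """Findings for the vocareumadmin role; an empty list means it matches."""
    findings = []
    for stmt in trust_doc["Statement"]:
        if VOCAREUM_ACCOUNT not in json.dumps(stmt.get("Principal", {})):
            findings.append("trust policy allows a principal other than Vocareum")
        if "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
            findings.append("trust policy does not require an external ID")
    if max_session_seconds != SESSION_SECONDS:
        findings.append(f"max session {max_session_seconds}s, expected {SESSION_SECONDS}s")
    if any(p in json.dumps(permission_doc) for p in PLACEHOLDERS):
        findings.append("billing bucket placeholder not replaced in permission policy")
    return findings


def audit_bucket_policy(bucket_doc, payer_account_id, bucket):
    """Check the statement from billing step 4: the payer account's vocareumadmin
    role gets s3:GetObject on <bucket>/* and nothing wider."""
    want_principal = f"arn:aws:iam::{payer_account_id}:role/vocareumadmin"
    for stmt in bucket_doc["Statement"]:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("AWS") != want_principal:
            continue  # statements for other principals are out of scope here
        findings = []
        if stmt.get("Action") != "s3:GetObject":
            findings.append(f"unexpected action {stmt.get('Action')} for vocareumadmin")
        if stmt.get("Resource") != f"arn:aws:s3:::{bucket}/*":
            findings.append(f"unexpected resource {stmt.get('Resource')} for vocareumadmin")
        return findings
    return [f"no bucket policy statement for {want_principal}"]
```

Feed it the trust policy, permission policy and maximum session duration you read back from IAM after finishing the steps; any finding points at the step to revisit.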


When you have completed these steps, please send an email to support@vocareum.com with the account number of your AWS payer account.
