Cloud Labs - Bring Your Own (BYO) AWS Account

Steps to grant Vocareum permission to use your AWS account(s)

Written by David
Updated over 3 months ago

In order for Vocareum to manage your AWS account(s), please use this guide, which details how to create a Vocareum administrator IAM role or user in your accounts and enable billing reports.

Vocareum supports the use of either an IAM role or an IAM user to access your accounts.

To use an IAM role, please refer to the section "To create the Vocareum administrator role, please take the following steps:".

To use an IAM user, please refer to the section "To create the Vocareum administrator IAM user, please take the following steps:".

To create the Vocareum administrator role, please take the following steps:

1. Starting with an unused AWS payer account, navigate to IAM roles in the AWS console and create a new role.


2. Choose Another AWS account from the four options presented. In the Account ID field, please enter 117530877863 and verify that the number was entered correctly before proceeding. Optionally, you can check the option 'Require external ID' and enter a string in the field.

Click 'Next'.


3. We will add the permission after the role is created. Skip Add permission for now and click 'Next' at the end of the page.


4. Please enter vocareumadmin as the Role name. The role name must be entered correctly for us to assume the role. You may enter 'Admin Access for Vocareum' in the Description but this is not required.

Again, we do not add the permission in this step. You may add tags if needed.

Click 'Create role' to finish creating the role.


5. After the role is created, go to the Permission tab, click 'Add permissions' and select 'Select inline policy'.

Choose JSON format and cut and paste the following policy into the policy editor:

Please replace my-billing-bucket with the name of your billing bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:Describe*",
                "organizations:List*",
                "organizations:MoveAccount",
                "organizations:CreateAccount",
                "organizations:CreatePolicy",
                "organizations:UpdatePolicy",
                "organizations:AttachPolicy",
                "organizations:DetachPolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::my-billing-bucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/vocareum",
                "arn:aws:iam::*:role/voclabs"
            ]
        }
    ]
}

Click 'Next'.

Enter 'vocareumadmin-policy' as the policy name (the name is not critical).

Then click 'Create policy' to create the policy.


6. Back on the 'vocareumadmin' role page, edit the maximum session duration from 1 hour to 12 hours.

Click 'Edit'.

Set the duration to 12 hours, then click 'Save changes'.

The 'vocareumadmin' role setup is completed.


7. Go to the Vocareum Control Center Payers page. Click 'Add new payer' to add your new BYO payer.

Enter the payer account ID, select 'IAM Role' in the Access selection, and enter the optional 'External Id' (a string that Vocareum can pass in when assuming the vocareumadmin role for additional security) and other required information. Click 'Save'.

The 'IAM Role' setup is completed.
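To confirm what steps 2 to 7 produced, you can review the role's trust policy (the JSON on the role's 'Trust relationships' tab). The check below is an added example, not Vocareum's code: it reports any trusted principal outside account 117530877863 and any Allow statement without an external ID condition. The sample document and the function names are assumptions; the sample is a constructed policy in the shape the console is assumed to generate for "Another AWS account" with 'Require external ID' checked.

```python
import json

VOCAREUM_ACCOUNT_ID = "117530877863"  # account ID given in step 2 of this guide

# Constructed sample (assumed console output, with a made-up external ID).
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::117530877863:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}
""")


def _as_list(value):
    """IAM JSON allows a single value where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Return the account ID of an AWS principal (bare ID or IAM ARN), else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None


def audit_trust_policy(policy, expected_account=VOCAREUM_ACCOUNT_ID):
    """Return a list of findings for the Allow statements of a role trust policy."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*" trusts every account
            principal = {"AWS": principal}
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "AWS" or principal_account(value) != expected_account:
                    findings.append(f"statement {n}: unexpected principal {kind}={value}")
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "sts:externalid" not in keys:  # condition keys are case-insensitive
            findings.append(f"statement {n}: no sts:ExternalId condition (optional in this guide)")
    return findings
```

An empty list means the role trusts only the Vocareum account and requires an external ID; if you left 'Require external ID' unchecked, expect the one external ID finding.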


To create the Vocareum administrator IAM user, please take the following steps:

1. Starting with an unused AWS payer account, navigate to IAM Policies in the AWS console and create a new policy.


2. Choose JSON format and cut and paste the following policy into the policy editor:

Please replace my-billing-bucket with the name of your billing bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:Describe*",
                "organizations:List*",
                "organizations:MoveAccount",
                "organizations:CreateAccount",
                "organizations:CreatePolicy",
                "organizations:UpdatePolicy",
                "organizations:AttachPolicy",
                "organizations:DetachPolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::my-billing-bucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/vocareum",
                "arn:aws:iam::*:role/voclabs"
            ]
        }
    ]
}

Click 'Next'.


3. Enter 'vocareumadmin-policy' as the policy name. Optionally enter a description. Then go to the end of the page and click 'Create policy' to create the policy.


4. Please create an IAM user vocareumadmin. Vocareum will access the BYO payer account via API using the vocareumadmin user credentials. Leave the 'Provide user access to the AWS Management Console' checkbox unchecked. We will create an access key for vocareumadmin after the user is created.

Click 'Next'.


5. Next, in Set Permissions, choose 'Attach policies directly' and select the 'vocareumadmin-policy' that we created earlier.

Click 'Next' to continue and then click 'Create user'.


6. Select the 'vocareumadmin' user to open its page, then click 'Create access key'.

Choose 'Other'. Click 'Next' to continue.

Optionally set a description tag, then click 'Create access key'.

Store the generated access key ID and secret securely. We will enter them on the Vocareum Control Center Payers page.


7. Go to the Vocareum Control Center Payers page. Click 'Add new payer' to add your new BYO payer.

Enter the payer account ID, select 'IAM User' in the Access selection, and enter the key ID, secret, and other required information. Click 'Save'.

The 'IAM User' setup is completed.


To enable billing reports, please take the following steps:

1. Click on your account name in the navigation bar to open the drop-down menu. Then, click My Account to navigate to the account settings page.


2. Scroll down to the IAM User and Role Access to Billing Information section.

Check the box next to Activate IAM Access and then click Update.


3. In the Billing and Cost Management Console, choose 'Billing Preferences' from the left panel.

Click 'Edit' to configure your billing bucket to receive the bill files.


4. In the S3 Console, enable the vocareumadmin role to retrieve bill files from your billing bucket by doing the following:

Choose your billing bucket from the S3 console, then choose the 'Permissions' tab and scroll to the Bucket policy section.

Click 'Edit' to edit the bucket policy, and add the following statement to the policy:

{
    "Sid": "StmtPayerAccess",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<<your payer account id>>:role/vocareumadmin"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<<your billing bucket>>/*"
}

Save the changes to update the policy.
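The statement above is added to the bucket's existing policy rather than replacing it, and both placeholders must be filled in first. The helper below is an added example, not Vocareum's code: it builds the new policy text offline, keeps every existing statement, and can be re-run without duplicating StmtPayerAccess. The function names, the sample policy, and the account IDs in it are constructed for illustration.

```python
import copy

# Constructed sample: a billing bucket that already carries one unrelated statement.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExistingStatement",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-billing-bucket/*",
    }],
}


def payer_access_statement(payer_account_id, bucket):
    """The guide's StmtPayerAccess statement with both placeholders filled in."""
    if not (payer_account_id.isdigit() and len(payer_account_id) == 12):
        raise ValueError("payer account id must be exactly 12 digits")
    if not bucket or any(c in bucket for c in "<>/* "):
        raise ValueError("bucket must be a plain bucket name, not a placeholder or ARN")
    return {
        "Sid": "StmtPayerAccess",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{payer_account_id}:role/vocareumadmin"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }


def add_payer_access(existing_policy, payer_account_id, bucket):
    """Return a new policy: existing statements kept, StmtPayerAccess present once."""
    policy = copy.deepcopy(existing_policy) or {"Version": "2012-10-17"}
    current = policy.get("Statement", [])
    if isinstance(current, dict):  # a lone statement may be a bare object
        current = [current]
    new = payer_access_statement(payer_account_id, bucket)
    # Drop any earlier copy with the same Sid so a re-run refreshes it in place.
    policy["Statement"] = [s for s in current if s.get("Sid") != new["Sid"]] + [new]
    return policy
```

Serialize the returned dictionary with json.dumps(policy, indent=4) and paste it into the bucket policy editor.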


When you have completed these steps, please send an email to support@vocareum.com with the account number of your AWS payer account.
