All Collections
For Administrators
Cloud Labs - Bring Your Own (BYO) AWS Account
Cloud Labs - Bring Your Own (BYO) AWS Account

Steps to grant Vocareum permission to use your AWS account(s)

David avatar
Written by David
Updated over a week ago

NOTE: Please refer to the AWS documentation on "Providing access to AWS accounts owned by third parties".

In order for Vocareum to manage your AWS account(s), please use this guide which details how to create a Vocareum administrator role and enable billing reports.

To create the Vocareum administrator role, please take the following steps:

1. Starting with an unused AWS payer account, navigate to IAM roles in the AWS console and create a new role.


2. Choose Another AWS account from the four options presented. In the Account ID field, please enter 117530877863 and verify that the number was entered correctly before proceeding. Click 'Next'.


3. We will add the permission after the role is created. Skip Add permission for now and click 'Next' at the end of the page.


4. Please enter vocareumadmin as the Role name. The role name must be entered correctly for us to assume the role. You may enter 'Admin Access for Vocareum' in the Description but this is not required.

Again we do not add the permission in this step. You may add tags if needed.

Click 'Create role' to finish creating the role.


5. After the role is created. In the Permission tab, click 'Add permissions' and select 'Select inline policy'.

Choose JSON format and cut and paste the following policy into the policy editor:

Please replace the my-billing-bucket with the name of your billing bucket name.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*",
"organizations:MoveAccount",
"organizations:CreateAccount",
"organizations:CreatePolicy",
"organizations:UpdatePolicy",
"organizations:AttachPolicy",
"organizations:DetachPolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": "arn:aws:s3:::my-billing-bucket"
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::*:role/vocareum"
}
]
}

Click 'Next'.

Enter 'vocareumadmin-policy' as the policy name. (the name is not critical).

Then click 'Create policy' to create the policy.


6. Back to the 'vocareumadmin' role page, edit the maximum session duration from 1 hour to 12 hours.

Click 'Edit'.

Set the duration to 12 hours, then click 'Save changes'.

The 'vocareumadmin' role setup is completed.


To enable billing reports, please take the following steps:

1. Click on your account name in the navigation bar to open the drop-down menu. Then, click My Account to navigate to the account settings page.


2. Scroll down to the IAM User and Role Access to Billing Information section.

Check the box next to Activate IAM Access and then click Update.


When you have completed these steps, please send an email to support@vocareum.com with the account number of your AWS payer account.

Did this answer your question?