AWS Single Account (SA) Setup
CloudShare’s AWS single account setup enables you to run all of your training, demos, and POCs through a single account with your own licenses.
This article includes the following:
- Basic customer setup guide
  - Option #1 - Access Key
  - Option #2 - IAM role (Preferred)
- Setup guide for AMIs/CMKs
Basic Customer Setup
Option #1 - Access Key
- In AWS, copy the AWS account ID for the account you want CloudShare to use.
- To create an IAM user for CloudShare, go to IAM → Users → Add users.
- Enter your username and select the Access key – Programmatic access credential type.
- Select Attach existing policies directly and create a “GeneralAssumeRolePolicy” policy with JSON.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*"
      }
    ]
  }
- Attach the “GeneralAssumeRolePolicy” and “AmazonEC2FullAccess” policies to the user.
- To use AWS SA with service principal credentials, skip the next steps, create a user, and copy the Access key ID and Secret access key.
Required Data for CloudShare:
Provide CloudShare with the AWS Account ID and the Access Key ID and Secret Access Key you created during the previous steps.
Option #2 - IAM role (Preferred)
To use AWS SA with an access role, create a role and a policy that grants permissions to the resources that you want to read, write, or delete in the AWS SA flow. Contact CloudShare Support <support@cloudshare.com> for CloudShare’s AWS account ID. Then set this AWS account ID as a trusted account in the Trust relationships tab.
Required Data for CloudShare:
Provide CloudShare with the AWS Account ID and the IAM role name.
Note
- Using resources from other AWS accounts: If you need to use AMIs/CMKs that are hosted on other AWS accounts, you can request the additional guide covering those topics.
Setup Guide for AMIs/CMKs
To use existing functionality for AMIs and CMKs that are stored in different accounts/organizations, follow the steps below in the accounts where the AMIs and CMKs are stored.
CMKs
- Go to Key Management Service (KMS) → Customer managed keys, and select a region.
- Create a key with:
  - Key type - Symmetric
  - Key usage - Encrypt and decrypt
- Enter the AWS_SA_KMS alias name, and create a key.
- Skip the Define key administrative permissions and Define key usage permissions steps, and finish the key creation.
Policies
- Go to IAM → Policies.
- Create a policy with JSON, skip the tags step, and name it “ModifyImage”.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "ec2:ModifyImageAttribute",
        "Resource": "*",
        "Condition": {}
      }
    ]
  }
- Create a ModifyImageCMK policy with JSON (edit the JSON resource with your values "arn:aws:kms:{your-region}:{account-id}:key/{cmk-key-id}")
{ |
Roles
- Go to IAM → Roles.
- Create a role with: Trusted entity type - AWS Account; and An AWS account – the account you will use.
- Select Require external ID and enter a valid external ID value.
- Attach ModifyImage and ModifyImageCMK to the role.
- Enter the ModifyImage role name and create a role.
- If you want to add more trusted accounts, open the ModifyImage role → Trust relationships → Edit trust policy. Then add your accounts into the AWS section.
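A check for the trust policy that the Roles steps above produce, added here as an example and not part of CloudShare's guide: it reports any statement allowing sts:AssumeRole whose principal is not an expected account or that lacks the external ID condition. The account ID, external ID value, and function names are constructed placeholders, and the sample assumes the policy shape the IAM console generates for "AWS account" with "Require external ID".

```python
import json
import re

# Constructed sample trust policy; account ID and external ID are placeholders.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}
""")

def _as_list(value):
    # IAM allows a single value or a list in most fields.
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Return the 12-digit account ID from an IAM ARN or a bare ID, else None."""
    m = re.fullmatch(r"(?:arn:aws[\w-]*:iam::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None

def review_trust_policy(policy, allowed_accounts):
    """List findings for every Allow statement that grants sts:AssumeRole."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not aws:
            continue  # service or federated principals are out of scope here
        for p in aws:
            acct = _account_of(p)
            if acct is None:
                findings.append(f"statement {i}: principal {p!r} is not a specific account")
            elif acct not in allowed_accounts:
                findings.append(f"statement {i}: account {acct} is not on the allow list")
        # Only the StringEquals form the console writes is recognised.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings
```

Run it against the JSON shown under Trust relationships → Edit trust policy after adding trusted accounts, passing the set of account IDs you intend to trust.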
AMI
- Create your AMI. For example, EC2 → Instances, and then create an instance.
- Enter the instance name and select the appropriate image.
- In the Key pair section select Proceed without a key pair and launch the instance.
- Wait for the instance to start.
- Open an instance, create the AMI, and wait for the creation process to finish.