Running Your Environments on AWS Using Your Organization AWS Account
CloudShare enables you to run your environments (either an entire environment or selected VMs) on the AWS public cloud infrastructure. You have the flexibility to choose between running on AWS using a CloudShare AWS account, or running on AWS using your organization’s AWS account (i.e., “bring your own account”).
When you choose to bring your own account, CloudShare spins up and orchestrates your training and POC environments on the AWS infrastructure managed by your organization’s AWS account.
The main steps for integrating AWS infrastructure with CloudShare are:
- Creating AWS Accounts. This step is required when you are using your organization’s AWS account. When you use a CloudShare AWS account, it is not needed.
- Setting Up Your Environment Images. This step grants CloudShare the required access to your AMIs. CloudShare fully supports the addition of public AMIs, Custom AMIs and Marketplace AMIs.
- Setting the Access Role for Your End Users. This step determines which AWS Roles are available for assignment to your end users.
To provide completely isolated environments for each of your end users, CloudShare uses multiple accounts in AWS. Each end user gets a unique environment in a separate AWS account, which gives them a true ephemeral environment and access to the AWS Admin Console without any risk of impacting other environments or end users.
Important
The AWS accounts that you create for use with CloudShare should be exclusively dedicated to CloudShare activity and should not be assigned any resources. When CloudShare deletes an environment, it deletes all of the resources that exist under that account.
Note on Resource Cleanup
As part of the cleanup process, CloudShare can map and exclude any additional resources that you need to keep in order to continue working with your AWS accounts. To arrange this, open a support ticket listing all of the resources that you want to keep.
Step 1: Increase the number of accounts in your AWS organization.
By default, AWS allows four (4) accounts as the maximum number for an organization. To enable more accounts for use by multiple end users, you should increase the maximum number of accounts in your organization to reflect the total projected number of end users that will participate simultaneously in your training and POC experiences.
To increase the maximum number of accounts for an organization, you should open a ticket to AWS support from your organization root account.
Step 2: Create your accounts.
You can choose to either enable CloudShare to create the accounts on your organization’s behalf automatically, or to create the accounts by yourself:
Enabling CloudShare to create accounts. When you choose this path, you will need to grant CloudShare permission to create accounts under your AWS organization:
- Under your main AWS account, go to the IAM service and create a new role.
- Choose AWS account as the Trusted entity type.
- Select the Another AWS account radio button. The account ID will be provided by CloudShare Support.
- On the next page, create a new policy named CreateAccountPolicy.
- Use the following JSON for the permissions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "organizations:CreateAccount",
          "organizations:DescribeCreateAccountStatus"
        ],
        "Resource": "*"
      },
      {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
      }
    ]
  }
- Attach the new policy you created.
- Name the new role CreateAccountRole.
Each AWS account is created with an owner (identified by a unique email address). CloudShare needs this information for administration.
Note
CloudShare will not use this email address for any purposes other than for managing the account.
The following is an example of a good email convention:
cloudshare-CUSTOMER_NAME-###@domain.com
CloudShare will automatically replace the ### with a running number (001, 002, etc.) when the associated account is used.
Creating the accounts by yourself – If you choose this path, you are responsible for creating the AWS accounts that will be used by CloudShare to manage your environments for each participant.
After you have created the AWS accounts, you will need to provide CloudShare with a list of the relevant accounts that you’ve created.
Step 3: Grant CloudShare access to manage accounts.
Add the CloudShare working account to the trusted entities list for the AWS role OrganizationAccountAccessRole.
This role is created by AWS automatically on every account that belongs to an organization. You only need to add the CloudShare account ID to the role's list of trusted entities to grant CloudShare the required access. Contact CloudShare Support for CloudShare’s account ID.
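The following is an added example, not CloudShare's own tooling, that covers both Step 2 (creating CreateAccountRole in the management account with the policy shown above) and Step 3 (adding the CloudShare account to the trust policy of OrganizationAccountAccessRole in each member account). The CloudShare account ID, the management account ID and the sample member-account trust policy are constructed placeholders; the optional external ID is an assumption about what CloudShare Support may supply, and the sts:ExternalId condition is omitted when none is given. The helper functions work on plain policy documents and run offline; the two functions that take a boto3 IAM client perform the actual AWS calls and are only invoked when you pass a real client.

```python
"""Build, review and apply the IAM policies for the CloudShare integration.
Added example; account IDs below are constructed placeholders."""
import json
from copy import deepcopy

CLOUDSHARE_ACCOUNT_ID = "111111111111"  # placeholder: supplied by CloudShare Support

# Permission policy for CreateAccountRole, exactly as given on the page.
CREATE_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["organizations:CreateAccount",
                    "organizations:DescribeCreateAccountStatus"],
         "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"},
    ],
}

# The minimum the integration needs; anything beyond this is over-privilege.
EXPECTED_ACTIONS = {"organizations:CreateAccount",
                    "organizations:DescribeCreateAccountStatus",
                    "sts:AssumeRole"}

# Constructed: what AWS creates on a member account, trusting only the
# management account (222222222222 is a placeholder).
SAMPLE_MEMBER_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_actions(doc):
    """Set of actions granted by Allow statements in a permission policy."""
    actions = set()
    for stmt in doc["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def excess_actions(doc):
    """Actions granted beyond the documented minimum (empty set means OK)."""
    return policy_actions(doc) - EXPECTED_ACTIONS


def build_trust_policy(partner_account_id, external_id=None):
    """Trust policy that lets only the partner account assume the role.
    external_id (assumption: optional, supplied by the partner) adds the
    sts:ExternalId condition that guards against confused-deputy use."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def trusted_accounts(trust_doc):
    """Account IDs allowed to assume the role under this trust policy."""
    ids = set()
    for stmt in trust_doc["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            for p in _as_list(principal.get("AWS", [])):
                ids.add(p.split(":")[4] if p.startswith("arn:") else p)
    return ids


def add_trusted_account(trust_doc, partner_account_id):
    """Step 3, offline part: copy of a member account's trust policy with the
    partner account added. Idempotent; the input document is not modified."""
    new_doc = deepcopy(trust_doc)
    if partner_account_id not in trusted_accounts(trust_doc):
        new_doc["Statement"].append(
            build_trust_policy(partner_account_id)["Statement"][0])
    return new_doc


def create_account_role(iam, partner_account_id, external_id=None):
    """Step 2: create CreateAccountRole and attach CreateAccountPolicy.
    iam is a boto3 IAM client for the management account."""
    iam.create_role(RoleName="CreateAccountRole",
                    AssumeRolePolicyDocument=json.dumps(
                        build_trust_policy(partner_account_id, external_id)))
    policy = iam.create_policy(PolicyName="CreateAccountPolicy",
                               PolicyDocument=json.dumps(CREATE_ACCOUNT_POLICY))
    iam.attach_role_policy(RoleName="CreateAccountRole",
                           PolicyArn=policy["Policy"]["Arn"])


def grant_member_access(iam, partner_account_id):
    """Step 3: extend OrganizationAccountAccessRole's trust policy.
    iam is a boto3 IAM client for the member account being handed over."""
    role = iam.get_role(RoleName="OrganizationAccountAccessRole")["Role"]
    updated = add_trusted_account(role["AssumeRolePolicyDocument"],
                                  partner_account_id)
    iam.update_assume_role_policy(RoleName="OrganizationAccountAccessRole",
                                  PolicyDocument=json.dumps(updated))
    return updated
```

Run `excess_actions` against the policy you actually attach before handing the role over; it flags any action added beyond the three the page lists (a wildcard such as `organizations:*` shows up as excess). `add_trusted_account` keeps the existing management-account principal in place and only appends the CloudShare principal, so re-running it on an account that was already granted access changes nothing.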