Adding AWS Cloud Accounts

To manage your Amazon Web Services (AWS) account's resources in Commander, add the cloud account and specify the method used to connect to it. The following methods are available:

  • Static credentials
  • An IAM role and instance profile
  • AssumeRole

Important: See Getting started with AWS for a list of tasks to complete before adding an AWS cloud account.

After the cloud account is added to Commander:

If you make changes to the cloud account and you want these changes to be visible in Commander before the next scheduled update, you can synchronize the inventory. For more information, see Synchronizing Inventory.

Adding AWS cloud accounts using static credentials

You can provide static credentials to access your AWS cloud account. This is the most common way to add an AWS cloud account.

This method requires your Commander installation to be hosted on an on-premise server.

Access through:

Views > Inventory > Infrastructure, Applications, or Storage tab

Available to:

Commander Roles of Superuser and Enterprise Admin

To add an AWS cloud account using static AWS credentials:

  1. Click the root node of the inventory tree.
  2. At the top of the Summary page, click Add Cloud Account.
  3. In the Add Cloud Account dialog, from the Cloud Account Type field, select Amazon Web Services.
  4. In the Name field, enter a name for the cloud account.

    Service Portal users may see this name if they have permission.

  5. To authenticate with AWS, do the following:
    • In the Access Key ID field, enter the access key ID from your AWS credentials.
    • In the Secret Access Key field, enter the secret access key from your AWS credentials.
  6. If your account is authorized for GovCloud, enable AWS GovCloud Account.

    Note: AWS GovCloud Region accounts can be obtained only by individuals or entities that qualify as U.S. Persons under applicable regulations.

  7. In the Update Frequency field, enter a value from 10 to 180 minutes.

    By default, Commander retrieves updates from AWS every 60 minutes.

    Note: More frequent updates (meaning lower values for this setting) may impact performance, especially in large installations.

  8. If the Commander server is behind a firewall, enable Use Public Cloud Proxy.

    Note: If you haven't already integrated your proxy server with Commander, click Add Public Cloud Proxy Server and configure the proxy. For instructions, see Connecting Public Clouds through a Web Proxy Server.

  9. If you want to synchronize AWS tags and custom attributes, for Sync Tags and Custom Attributes, click Configure.

    In the Synchronize AWS Tags and Commander Custom Attributes dialog, configure the following settings, and click OK:

    • Enable Import AWS Tags as Commander Custom Attributes and Export Commander Custom Attributes as AWS Tags as required.
    • To exclude certain AWS tags and custom attributes from synchronization, enter them as a comma-separated list in the Excluded Tags/Custom Attributes text field.

      Note: Tags prefixed with "aws:" are reserved for AWS and are automatically excluded from sync. Commander form-type custom attributes are also automatically excluded.

      To learn more, see Synchronizing AWS Tags and Commander Metadata.

  10. If you want to assume a role from a different account (use AssumeRole) instead of using permanent credentials or roles in the managed account, click Advanced Configuration.

    In the Advanced AWS Configuration dialog, configure the following settings, and click OK:

    • In the Role ARN field, enter the Amazon Resource Name (ARN) of the role to assume.
    • In the Default Region field, enter the default region to connect to.
  11. Click OK.

Adding AWS cloud accounts using an IAM role and instance profile

You can use an Identity and Access Management (IAM) role and instance profile to access your AWS cloud account.

This method requires the following:

  • Your Commander installation is hosted on an AWS EC2 instance and an IAM role and policy are specified on that EC2 instance.
  • The EC2 instance where Commander is running must also have an IAM role specified as the instance profile.
  • The IAM role must have permissions to manage the desired AWS accounts.

Access through:

Views > Inventory > Infrastructure, Applications, or Storage tab

Available to:

Commander Roles of Superuser and Enterprise Admin

To add an AWS cloud account using an IAM role and instance profile:

  1. Click the root node of the inventory tree.
  2. At the top of the Summary page, click Add Cloud Account.
  3. In the Add Cloud Account dialog, from the Cloud Account Type field, select Amazon Web Services.
  4. In the Name field, enter a name for the cloud account.

    Service Portal users may see this name if they have permission.

  5. Leave the Access Key ID and Secret Access Key fields blank.

    Note: This information isn't required when the cloud account is authenticated through IAM roles and instance profiles.

  6. If your account is authorized for GovCloud, enable AWS GovCloud Account.

    Note: AWS GovCloud Region accounts can be obtained only by individuals or entities that qualify as U.S. Persons under applicable regulations.

  7. In the Update Frequency field, enter a value from 10 to 180 minutes.

    By default, Commander retrieves updates from AWS every 60 minutes.

  8. If the Commander server is behind a firewall, enable Use Public Cloud Proxy.

    Note: If you haven't already integrated your proxy server with Commander, click Add Public Cloud Proxy Server and configure the proxy. For instructions, see Connecting AWS to Commander through a Proxy Server.

  9. If you want to synchronize AWS tags and custom attributes, for Sync Tags and Custom Attributes, click Configure.

    In the Synchronize AWS Tags and Commander Custom Attributes dialog, configure the following settings, and click OK:

    • Enable Import AWS Tags as Commander Custom Attributes and Export Commander Custom Attributes as AWS Tags as required.
    • To exclude certain AWS tags and custom attributes from synchronization, enter them as a comma-separated list in the Excluded Tags/Custom Attributes text field.

      Note: Tags prefixed with "aws:" are reserved for AWS and are automatically excluded from sync. Commander form-type custom attributes are also automatically excluded.

      To learn more, see Synchronizing AWS Tags and Commander Metadata.

  10. Click Advanced Configuration, and then configure the following settings in the Advanced AWS Configuration dialog:
    1. In the Role ARN field, enter the Amazon Resource Name (ARN) of the role to assume.
    2. In the Default Region field, enter the default region to connect to.
    3. Click OK.
  11. Click OK.

Adding AWS cloud accounts using AssumeRole

You can use AssumeRole to access your AWS cloud account instead of using static credentials or roles in the cloud account. AssumeRole can be thought of as sudo for AWS. When you use AssumeRole, the resources displayed for the cloud account depend on the permissions granted to the role that is assumed.

This method of connecting to an AWS cloud account requires:

  • An Amazon Resource Name (ARN) of the role to assume.
  • The account ID to connect to.

For example: arn:aws:iam::XXXXXXXXXX:role/RoleName.

To add an AWS cloud account using AssumeRole, you can either provide static credentials or an IAM role and instance profile for authentication:

  • If static credentials are provided, they are used to authenticate to AWS and AssumeRole is used to obtain a set of temporary credentials required to connect to the account. In this case, your Commander installation can be hosted on premise or in the cloud.
  • If static credentials are not provided, the AWS authentication must be done with the IAM role of the instance Commander is running on. In this case, your Commander installation must be hosted on an AWS EC2 instance and an IAM role and policy must be specified on the EC2 instance where Commander is running.

Access through:

Views > Inventory > Infrastructure, Applications, or Storage tab

Available to:

Commander Roles of Superuser and Enterprise Admin

To add an AWS cloud account using AssumeRole:

  1. Click the root node of the inventory tree.
  2. At the top of the Summary page, click Add Cloud Account.
  3. In the Add Cloud Account dialog, from the Cloud Account Type field, select Amazon Web Services.
  4. In the Name field, enter a name for the cloud account.

    Service Portal users may see this name if they have permission.

  5. To authenticate with AWS, do one of the following:
    1. If you want to provide static credentials:
      • For Access Key ID, enter the access key ID from your AWS credentials.
      • For Secret Access Key, enter the secret access key from your AWS credentials.
    2. If you want to use the IAM role of the instance Commander is running on (instead of providing static AWS credentials), leave the Access Key ID and Secret Access Key fields blank.
  6. If your account is authorized for GovCloud, enable AWS GovCloud Account.

    Note: AWS GovCloud Region accounts can be obtained only by individuals or entities that qualify as U.S. Persons under applicable regulations.

  7. For Update Frequency, enter a value from 10 to 180 minutes.

    By default, Commander retrieves updates from AWS every 60 minutes.

  8. If the Commander server is behind a firewall, enable Use Public Cloud Proxy.

    Note: If you haven't already integrated your proxy server with Commander, click Add Public Cloud Proxy Server and configure the proxy. For instructions, see Connecting Public Clouds through a Web Proxy Server.

  9. If you want to synchronize AWS tags and custom attributes, for Sync Tags and Custom Attributes, click Configure.

    In the Synchronize AWS Tags and Commander Custom Attributes dialog, configure the following settings, and click OK:

    • Enable Import AWS Tags as Commander Custom Attributes and Export Commander Custom Attributes as AWS Tags as required.
    • To exclude certain AWS tags and custom attributes from synchronization, enter them as a comma-separated list in the Excluded Tags/Custom Attributes text field.

      Note: Tags prefixed with "aws:" are reserved for AWS and are automatically excluded from sync. Commander form-type custom attributes are also automatically excluded.

      To learn more, see Synchronizing AWS Tags and Commander Metadata.

  10. Click Advanced Configuration, configure the following settings in the Advanced AWS Configuration dialog, and click OK:
    • In the Role ARN field, enter the Amazon Resource Name (ARN) of the role to assume.
    • In the Default Region field, enter the default region to connect to.
  11. Click OK.
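
A pre-check for the Role ARN value and a minimal trust policy for the role to assume, as an added example that is not part of Commander or its documentation. The function names, the CommanderAccess role, the commander-svc user and the account IDs are constructed for illustration, and the ARN pattern is a simplified form of the IAM role ARN syntax.

```python
import re

# Simplified IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/[path/]<name>
ROLE_ARN = re.compile(
    r"arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/((?:[\w+=,.@-]+/)*)([\w+=,.@-]{1,64})",
    re.ASCII,
)


def check_role_arn(arn, expected_account_id, govcloud=False):
    """Return a list of problems with a Role ARN; an empty list means it is consistent."""
    match = ROLE_ARN.fullmatch(arn.strip())
    if match is None:
        return ["not a well-formed IAM role ARN: %r" % arn]
    partition, account_id = match.group(1), match.group(2)
    problems = []
    # GovCloud roles live in the aws-us-gov partition, commercial ones in aws.
    wanted = "aws-us-gov" if govcloud else "aws"
    if partition != wanted:
        problems.append("partition is %s, expected %s" % (partition, wanted))
    if account_id != expected_account_id:
        problems.append("role is in account %s, expected %s" % (account_id, expected_account_id))
    return problems


def trust_policy(caller_arn):
    """Trust policy for the role to assume: only caller_arn may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": caller_arn}, "Action": "sts:AssumeRole"}
        ],
    }


if __name__ == "__main__":
    import json
    # Constructed sample values (documentation-style account IDs).
    print(check_role_arn("arn:aws:iam::444455556666:role/CommanderAccess", "444455556666"))
    print(check_role_arn("arn:aws:iam::XXXXXXXXXX:role/RoleName", "444455556666"))
    print(json.dumps(trust_policy("arn:aws:iam::111122223333:user/commander-svc"), indent=2))
```

Naming a single principal in the trust policy, rather than the whole source account, limits who can obtain the temporary credentials for the managed account.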

Setting up your AWS account with Amazon Cost Explorer

You can enable Amazon Cost Explorer at the root level on your payer account. This allows you to access data to run the Reserved Instance Utilization Report and the Reserved Instance Coverage Report.

To set up your AWS account with Amazon Cost Explorer:

  1. Log in to the AWS Management Console page using your AWS payer account credentials. For more information, see AWS Management Console in the AWS documentation.
  2. Search for AWS Cost Explorer.
  3. On the Welcome to Cost Explorer page, select Enable Cost Explorer.
  4. Optionally, in the left menu of the AWS Cost Management page, click Preferences and enable Linked Account Access.

    This will automatically enable all linked accounts. If you disable this preference, data for linked accounts will be retrieved through the payer account and the payer account must be in Commander.

  5. Use an IAM policy to grant permission for the Commander user to access AWS Cost Explorer.
    • To retrieve data for the Reserved Instance Utilization report, select GetReservationUtilization permission.
    • To retrieve data for the Reserved Instance Coverage report, select GetReservationCoverage permission.

    For more information on IAM roles, see Configure an Instance Profile.
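
A least-privilege check for the policy described in step 5, as an added example that is not Commander's own code. It reports which of the two reports a policy enables and flags wildcard grants; the function names and sample policies are constructed, and the check ignores Resource, Condition and NotAction.

```python
from fnmatch import fnmatchcase

# Cost Explorer actions named in step 5, keyed by the report that needs them.
REPORT_ACTIONS = {
    "Reserved Instance Utilization": "ce:GetReservationUtilization",
    "Reserved Instance Coverage": "ce:GetReservationCoverage",
}


def _as_list(value):
    # IAM allows a single statement or action in place of a list.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(action, patterns):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def review_policy(policy):
    """Return ({report: granted?}, [wildcard Allow patterns]) for an identity policy.

    Simplification: Resource, Condition and NotAction are ignored.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action")))
    reports = {
        name: _matches(action, allowed) and not _matches(action, denied)
        for name, action in REPORT_ACTIONS.items()
    }
    return reports, sorted(p for p in set(allowed) if "*" in p or "?" in p)


# Constructed sample policies.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REPORT_ACTIONS.values()), "Resource": "*"}],
}
TOO_BROAD = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "ce:*", "Resource": "*"}}

if __name__ == "__main__":
    for label, doc in (("least privilege", LEAST_PRIVILEGE), ("too broad", TOO_BROAD)):
        print(label, review_policy(doc))
```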