Edit me

YAML file for CUR, S3 bucket, IAM Policy and nOps ShareSave linked accounts to your AWS Organization

In this article:

Prerequisites

To take advantage of all nOps ShareSave Program, you must subscribe ONCE to nOps AWS Marketplace offering. If you have previously subscribe, you are all set to take advantage of all of nOps ShareSave Programs. If not, it’s easy to subscribe and nOps will not charge anything unless we save you money:

  1. Log in to your AWS Payer/Management account with your IAM user.
  2. Click the for Following link: nOps AWS Marketplace Offering
  3. Once on the nOps offering, Click “View Offering“, “Subscribe” and finally “setup Account“. That’s it, you’re done, now it’s time to save!

Steps for Automated Setup for Auto-Pilot Risk-Free Commitment Management

The automated setup is simple, easy and takes only 5 minutes:

  1. On your AWS Payer/Management account, nOps will create a new hourly Cost/Usage Report(CUR), S3 bucket for the CUR and nOps ShareSave Payer cross-account role/policy :
    1. Trusted Entity Type: AWS Account
    2. Trusted Entity: nOps
    3. Role name: nops-sharesave-payer
    4. IAM Policy for the Role: IAM Policy
    5. Automated Creation: YAML File
  2. nOps will link two nOps ShareSave accounts to your AWS Organization in your AWS Payer/Management account:

    1. ShareSave Compute <xx> – used by nOps to buy/sell EC2 3-year Standard Reserved Instances and buy 3-year Compute Savings Plans.
      1. Trusted Entity Type: AWS Account_Trusted
      2. Entity: nOps
      3. Role name: nops-sharesave-ri
      4. IAM Policy for the Role: IAM Policy
      5. Automated Creation: NA – preloaded
    2. ShareSave Other <xx> – used by nOps to buy current generation/flexible 1-year Reserved Instances for RDS, Redshift, OpenSearch, and ElasticCache.
      1. Trusted Entity Type: AWS Account
      2. Trusted Entity: nOps
      3. Role name: nops-sharesave-ri
      4. IAM Policy for the Role: IAM Policy
      5. Automated Creation: NA – preloaded

How to kick off the automated setup and begin saving!

To begin savings via nOps ShareSave – Auto-Pilot Risk-free Commitment Management, follow these steps:

  1. Log in to your AWS Payer/Management account with your IAM user
  2. In another tab, Log in to your nOps Client and head over to the ShareSave dashboard:
  3. On the ShareSave Opportunity dashboard, in the List of Opportunities section, click the Configure Risk Free Commitment button:
  4. Once you click the Configure Risk Free Commitment button, the following pop-up will appear:
    1. If the pop-up does not appear, make sure that the pop-up isn’t being blocked by your browser.
    2. Before you click Proceed, make sure that you’re logged in to your AWS Payer/Management account in the same browser.
  5. After you click Proceed, nOps will take you to your AWS console’s CloudFormation Quick create stack page —with all the required information pre-filled
    Acknowledge and click Create stack:
    NOTE: The CloudFormation will take about 3-5mins to complete
  6. Once the CloudFormation has completed, go to AWS Organizations via the AWS Console to see the two nOps ShareSave Accounts added

ShareSave: Auto-Pilot Risk-Free Commitment Management configuration is now complete.


Note: It will take up to 7 days for nOps Auto-Pilot Risk-Free Commitment Management AI to begin buying commitments within the ShareSave accounts

Referenced Information from Above:

AWS Payer Account, YAML File for CUR, S3 bucket, and nOps Role/Policy

ShareSave YAML file

AWSTemplateFormatVersion: "2010-09-09"

Description: |
  nOps.io integration role for ShareSave accounts (updated September 12, 2022)
  For more information visit https://help.nops.io

Parameters:
  S3CurBucket:
    Description: Format  customername-sharesave
    Type: String
  ReportName:
    Description:  Format  customername-sharesave
    Type: String

Resources:
  CURBucketCreate:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      BucketName: !Ref "S3CurBucket"

  CURBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    DeletionPolicy: Retain
    DependsOn: CURBucketCreate
    Properties:
      Bucket: !Ref "S3CurBucket"
      PolicyDocument:
        Statement:
          - Action:
            - "s3:GetBucketAcl"
            - "s3:GetBucketPolicy"
            Effect: Allow
            Resource: !Join ["", ["arn:",!Ref AWS::Partition,":s3:::",!Ref "S3CurBucket"]]
            Principal:
              Service:
              - billingreports.amazonaws.com
          - Action:
            - "s3:PutObject"
            Effect: Allow
            Resource: !Join ["", ["arn:",!Ref AWS::Partition,":s3:::",!Ref "S3CurBucket","/*"]]
            Principal:
              Service:
              - billingreports.amazonaws.com

  CURCreate:
    Type: "AWS::CUR::ReportDefinition"
    DeletionPolicy: Retain
    DependsOn: CURBucketPolicy
    Properties:
      ReportName: !Ref "ReportName"
      RefreshClosedReports: True
      S3Bucket: !Ref "S3CurBucket"
      S3Prefix: sharesave
      S3Region: us-east-1
      TimeUnit: HOURLY
      ReportVersioning: OVERWRITE_REPORT
      AdditionalArtifacts:
        - REDSHIFT
      Compression: GZIP
      Format: textORcsv

  nOpsShareSaveRole:
    Type: "AWS::IAM::Role"
    DependsOn: CURBucketPolicy
    Properties:
      RoleName: nops-sharesave-payer
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::727378841472:root
            Action:
              - "sts:AssumeRole"
      Path: /
      Policies:
        - PolicyName: nops-sharesave-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: S3ViewCUR
                Effect: Allow
                Action:
                  - "s3:ListBucket"
                Resource: !Join ["", ["arn:",!Ref AWS::Partition,":s3:::",!Ref "S3CurBucket"]]
              - Sid: S3AccessCUR
                Effect: Allow
                Action:
                  - "s3:GetObject"
                  - "s3:PutObject"
                  - "s3:DeleteObject"
                Resource: !Join ["", ["arn:",!Ref AWS::Partition,":s3:::",!Ref "S3CurBucket","/*"]]
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AWSSupportAccess"

AWS ShareSave Payer IAM Policy


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<YOUR BUCKET NAME HERE>",
            "Effect": "Allow",
            "Sid": "S3ViewCUR"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::<YOUR BUCKET NAME HERE>/*",
            "Effect": "Allow",
            "Sid": "S3AccessCUR"
        }
    ]
}

Sharesave IAM Role

nOps ShareSave Accounts: IAM Policy nOps uses to Buy/Sell Reservations and Savings Plans


{
    "Version": "2012-10-17",
    "Statement": [
            {
        "Action": [
            "ec2:DescribeReservedInstances",
            "ec2:DescribeReservedInstancesListings",
            "ec2:DescribeReservedInstancesModifications",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:ModifyReservedInstances",
            "ec2:PurchaseReservedInstancesOffering",
            "ec2:CreateReservedInstancesListing",
            "ec2:CancelReservedInstancesListing",
            "ec2:GetReservedInstancesExchangeQuote",
            "ec2:AcceptReservedInstancesExchangeQuote",
            "rds:DescribeReservedDBInstances",
            "rds:DescribeReservedDBInstancesOfferings",
            "rds:PurchaseReservedDBInstancesOffering",
            "support:*",
            "SavingsPlans:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}



Managing Karpenter Configurations With nOps GitOps support
Managing Resources With Karpenter GitOps Support
Configuring ASGs by Tag
Compute Copilot For ASG Support Matrix
Onboarding your Autoscaling Groups to nOps Compute Copilot
Onboarding your Autoscaling Groups to nOps Compute Copilot via Stackset
Compute Copilot for ECS
Onboarding your EKS clusters to Copilot for EKS Cluster Autoscaler
EKS Provisioner Examples
Compute Copilot for EKS - Karpenter Beta Support
Onboarding your EKS clusters to Compute Copilot for EKS Karpenter
Minimum IAM permissions for the nOps platform
IAM permissions for the nOps platform
IAM permissions for Essentials
Onboarding AWS Linked Accounts
Onboarding Multiple AWS Linked Accounts with CloudFormation
Onboarding AWS with Manual Setup-Contact Us
Service Control Policies
Onboarding AWS with Automatic Setup
Onboarding AWS with 1-click CloudFormation
AWS SSO Integration
Azure SSO Integration
SSO Integration
Okta SSO Integration
OneLogin SSO Integration
Configure Commitment Management
Our Approach to Optimizing Commitment Utilization
Compute Copilot Spot Instance Reliability SLA
Back to top       Home
Tags: onboarding iam