
Prerequisites

To take advantage of the full nOps Commitment Management program, you must be subscribed to the nOps AWS Marketplace offering. If you have already subscribed, see Configure Commitment Management for how the policies below are created.

Policies and Permissions

  1. Within your AWS Payer/Management account, nOps creates a new hourly Cost and Usage Report (CUR), an S3 bucket to receive the CUR, and the nOps ShareSave Payer cross-account role and policy:
    1. Trusted Entity Type: AWS Account
    2. Trusted Entity: nOps
    3. Role name: nops-sharesave-payer
    4. IAM Policy for the Role: IAM Policy
    5. Automated Creation: YAML File
  2. Within the CM linked account that nOps uses to buy and sell Reserved Instances and to buy Compute Savings Plans, nOps uses a preloaded cross-account role:
    1. Trusted Entity Type: AWS Account
    2. Trusted Entity: nOps
    3. Role name: nops-sharesave-ri
    4. IAM Policy for the Role: IAM Policy
    5. Automated Creation: NA – preloaded

Commitment Management YAML file

AWSTemplateFormatVersion: "2010-09-09"

Description: |
  nOps.io integration role for ShareSave accounts (updated September 12, 2022)
  For more information visit https://help.nops.io

Parameters:
  S3CurBucket:
    Description: "Format: customername-sharesave"
    Type: String
  ReportName:
    Description: "Format: customername-sharesave"
    Type: String

Resources:
  CURBucketCreate:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      BucketName: !Ref "S3CurBucket"

  CURBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    DeletionPolicy: Retain
    DependsOn: CURBucketCreate
    Properties:
      Bucket: !Ref "S3CurBucket"
      PolicyDocument:
        Statement:
          - Action:
            - "s3:GetBucketAcl"
            - "s3:GetBucketPolicy"
            Effect: Allow
            Resource: !Join ["", ["arn:",!Ref AWS::Partition,":s3:::",!Ref "S3CurBucket"]]
            Principal:
              Service:
              - billingreports.amazonaws.com
          - Action:
            - "s3:PutObject"
            Effect: Allow
            Resource: !Join ["", ["arn:",!Ref AWS::Partition,":s3:::",!Ref "S3CurBucket","/*"]]
            Principal:
              Service:
              - billingreports.amazonaws.com

  CURCreate:
    Type: "AWS::CUR::ReportDefinition"
    DeletionPolicy: Retain
    DependsOn: CURBucketPolicy
    Properties:
      ReportName: !Ref "ReportName"
      RefreshClosedReports: True
      S3Bucket: !Ref "S3CurBucket"
      S3Prefix: sharesave
      S3Region: us-east-1
      TimeUnit: HOURLY
      ReportVersioning: OVERWRITE_REPORT
      AdditionalArtifacts:
        - REDSHIFT
      Compression: GZIP
      Format: textORcsv

  nOpsShareSaveRole:
    Type: "AWS::IAM::Role"
    DependsOn: CURBucketPolicy
    Properties:
      RoleName: nops-sharesave-payer
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::727378841472:root
            Action:
              - "sts:AssumeRole"
      Path: /
      Policies:
        - PolicyName: nops-sharesave-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: S3ViewCUR
                Effect: Allow
                Action:
                  - "s3:ListBucket"
                Resource: !Join ["", ["arn:",!Ref AWS::Partition,":s3:::",!Ref "S3CurBucket"]]
              - Sid: S3AccessCUR
                Effect: Allow
                Action:
                  - "s3:GetObject"
                  - "s3:PutObject"
                  - "s3:DeleteObject"
                Resource: !Join ["", ["arn:",!Ref AWS::Partition,":s3:::",!Ref "S3CurBucket","/*"]]
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AWSSupportAccess"

Commitment Management IAM Roles

CM AWS Payer IAM Policy


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<YOUR BUCKET NAME HERE>",
            "Effect": "Allow",
            "Sid": "S3ViewCUR"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::<YOUR BUCKET NAME HERE>/*",
            "Effect": "Allow",
            "Sid": "S3AccessCUR"
        }
    ]
}

CM Linked Account IAM Policy


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:ModifyReservedInstances",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:CreateReservedInstancesListing",
                "ec2:CancelReservedInstancesListing",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:PurchaseReservedDBInstancesOffering",
                "support:*",
                "SavingsPlans:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
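Before deploying these documents, a practitioner will want to confirm what they actually grant. The Python script below is an added example, not nOps code: it embeds the four documents from this page (the CUR bucket policy, the nops-sharesave-payer trust and permissions policies, and the linked-account policy) with the CloudFormation !Join/!Ref expressions resolved to a hypothetical bucket name, customername-sharesave, and audits them for the properties that matter in a third-party cross-account setup: that the only trusted principal is the nOps account given in the template, that the payer role cannot reach any S3 resource other than the CUR bucket, that the bucket policy admits only the billingreports.amazonaws.com service principal, and which linked-account actions are service-wide wildcards. Run against the documents as published, it reports that the trust policy carries no sts:ExternalId condition (this page does not say whether nOps supports one; ask before adding it, since an unsupported condition will break the assume-role call), that the bucket policy lacks the aws:SourceAccount condition AWS's own CUR bucket-policy example uses, and that support:* and SavingsPlans:* are the two wildcard grants in the linked account.

```python
"""Offline audit of the Commitment Management IAM documents on this page (added example)."""
import json
import re

NOPS_ACCOUNT_ID = "727378841472"        # trusted account from the CloudFormation template above
BUCKET = "customername-sharesave"       # hypothetical bucket name in the documented format
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")

PAYER_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [f"arn:aws:iam::{NOPS_ACCOUNT_ID}:root"]},
    "Action": ["sts:AssumeRole"]}]}

PAYER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3ViewCUR", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "S3AccessCUR", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

CUR_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
     "Resource": f"arn:aws:s3:::{BUCKET}",
     "Principal": {"Service": ["billingreports.amazonaws.com"]}},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Principal": {"Service": ["billingreports.amazonaws.com"]}}]}

LINKED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:DescribeReservedInstances", "ec2:DescribeReservedInstancesListings",
    "ec2:DescribeReservedInstancesModifications", "ec2:DescribeReservedInstancesOfferings",
    "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering",
    "ec2:CreateReservedInstancesListing", "ec2:CancelReservedInstancesListing",
    "ec2:GetReservedInstancesExchangeQuote", "ec2:AcceptReservedInstancesExchangeQuote",
    "rds:DescribeReservedDBInstances", "rds:DescribeReservedDBInstancesOfferings",
    "rds:PurchaseReservedDBInstancesOffering", "support:*", "SavingsPlans:*"]}]}


def _as_list(v):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _principals(st, kind):
    """Principal may be "*", or a map keyed by AWS / Service."""
    p = st.get("Principal", {})
    return [p] if isinstance(p, str) else _as_list(p.get(kind, []))


def audit_trust_policy(doc, expected_account):
    """Flag trusted principals outside expected_account, actions beyond
    sts:AssumeRole, and the absence of an sts:ExternalId condition."""
    findings = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for p in _principals(st, "AWS"):
            m = ACCOUNT_RE.match(p)
            if not m or m.group(1) != expected_account:
                findings.append(f"unexpected trusted principal: {p}")
        for a in _as_list(st.get("Action", [])):
            if a.lower() != "sts:assumerole":
                findings.append(f"unexpected trust action: {a}")
        if "sts:externalid" not in json.dumps(st.get("Condition", {})).lower():
            findings.append("no sts:ExternalId condition on the cross-account trust")
    return findings


def audit_resource_scope(doc, bucket):
    """Flag any Allow statement whose Resource reaches beyond the CUR bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    return [f"{st.get('Sid', '?')}: {r}" for st in doc["Statement"]
            for r in _as_list(st.get("Resource", []))
            if st.get("Effect") == "Allow" and r not in allowed]


def audit_bucket_policy(doc, allowed_services):
    """Flag principals other than the expected service and statements without
    the aws:SourceAccount condition used in AWS's CUR bucket-policy example."""
    findings = []
    for st in doc["Statement"]:
        for s in _principals(st, "Service"):
            if s not in allowed_services:
                findings.append(f"unexpected principal: {s}")
        if "aws:SourceAccount" not in json.dumps(st.get("Condition", {})):
            findings.append(f"{_as_list(st['Action'])[0]}: no aws:SourceAccount condition")
    return findings


def audit_actions(doc, allowed_services):
    """Flag actions outside allowed_services and service-wide wildcards.
    IAM action names are case-insensitive, so compare in lower case."""
    findings = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for a in _as_list(st.get("Action", [])):
            service, _, name = a.lower().partition(":")
            if service not in allowed_services:
                findings.append(f"action outside allowed services: {a}")
            elif name.endswith("*"):
                findings.append(f"service-wide wildcard: {a}")
    return findings


if __name__ == "__main__":
    for label, result in [
        ("payer trust", audit_trust_policy(PAYER_TRUST, NOPS_ACCOUNT_ID)),
        ("payer scope", audit_resource_scope(PAYER_POLICY, BUCKET)),
        ("CUR bucket", audit_bucket_policy(CUR_BUCKET_POLICY, {"billingreports.amazonaws.com"})),
        ("linked account", audit_actions(LINKED_POLICY, {"ec2", "rds", "support", "savingsplans"})),
    ]:
        print(label, result or "ok")
```

The same functions can be pointed at the live documents after deployment (for example the output of `aws iam get-role --role-name nops-sharesave-payer`, whose AssumeRolePolicyDocument field is the trust policy) to confirm that what was created matches what this page describes.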



Tags: onboarding iam