Please note this article applies only to BYO AWS clouds, and not AWS from Telstra.
You need to follow the steps documented below if you would like Cloud Sight to access BYO AWS accounts (clouds you've purchased from a provider other than Telstra).
Pre-requisites
You need to have a Telstra Cloud Sight provider role deployed to your AWS account. You may have already followed instructions to deploy it by running a CloudFormation script.
Giving Cloud Sight permission to access your AWS cloud
1. Log into your AWS console and navigate to 'IAM'. You can type 'IAM' into the search bar to find this.
2. Within the IAM page, select 'Roles'.
3. Click on the 'TelstraCloudSightProviderRole'.
4. Under the 'Permissions' tab, expand the 'TelstraCloudSightPolicy' or 'TelstraCloudSightBaselinePermissions' policy, and click on the Edit Policy button.
5. Switch to the JSON view of the policy by clicking on the 'JSON' tab
6. Replace the <<YOUR_AWS_ACCOUNT_ID>> placeholder (including the angle brackets) in the code below with your AWS account ID, then copy the entire code block and use it to replace the contents within the JSON tab:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "iam:SimulateCustomPolicy",
                "ec2:DescribeVpcs",
                "iam:ListRoles",
                "iam:GetContextKeysForPrincipalPolicy",
                "iam:ListAttachedRolePolicies"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowIAMPolicyCheck"
        },
        {
            "Action": "iam:GetRole",
            "Resource": "arn:aws:iam::<<YOUR_AWS_ACCOUNT_ID>>:role/TelstraCloudSightProviderRole",
            "Effect": "Allow",
            "Sid": "AllowGetRoleTags"
        },
        {
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::082208012172-cfn-resources/*",
            "Effect": "Allow",
            "Sid": "AllowReadAccessToCFNTemplates"
        }
    ]
}
7. Click on the Review Policy button at the bottom of the screen.
8. Click on the Save Changes button.
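If you would rather check the policy before pasting it in step 6, the following Python sketch fills in the placeholder and reports common mistakes (leftover angle brackets, an iam:GetRole statement not scoped to the provider role, or an action that is not read-only). It is an added example, not Telstra or AWS code; the function names, the read-only prefix heuristic and the account ID 123456789012 are assumptions made for illustration.

```python
import json
import re

PLACEHOLDER = "<<YOUR_AWS_ACCOUNT_ID>>"
ROLE = "TelstraCloudSightProviderRole"
# Heuristic (assumption): every action in this policy starts with a read-style verb.
READ_ONLY = re.compile(r"^[a-z0-9]+:(Describe|List|Get|Simulate)")

# Policy from step 6, compacted; the placeholder is still in place.
TEMPLATE = """
{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowIAMPolicyCheck", "Effect": "Allow", "Resource": "*",
  "Action": ["iam:SimulatePrincipalPolicy", "iam:SimulateCustomPolicy",
             "ec2:DescribeVpcs", "iam:ListRoles",
             "iam:GetContextKeysForPrincipalPolicy",
             "iam:ListAttachedRolePolicies"]},
 {"Sid": "AllowGetRoleTags", "Effect": "Allow", "Action": "iam:GetRole",
  "Resource": "arn:aws:iam::<<YOUR_AWS_ACCOUNT_ID>>:role/TelstraCloudSightProviderRole"},
 {"Sid": "AllowReadAccessToCFNTemplates", "Effect": "Allow",
  "Action": ["s3:GetObjectAcl", "s3:GetObject"],
  "Resource": "arn:aws:s3:::082208012172-cfn-resources/*"}]}
"""

def render_policy(account_id: str) -> str:
    """Substitute the account ID, rejecting anything that is not 12 digits."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return TEMPLATE.replace(PLACEHOLDER, account_id)

def check_policy(policy_json: str, account_id: str) -> list:
    """Return a list of problems found in a policy about to be pasted in step 6."""
    problems = []
    if "<<" in policy_json or ">>" in policy_json:
        problems.append("placeholder markers still present")
    try:
        statements = json.loads(policy_json)["Statement"]
    except (ValueError, KeyError, TypeError) as exc:
        return problems + [f"not a valid policy document: {exc}"]
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        sid = st.get("Sid", "?")
        problems += [f"{sid}: {a} is not read-only" for a in actions if not READ_ONLY.match(a)]
        if "iam:GetRole" in actions and resources != [f"arn:aws:iam::{account_id}:role/{ROLE}"]:
            problems.append(f"{sid}: iam:GetRole is not scoped to {ROLE} in account {account_id}")
    return problems

if __name__ == "__main__":
    acct = "123456789012"  # constructed sample account ID
    print(check_policy(render_policy(acct), acct) or "policy looks as expected")
```

An empty list means the rendered policy matches what this article asks you to paste; any entry names the statement (by Sid) that needs attention.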