Introduction
The Cloudsaver Connection Wizard’s CLI connector for AWS automates deployment of the Cloudsaver StackSet containing IAM cross-account roles and permission policies.
The connector uses an interactive bash or PowerShell script to rapidly deploy CloudFormation StackSets from your management account, first to the management account itself and then to any chosen member accounts.
To do this we’ll need to ensure two prerequisites are in place.
First, CloudFormation StackSets must be configured to operate with self-managed permissions from the management account and in the target member account.
Second, our local CLI must be configured with a profile that has credentials to access our AWS Organization’s management account.
To ensure StackSets can operate in self-managed permissions mode, we’ll need an adminstrative role the CloudFormation service can assume within our management account and an execution role the service can assume in each target member account.
Additional details on StackSets self-managed permissions, as well as guidance for setup, can be found within the AWS documentation.
To use the AWS CLI locally, we’ll need to first install the CLI for our operating system. . .
. . . then configure our CLI profile or access.
Additional details and setup guidance can be found within the AWS documentation.
For this tutorial, we’ll be in bash, using the AWS CLI installed on Windows Subsystem for Linux.
To verify our local profile credentials are configured for the management account, we’ll run two short commands. Even though we’re using bash, the commands for the AWS CLI itself are the same on any shell.
Getting Started
First, run a command for “organizations” with a “describe organization” sub-command. Then, run a command for “sts” with a “get caller identity” sub-command.
The results of “describe organization” identifies our Organization’s management account with the “MasterAccountID”. Here we see an account number ending in “1411”.
The results of “get caller identity” shows the account our CLI profile is currently configured to access. We ensure that matches our Organization management — or master account — ID which ends in “1411”.
Now that we’ve verified our pre-requisites, we’ll log into the Cloudsaver platform and begin the connection.
Open the Cloudsaver platform Connection Wizard with “”Get started”” from the Dashboard.
Choose “Connect AWS Account”.
We verified our credentials and management account already, so we’ll click “Next” on the first screen.
From our Connection Method screen, we’ll click “Select CLI”.
On the third screen, we see tabs for Windows or Linux operating systems, using PowerShell or bash respectively. Since we’re using Windows Subsystem for Linux, we’ll click “Linux” and copy the command.
The command includes a temporary authentication token and allows you to download a unique script which securely links the Cloudsaver platform and your AWS accounts.
Back in bash, we’ll paste and execute the command.
The Cloudsaver banner appears and the script first detects AWS accounts for which we have a profile configured.
The script has detected our management account, we’ll enter “Y” to connect it and wait for the process to execute.
After each successful deployment, a connection notification is sent to the Cloudsaver platform to update our connected accounts.
After connecting to our management accound, the script is now asking us which member accounts to connect. We have two member accounts.
Entering “1” lets us connect all accounts.
“2” would let us individually select accounts from a list.
And entering “3” lets us choose specific accounts by entering their 10-digit IDs.
We’ll choose “1” and connect both of our member accounts.
After connecting our member accounts, we’ve returned to an account selection option. Here we could select additional management accounts if we had them, but we’ve already connected our management account ending in “1411”. We’ll press enter to exit and go back to the Cloudsaver platform.
We can see the Connection Successful indicator update to successful.
In this article