Introduction
As new features and functionality are introduced in PyraCloud, there is the occasional need to update the permissions that PyraCloud has to access your AWS account.
PyraCloud is “secure by default” and uses a very restrictive set of permissions. As a result, when a new feature or functionality is added to PyraCloud, it is likely that the permissions required have not already been granted.
Follow these steps to update your AWS Account permissions so that PyraCloud can function correctly.
Update PyraCloud Permissions
Sign in to the AWS Console
Navigate to https://aws.amazon.com/console/ and sign in to the AWS Console as a user with permission to modify IAM resources.

Navigate to CloudFormation
In the AWS console, click the Services menu item to open the list of services. Under the Management and Governance group, click the CloudFormation item.

Locate the PyraCloud Stack
Once in the CloudFormation console, select the correct region by clicking the region selection at the top right side of the screen. You may need to cycle through the regions until you find the PyraCloud stack (typically named PyraCloud-Onboarding).
Click the radio button next to the stack.
Click Update at the top right of the Stacks list.

Update the Stack
On the Update Stack screen, select “Replace Current Template”. In the Specify template section, select Amazon S3 URL and paste the following link into the Amazon S3 URL textbox: https://iepapp0168sda.s3-eu-west-1.amazonaws.com/pyracloud_onboarding.json.
Click Next.

On the Specify stack details screen, in the Parameters section, leave the ExternalId, PyraCloudProcessId, and PyraCloudTenantId fields as they are.
Click Next.

On the Configure stack options screen, leave all values as they are.
Click Next.

On the Review PyraCloud-Onboarding screen, review the changes that will be made to the stack. In the Capabilities section, check the ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names’ box.
Click Update Stack.

On the PyraCloud-Onboarding screen, refresh the screen until the stack moves from UPDATE_IN_PROGRESS status to UPDATE_COMPLETE.
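Before ticking the IAM acknowledgement on the review screen, it helps to see exactly which IAM actions the replacement template adds compared with the stack's current template. The following is an added example, not PyraCloud's own tooling; the template contents, the `ExamplePolicy` resource name and the helper names are constructed, with the actions taken from the change log on this page.

```python
import json

def iam_actions(template):
    """Collect every Allow action granted by IAM resources in a CloudFormation template."""
    actions = set()
    for resource in template.get("Resources", {}).values():
        props = resource.get("Properties", {})
        if resource.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs = [props.get("PolicyDocument", {})]
        elif resource.get("Type") == "AWS::IAM::Role":
            # Inline policies only; the trust policy (AssumeRolePolicyDocument) is not a grant.
            docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        else:
            continue
        for doc in docs:
            statements = doc.get("Statement", [])
            for stmt in [statements] if isinstance(statements, dict) else statements:
                if stmt.get("Effect") != "Allow":
                    continue
                action = stmt.get("Action", [])  # NotAction is not handled here
                actions.update([action] if isinstance(action, str) else action)
    return actions

def review_update(current, replacement):
    """Diff the granted actions and flag wildcard grants introduced by the update."""
    before, after = iam_actions(current), iam_actions(replacement)
    added = sorted(after - before)
    return {
        "added": added,
        "removed": sorted(before - after),
        "wildcards": [a for a in added if "*" in a],
    }

def sample_template(actions):
    """Build a constructed, minimal template (not PyraCloud's real one) granting `actions`."""
    return {"Resources": {"ExamplePolicy": {
        "Type": "AWS::IAM::ManagedPolicy",
        "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": actions, "Resource": "*"}]}}}}}

# Constructed inputs: action names come from the change log entries on this page.
CURRENT = sample_template(["s3:GetBucketLocation", "cloudtrail:DescribeTrails"])
REPLACEMENT = sample_template(["s3:GetBucketLocation", "cloudtrail:DescribeTrails",
                               "support:*", "trustedadvisor:Describe*"])

if __name__ == "__main__":
    print(json.dumps(review_update(CURRENT, REPLACEMENT), indent=2))
```

For a real review, load the stack's current template and the downloaded pyracloud_onboarding.json with `json.load` and pass both to `review_update`.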


Update Complete
The update process is complete. You may need to wait up to 24 hours for your AWS Account to become healthy in PyraCloud.
Permissions Change Log
At any time, you can view the contents of the CloudFormation script including the permissions required by PyraCloud by clicking here.
The following changes have been made to the CloudFormation script:
October 29th, 2019
Re-onboard AWS Recommendations
You’ll need the below permissions in order to view AWS Recommendations from AWS Trusted Advisor within PyraCloud.
- support:*
- trustedadvisor:Describe*
Please follow the steps here to re-onboard your AWS account with the permissions described above.
Update read and write-back permissions for AWS resources
- If you are unable to read resources (i.e. missing read permissions for AWS resources), then please follow the instructions as mentioned here.
- If you are unable to tag resources (i.e. missing write-back permissions for AWS resources), then please follow the instructions below:
  - Navigate to IAM within the AWS portal.
  - Locate PyraCloudRole.
  - Navigate to the details of that role and ensure that ReadWritePolicy is attached.
  - If the policy is not attached, click Attach policies.
  - Type “PyraCloudReadWrite” in the search box, select the checkbox, and click Attach policy.

The policy should now be attached to the role, and write-back permissions should have been added. To confirm, please check the Resources module of PyraCloud by syncing the relevant AWS accounts.
September 2nd, 2019
Added the following permissions to support synchronizing tags to and from more resource types:
- elasticloadbalancing:DescribeLoadBalancers
- lightsail:GetInstances
- lightsail:GetStaticIps
- lightsail:GetInstanceSnapshots
- s3:GetBucketLocation
- cloudtrail:DescribeTrails
- ce:GetRightsizingRecommendation
- ce:GetReservationPurchaseRecommendation