In this page, we explain how to add a group to Cloud Automator and register AWS accounts. There are two methods for registering AWS accounts: "Registration using IAM role" and "Linking member accounts via AWS Organizations integration." Cloud Automator will use the registered credential information to operate your AWS resources and automate operations.
Register AWS account using IAM role
Process order
The procedure for registering an AWS account using an IAM role, carried out in Cloud Automator and the AWS Management Console, is as follows.
- Start the AWS account registration process in Cloud Automator
- In the AWS Management Console, create a CloudFormation stack for the Cloud Automator designated IAM role in your AWS account
- When the CloudFormation stack creation completes, the IAM role is created with it
- Return to Cloud Automator and enter the created CloudFormation stack information
- Complete the AWS account registration in Cloud Automator
Necessary items
In order to register one AWS account to Cloud Automator, the following new resources are required in your AWS account.
- One CloudFormation stack
- One IAM role
These items will be created during the following procedure, so you don't have to create them beforehand.
Also, during the following procedure you will access the AWS Management Console. The account you sign in with must have the IAM and CloudFormation permissions listed in "(Supplement) Permissions required for creating IAM role" below.
Note:
Please note that the above 2 resources are required for each AWS account registered on the Cloud Automator side. Existing CloudFormation stacks and IAM roles cannot be re-used.
In other words, only the CloudFormation stack information created through the "Create IAM Role" button can be registered. If you close the window before registration or try to re-use a previously created CloudFormation stack, it cannot be used (you need to create a new CloudFormation stack).
Register AWS account credential information
- Access the AWS Management Console and sign in to your AWS account.
- When you access the "Add Group" page in Cloud Automator, the "Add Group" method selection screen will be displayed. Select "Register a single AWS or Google Cloud account to the group."
- The "Group Basic Information" form appears. Enter the "Group Name" and "Group Color," and the "Action Restriction Settings" as needed.
- Click the "Create IAM Role" button located within "AWS Account" at the bottom of the screen to open the AWS Management Console (it will open in a new browser window or tab).
  Please note that if you close or reload the screen during the following steps, you will need to press the "Create IAM Role" button again to create a new IAM role.
- The "Quick create stack" page in the AWS Management Console will be displayed. If you are not signed in to the AWS Management Console, the sign-in screen will appear, so please sign in.
  Please try not to change the name in the "Stack name" field. While changing it won't affect functionality, it will make it impossible to automatically determine which CloudFormation stack corresponds to which AWS account on the Cloud Automator side. If you do change the "Stack name", please make sure you can identify which AWS account on the Cloud Automator side corresponds to that stack.
  Check the checkbox for "I acknowledge that AWS CloudFormation might create IAM resources." at the bottom of the Quick create stack page and press the "Create stack" button.
- CloudFormation stack creation will begin. Usually it takes about 2-3 minutes to complete, after which the stack status shows "CREATE_COMPLETE".
- When CloudFormation stack creation is completed, open the "Outputs" tab. Copy the "Value" displayed for the "CloudAutomatorStackInfo" key.
  After you copy the CloudAutomatorStackInfo value, you can close the AWS Management Console.
- Go back to Cloud Automator and paste the copied value into the "CloudAutomatorStackInfo" field, then enter a name of your choice in the "Account Name" field. Then press the "Register" button.
- When access to AWS is successful, the Group Member List screen will be displayed.
With this procedure, the registration of AWS account credentials is completed.
As the next step, try adding tags to the EC2 instances you want to back up.
(Supplement) Caution when removing AWS account
When you remove an AWS account from Cloud Automator, the CloudFormation stack and IAM role created in your AWS account will not be automatically deleted.
You can verify the corresponding CloudFormation stack name by pressing the "Edit" button for the AWS account you want to remove on the Group edit page.
Based on this name, please delete the CloudFormation stack in the AWS Management Console separately (the IAM role will be automatically deleted when you delete the CloudFormation stack).
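The two places in this procedure where the AWS side matters are reading the "CloudAutomatorStackInfo" output from the stack and, after an account is removed from Cloud Automator, finding the stack and IAM role that are left behind. The script below is an added example (not Cloud Automator's own code) that does both from the JSON printed by `aws cloudformation describe-stacks`: it pulls the CloudAutomatorStackInfo value out of a stack and lists every stack in the region that exposes that output key, so leftovers can be matched against the stack name shown on the group's Edit page before they are deleted. The stack names and the output value in the embedded sample are constructed placeholders; only the output key "CloudAutomatorStackInfo" comes from the page, and the default stack name is not assumed.

```python
"""Locate CloudAutomatorStackInfo outputs and leftover Cloud Automator stacks.

Added example, not part of Cloud Automator. Reads the JSON printed by
`aws cloudformation describe-stacks` (one stack or all stacks in a region)
from stdin; with no pipe it runs against the constructed sample below.
"""
import json
import sys

# The only identifier taken from the page: the key shown on the stack's Outputs tab.
STACK_INFO_KEY = "CloudAutomatorStackInfo"

# Constructed sample in the shape of `aws cloudformation describe-stacks` output.
# Stack names and the output value are placeholders, not Cloud Automator defaults.
SAMPLE_DESCRIBE_STACKS = {
    "Stacks": [
        {
            "StackName": "example-cloud-automator-stack",
            "StackStatus": "CREATE_COMPLETE",
            "Outputs": [
                {"OutputKey": STACK_INFO_KEY, "OutputValue": "EXAMPLE-STACK-INFO-VALUE"},
            ],
        },
        {
            "StackName": "unrelated-app-stack",
            "StackStatus": "UPDATE_COMPLETE",
            "Outputs": [{"OutputKey": "BucketName", "OutputValue": "example-bucket"}],
        },
        {
            "StackName": "stack-without-outputs",
            "StackStatus": "CREATE_COMPLETE",
        },
    ]
}


def stack_info_value(stack):
    """Return the CloudAutomatorStackInfo output of one stack, or None if absent."""
    for output in stack.get("Outputs", []):
        if output.get("OutputKey") == STACK_INFO_KEY:
            return output.get("OutputValue")
    return None


def cloud_automator_stacks(describe_stacks):
    """List (StackName, StackStatus, value) for every stack carrying the key.

    After an AWS account is removed from Cloud Automator the stack and its IAM
    role remain; this shows which stacks in the region are candidates. Match
    the StackName against the name on the group's Edit page before deleting.
    """
    found = []
    for stack in describe_stacks.get("Stacks", []):
        value = stack_info_value(stack)
        if value is not None:
            found.append((stack["StackName"], stack["StackStatus"], value))
    return found


def delete_stack_command(stack_name):
    """argv for removing a leftover stack; CloudFormation deletes the IAM role with it."""
    return ["aws", "cloudformation", "delete-stack", "--stack-name", stack_name]


def main():
    if sys.stdin.isatty():
        data = SAMPLE_DESCRIBE_STACKS  # no pipe: demonstrate on the constructed sample
    else:
        data = json.load(sys.stdin)    # aws cloudformation describe-stacks | python3 stacks.py
    for name, status, value in cloud_automator_stacks(data):
        print(f"{name}\t{status}\t{STACK_INFO_KEY}={value}")
        print("  cleanup:", " ".join(delete_stack_command(name)))


if __name__ == "__main__":
    main()
```

Stacks already in DELETE_COMPLETE are not returned by `describe-stacks`, so an empty result after cleanup is the expected state. Because deleting the stack removes the IAM role that Cloud Automator assumes, run the cleanup only after the account has been removed on the Cloud Automator side.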
(Supplement) Adding AWS accounts
To add AWS accounts to an existing group, please refer to the following manual.
Adding AWS accounts
(Supplement) Permissions required for creating IAM role
When proceeding with IAM role creation according to the steps in this chapter, the AWS account you are signed in with requires the following permissions for creating the IAM role.
- IAM
- CloudFormation
Add a group with linked member accounts using AWS Organizations integration
This section explains how to add a group to Cloud Automator with linked member accounts using AWS Organizations integration. With AWS Organizations integration, IAM roles are automatically deployed to each member account through StackSets created in the management account, eliminating the need to manually create individual CloudFormation stacks.
Difference from IAM role method
With AWS account registration using IAM role, you need to manually create a CloudFormation stack for each AWS account. However, with AWS Organizations integration, you can register multiple member accounts to a group at once. This is convenient for managing large-scale environments or multiple accounts.
Note that this method is only available in environments that use AWS Organizations. If you are not using AWS Organizations, please use the IAM role registration method.
Prerequisites
The following prerequisites must be met before performing this procedure.
- AWS Organizations integration must be configured in your Cloud Automator organization
- For information on how to set up AWS Organizations integration, please refer to this guide
- StackSet deployment via AWS Organizations integration must be complete, and IAM roles must have been created in the member accounts
- The Cloud Automator user performing the operation must have permission to create groups
Process order
Adding a group using AWS Organizations integration is performed through the Cloud Automator interface as follows. No operations in the AWS Management Console are required.
- Access the Add Group page in Cloud Automator
- Select the "AWS Organizations member accounts" method
- Enter group basic information (Group Name, Group Color)
- Select the member accounts to link to the group
- Complete the group addition
Add a group and link member accounts
- Log in to Cloud Automator and access the Group list page from the "Groups" menu in the sidebar. Press the "Add Group" button at the top of the screen.
- The "Add Group" method selection screen will be displayed. Select "Register AWS Organizations member accounts to the group."
- The Add Group screen will be displayed. First, enter the following items in the "Group Basic Information" section.
  - Group Name (required): Enter the name for the group
  - Group Color (required): Select a color to identify the group
  - Action Restriction Settings (optional): Configure if there are actions you want to restrict for this group
- In the "AWS Organizations Member Accounts" section, select the member accounts to link to the group.
The screen consists of two side-by-side lists.
- Left list: A list of member accounts belonging to AWS Organizations
- Right list: Member accounts to be registered to this group
Click a member account from the left list to add it to the right list. Click a member account in the right list to deselect it.
Filtering member accounts
You can filter member accounts by account number, account name, or email address using the search field at the top of the left list.
Additionally, turning on the "Not registered to any group" checkbox will display only member accounts that are not yet registered to any group.
- If multiple AWS Organizations integrations are configured, you can switch between them using the dropdown at the top of the left list. The dropdown displays entries in the format "(Organization ID) Management Account Number: Management Account Name."
- Once you have entered the group basic information and selected the member accounts, press the "Add Group with This Configuration" button at the bottom of the screen.
- Once the group creation and member account linking are complete, you will be redirected to the Group Member List screen.
The group addition using AWS Organizations integration is now complete.
You can now configure jobs and triggers for the AWS resources of the member accounts added to the group.
(Supplement) Adding member accounts to an existing group
To add member accounts to an existing group, follow these steps.
- Access the Group edit page and press the "Add Organizations Member Accounts" button in the "AWS Accounts" section.
- A modal dialog will appear with the member account selection screen. Select the target member accounts in the same way as during new group creation.
- Select the "EBS Backup Check" setting. If EBS backup checking is required, select "Check."
- Press the "Add Member Accounts" button to add the selected member accounts to the group.
(Supplement) Troubleshooting
Member accounts are not displayed
If accounts are not displayed in the member account list, please check the following.
- The AWS Organizations integration status is normal
- StackSet deployment is complete and IAM roles have been created in each member account
- If the "Not registered to any group" checkbox is on, whether all member accounts are already registered to groups (in which case the filtered list is empty)
- The filter keyword entered in the search field is appropriate
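The second item in that checklist, that the StackSet has deployed and the IAM role exists in every member account, can be verified from the management account before opening a support question. The script below is an added example (not Cloud Automator's own code) that reads the JSON printed by `aws cloudformation list-stack-instances --stack-set-name <STACKSET_NAME_PLACEHOLDER>` and splits member accounts into those whose stack instances are all CURRENT and those that need attention, including expected accounts that have no stack instance at all. The StackSet name and the account numbers in the embedded sample are constructed placeholders; the page does not give the real StackSet name.

```python
"""Report StackSet deployment status per AWS Organizations member account.

Added example, not part of Cloud Automator. Reads the JSON printed by
`aws cloudformation list-stack-instances --stack-set-name <STACKSET_NAME_PLACEHOLDER>`
(run in the management account) from stdin; with no pipe it uses the
constructed sample below. Account numbers and reasons are made up.
"""
import json
import sys

# Constructed sample shaped like `list-stack-instances` output: one account
# deployed, one outdated, one inoperable. A fourth expected account is absent.
SAMPLE_STACK_INSTANCES = {
    "Summaries": [
        {"Region": "us-east-1", "Account": "111111111111", "Status": "CURRENT"},
        {"Region": "us-east-1", "Account": "222222222222", "Status": "OUTDATED",
         "StatusReason": "constructed: template updated, instance not yet redeployed"},
        {"Region": "us-east-1", "Account": "333333333333", "Status": "INOPERABLE",
         "StatusReason": "constructed: previous stack operation failed"},
    ]
}

# Constructed list of the member accounts you expect to link in Cloud Automator.
SAMPLE_EXPECTED_ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]


def deployment_report(list_stack_instances, expected_accounts=()):
    """Return (ready, attention).

    ready: sorted account ids whose stack instances are all CURRENT, i.e. the
           IAM role should exist there.
    attention: sorted (account, status, reason) for everything else. Accounts
           in expected_accounts without any stack instance are reported as
           MISSING (for example, outside the targeted OUs, or added to the
           organization without auto-deployment enabled).
    """
    by_account = {}
    for s in list_stack_instances.get("Summaries", []):
        by_account.setdefault(s["Account"], []).append(
            (s.get("Region", "?"), s.get("Status", "UNKNOWN"), s.get("StatusReason", "")))
    for account in expected_accounts:
        by_account.setdefault(account, [("-", "MISSING", "no stack instance in this StackSet")])

    ready, attention = [], []
    for account in sorted(by_account):
        instances = by_account[account]
        if all(status == "CURRENT" for _, status, _ in instances):
            ready.append(account)
        else:
            # Report the first non-CURRENT instance; multi-region StackSets may have several.
            _, status, reason = next(i for i in instances if i[1] != "CURRENT")
            attention.append((account, status, reason))
    return ready, attention


def main():
    if sys.stdin.isatty():
        data, expected = SAMPLE_STACK_INSTANCES, SAMPLE_EXPECTED_ACCOUNTS
    else:
        data, expected = json.load(sys.stdin), []  # pass your own expected list here
    ready, attention = deployment_report(data, expected)
    print("ready:", ", ".join(ready) or "(none)")
    for account, status, reason in attention:
        print(f"attention: {account}\t{status}\t{reason}")


if __name__ == "__main__":
    main()
```

Only accounts in the "ready" list can be expected to appear in the left-hand member account list; an OUTDATED or INOPERABLE instance, or a MISSING account, points to the StackSet deployment rather than to Cloud Automator's filters.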
Group creation fails
If the error "Group creation failed" is displayed, please check the following.
- The group name does not duplicate another group's name
- At least one member account is selected
- The AWS Organizations integration settings are active