Integration Setup

AWS

Pre-requisites

  1. Administrative access to the AWS account

  2. AWS CLI Installed and confirmed

Step 1: Deploy CloudFormation

Select one of the following options, depending on how you want to deploy.

Onboard accounts in AWS Organization

a. Find your Organization Root ID

aws organizations list-roots

Root IDs look like "r-a1b2". If you have trouble finding your Organization Root ID, see the AWS documentation here.

b. Run the CloudFormation to deploy

# Replace <ROOT_ORG_ID> with the Root ID returned by step a
aws cloudformation create-stack \
  --stack-name SimpleStack-Deploy \
  --template-url https://cloudops-deploy-automation.s3.amazonaws.com/AWSOrganizationDeployment.yml \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameters ParameterKey=OrganizationUnitList,ParameterValue=<ROOT_ORG_ID>

Onboard Specific OU of AWS Organization

Gather the OU IDs you would like to onboard and pass them as a comma-separated list. Examples of how to find OUs are documented here.

aws cloudformation create-stack \
  --stack-name SimpleStack-Deploy \
  --template-url https://raw.githubusercontent.com/kaytu-io/deployment-automation/main/aws/AWSOrganizationDeployment.yml \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameters ParameterKey=OrganizationUnitList,ParameterValue=ou-1234,ou-23456,ou-23455

Onboard Explicit list of Specific Accounts

To onboard a specific list of accounts, replace the last line with the exact 12-digit account IDs, comma-separated:

# Replace the placeholders with the account IDs to onboard (not the Organization Root ID)
aws cloudformation create-stack \
  --stack-name SimpleStack-Deploy \
  --template-url https://raw.githubusercontent.com/kaytu-io/deployment-automation/main/aws/AWSOrganizationDeployment.yml \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameters ParameterKey=AccountList,ParameterValue=<ACCOUNT_ID_1>,<ACCOUNT_ID_2>

Onboard Individual AWS Accounts

# CAPABILITY_NAMED_IAM is required because the template creates the named IAM user used in Step 2
aws cloudformation create-stack \
  --stack-name SimpleStack-Deploy \
  --template-url https://raw.githubusercontent.com/kaytu-io/deployment-automation/main/aws/SingleAccountDeployment.yml \
  --capabilities CAPABILITY_NAMED_IAM

Confirm this step has completed by validating that the stack was created successfully before continuing.
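The four commands above differ only in which ParameterKey receives which kind of ID, and passing a root or OU ID as AccountList (or an account ID as OrganizationUnitList) is an easy mistake. The following helper is an added example, not part of the Kaytu documentation: it checks each ID against the AWS Organizations ID formats (root r-xxxx, OU ou-xxxx-yyyyyyyy, 12-digit account IDs) and prints the matching create-stack command for review without contacting AWS.

```shell
#!/bin/sh
# Added helper, not from the Kaytu docs: validates the IDs to onboard and
# emits the matching --parameters argument, so a root or OU ID is never passed
# as AccountList and an account ID is never passed as OrganizationUnitList.
# Formats: root "r-" + 4..32 [a-z0-9]; OU "ou-" + 4..32 [a-z0-9] + "-" + 8..32 [a-z0-9];
# account: exactly 12 digits.

TEMPLATE_URL="https://raw.githubusercontent.com/kaytu-io/deployment-automation/main/aws/AWSOrganizationDeployment.yml"

# Print the ParameterKey an ID belongs to, or "invalid" if it matches no format.
param_key_for() {
  if printf '%s' "$1" | grep -Eq '^r-[a-z0-9]{4,32}$'; then echo OrganizationUnitList
  elif printf '%s' "$1" | grep -Eq '^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$'; then echo OrganizationUnitList
  elif printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; then echo AccountList
  else echo invalid
  fi
}

# build_parameters ID [ID...] -> "ParameterKey=<key>,ParameterValue=<id>[,<id>...]"
# Fails (exit 1) on a malformed ID, on an empty list, or when both kinds are mixed.
build_parameters() {
  key=""; value=""
  for id in "$@"; do
    k=$(param_key_for "$id")
    if [ "$k" = invalid ]; then echo "malformed ID: $id" >&2; return 1; fi
    if [ -z "$key" ]; then key=$k
    elif [ "$key" != "$k" ]; then echo "cannot mix $key and $k IDs" >&2; return 1
    fi
    value="${value:+$value,}$id"
  done
  if [ -z "$key" ]; then echo "no IDs given" >&2; return 1; fi
  echo "ParameterKey=$key,ParameterValue=$value"
}

# Print the full create-stack command for review; pipe the output to sh to run it.
print_create_stack() {
  params=$(build_parameters "$@") || return 1
  printf '%s\n' "aws cloudformation create-stack \\" \
    "  --stack-name SimpleStack-Deploy \\" \
    "  --template-url $TEMPLATE_URL \\" \
    "  --capabilities CAPABILITY_NAMED_IAM \\" \
    "  --parameters $params"
}

# Example: sh onboard.sh ou-ab12-8xyzw123 ou-cd34-9mnop456
if [ "$#" -gt 0 ]; then print_create_stack "$@"; fi
```

Shorthand such as ou-1234 in the examples above is rejected by the check, because real OU IDs carry a second segment after the four-character prefix.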

Step 2: Generate IAM Keys

a. Generate Credentials

aws iam create-access-key --user-name SimpleStackIAMUser

Step 3: Gather Required Fields

You will need the following:

  1. IAM User Access Key

  2. IAM User Access Secret

If you customize Role Name, you will need to

Azure

Pre-requisite

  1. Azure CLI

  2. Permission to create a Service Principal in Azure AD / Microsoft Entra ID

  3. Ability to assign permissions to the SPN on one or more Azure subscriptions

Step 1: Login to CLI

The easiest way to create the Service Principal is with Azure Cloud Shell in the Azure portal, which provides a pre-installed, pre-configured Azure CLI 2.0. If you can't use Azure Cloud Shell, install Azure CLI 2.0 on the system of your preference.

az login

Step 2: Create Service Account (SPN)

Create an SPN with the built-in Reader role scoped to your management group:

# Replace <SPN_NAME> with the display name for the service principal and
# <MANAGEMENT_GROUP_ID> with the ID of the management group to grant read access on
az ad sp create-for-rbac --name <SPN_NAME> \
    --role reader \
    --scopes /providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>

Running this command produces output like the following:

{
  "appId": "myServicePrincipalId",
  "displayName": "myServicePrincipalName",
  "password": "myServicePrincipalPassword",
  "tenant": "myOrganizationTenantId"
}

If your account doesn't have permission to create a service principal, az ad sp create-for-rbac returns an error message containing "Insufficient privileges to complete the operation".

Contact your Microsoft Entra admin to create a service principal.

For more information about user settings in Microsoft Entra ID, see Restrict who can create applications.

Step 3: Delegate Read Access
