Connect your AWS account

To enable Microtica to manage cloud resources you need to connect your AWS account and set up the proper access rights. Microtica authenticates with your AWS account through the AWS STS AssumeRole service, which generates temporary access tokens. The generated tokens are then used in every subsequent call to your account.

Connect your AWS account in two steps:

  • Create cross-account role
  • Connect AWS account

#Create cross-account role

Using CloudFormation

If you want to establish access quickly, log in to your AWS account and follow this link.

To establish access specifically for the Microtica Cost Optimizer, follow this link.

The link redirects you to the CloudFormation page and asks for the External ID parameter. Enter a secret value in this field and remember it for later; it is the value Microtica must present when it assumes the role.

Manual setup

To create a cross-account role you first need to log in to the AWS console. Follow the steps below to establish access between Microtica and your AWS account.

  • Go to the IAM service
  • Choose Create role
  • Choose Another AWS account from the list of trusted entity types
  • For Account ID add 652222714481.
  • For External ID add a secret value and remember it for later. Go to Next
  • From the list of policies, select the ones that you intend to use. For example, if you plan on creating a Kubernetes cluster you should enable permissions for EKS and EC2 for Kubernetes nodes. You can also create a custom policy with more narrow permissions.
    To be able to use Microtica ready-to-use Components add the following access policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "s3:*",
                "ssm:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "logs:*",
                "iam:*",
                "lambda:*",
                "sqs:*",
                "sns:*",
                "autoscaling:*",
                "rds:*",
                "eks:*",
                "acm:*",
                "route53:*",
                "secretsmanager:*",
                "kms:*",
                "sts:*",
                "codebuild:*",
                "ecr:*",
                "dynamodb:*"
            ],
            "Resource": "*"
        }
    ]
}
  • Choose the newly created policy from the list and go to Next
  • Enter the role name of your choice
  • Once the role is created, configure the role’s trust relationships. Choose the newly created role and go to Trust relationships. Before you add the policy defined below, replace <EXTERNAL_ID> with the secret you chose while creating the role. The sts:ExternalId condition is what stops any other party that knows your role ARN from having it assumed through Microtica's account (the confused deputy problem), so keep the value secret and specific to this role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::652222714481:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL_ID>"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Least privileges

It’s a best practice to always follow the principle of least privilege. Start by giving Microtica the least privileges it needs and then expand the permissions as a need arises.
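As an added example (not Microtica's own code), a stdlib-only Python check you can run over the trust policy above before saving it and over any permissions policy you attach: it flags a missing or still-placeholder sts:ExternalId condition on the Microtica account principal, and lists the service-wide wildcard actions a permissions policy grants so you can see how far it sits from least privilege. The sample trust policy embedded at the bottom is constructed from the one on this page.

```python
# Account ID the page instructs you to trust; an External ID condition is expected on it.
MICROTICA_ACCOUNT = "652222714481"
PLACEHOLDER_IDS = {"", "<EXTERNAL_ID>"}

def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, partner_account=MICROTICA_ACCOUNT):
    """Return findings for a role trust policy; an empty list means it passes.

    Each Allow statement with an AWS account principal (service principals such as
    lambda.amazonaws.com are skipped) must name the partner account and carry a
    StringEquals sts:ExternalId condition with a real secret: the confused-deputy
    defence behind the page's External ID step.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # A bare "Principal": "*" is treated like an AWS principal so it gets flagged too.
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if not aws:
            continue
        for arn in aws:
            if f":{partner_account}:" not in arn:
                findings.append(f"statement {i}: unexpected AWS principal {arn}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append(f"statement {i}: AWS principal without sts:ExternalId condition")
        elif ext_id in PLACEHOLDER_IDS:
            findings.append(f"statement {i}: External ID placeholder was not replaced")
    return findings

def wildcard_actions(policy):
    """Return service-wide wildcard actions (such as "iam:*") granted by Allow statements."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            found.extend(a for a in _as_list(stmt.get("Action", [])) if a.endswith(":*"))
    return found

# Constructed sample: the page's trust policy with the placeholder not yet replaced.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::652222714481:root"},
     "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "<EXTERNAL_ID>"}}},
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
```

Running `check_trust_policy(SAMPLE_TRUST)` reports the unreplaced placeholder; once the secret is filled in the list is empty.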

Cost Optimizer permissions

If you want to use the Cost Optimization feature, include the following policy in the cross-account role. This policy gives Microtica access to cost and usage metrics, as well as permission to start and stop EC2 and RDS instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:GetRole",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ce:GetCostAndUsage",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ce:GetCostForecast",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DescribeInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "rds:ListTagsForResource",
                "rds:StartDBInstance",
                "rds:StartDBCluster",
                "rds:StopDBInstance",
                "rds:StopDBCluster",
                "rds:AddTagsToResource",
                "rds:RemoveTagsFromResource",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "autoscaling:ResumeProcesses",
                "autoscaling:SuspendProcesses",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:DescribeTags",
                "autoscaling:DescribeAutoScalingGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

#Connect your AWS account

Once the role is properly configured in your AWS account you can attach the account from the Microtica portal and start deploying infrastructure in the Cloud. Go to Settings and choose the AWS Accounts tab.

(Screenshot: Microtica connect AWS account form)

Now, you are ready to automate and deploy your infrastructure on AWS.

#Revoking access

To completely revoke Microtica's access to your AWS account, remove the previously created cross-account role. After that, Microtica no longer has access to your cloud account.