This article describes how to get started with onboarding an AWS account.
- From the Accounts dropdown list, click Add account and then click the AWS icon.
- Choose how you would like to complete the onboarding:
  - Automatically (recommended)
  - Manually
  - Using API
Automatic AWS Onboarding
In the automatic flow, the script creates the following in your AWS account:
- S3 bucket (named: cur-<Account-ID>)
- Cost and Usage Report
- IAM role with a trust policy for Anodot that includes an ExternalId condition
- SNS notification
1. AWS Details
Enter your AWS Root Account ID, select the account name that will be displayed in Anodot, and click Next.
Note: By default, we create the bucket that hosts the CUR files in the us-east-1 region.
2. Validate Access
Download the two files (AnodotPayer.yaml + Connect2Anodot.sh).
There are two common options to run the script:
- Using AWS CloudShell (recommended).
- Using your preferred workspace, such as Terminal.
Automatic onboarding using CloudShell
1. In the AWS console, navigate to CloudShell.
2. (Optional) Run the command aws sts get-caller-identity to verify the account you want to onboard.
3. Click on Action > Upload file, and upload the file AnodotPayer.yaml you just downloaded.
4. Repeat step #3 for the file Connect2Anodot.sh.
   Note: The files should be named as indicated above, avoiding duplicates such as AnodotPayer(1).yaml, AnodotPayer(2).yaml.
5. (Optional) Run the command cat AnodotPayer.yaml (verify the file was saved as expected).
6. (Optional) Run the command cat Connect2Anodot.sh (verify the file was saved as expected).
7. Run the command bash ./Connect2Anodot.sh (this will run the script).
8. Go to the AWS CloudFormation page. Once the status shows "CREATE_COMPLETE", the process has finished. Go back to the Anodot console and click Next to proceed.
Automatic onboarding general flow
- Prepare the AWS profile for your management account in AWS. If you do not have the profile name at hand, run the following command to see it: cat ~/.aws/config
- To verify that this is the account you want to onboard, run the following commands:
- export AWS_PROFILE=<profile-name>
- aws sts get-caller-identity
- Run the script by running the command: bash ./Connect2Anodot.sh
- Go to the Anodot platform, and click Next.
3. Validate Account
In this step, Anodot validates all your AWS details. This step can take up to 1 hour.
We will inform you once the validation is done so that you will be able to connect your linked account.
Note: If you do not want to connect your linked accounts, you can ignore the email. We will notify you again once the entire process is done and you can see data in your account.
4. (Optional) Linked Account Status
Connect your linked accounts to Anodot to see recommendations.
For guidance on how to connect your linked accounts click here.
In case you would like to connect all your linked accounts at once using CloudFormation click here.
5. Process Data
This step can take up to 48 hours (depending on when we will receive your files from AWS).
We will notify you by email once it is done and you can see data in your account.
Manual Onboarding with AWS
1. Create a CUR file
2. AWS Details
- Enter the account ID, bucket name, and bucket region from the previous step.
Enter the Display Account Name shown in Anodot and click Next.
3. Grant Access
Grant access to Anodot using AWS CLI or manual flow.
AWS CLI:
- Step A- Download all the JSON files from step.
- Step B- Navigate to the AWS portal, open the AWS CLI, and copy and run the commands.
- Step C- Copy the Role ARN from the CLI and paste it in step C in Anodot. Then, click on Next.
Manual flow:
Download all the JSON files from step A (as shown in the screenshot above). Then, in the AWS console, create the Policy, Role, and Event Notification.
Create Policy:
- Navigate to the AWS portal IAM > Policies page, and click Create policy.
- Switch to the JSON editor, delete the template policy, and paste the text from the PileusPolicy.json file you downloaded. Then click Next.
- Set the policy name to PileusPolicy, and click Create policy.
Create Role
- Navigate to the AWS portal IAM > Roles page, and click Create role.
- Select the Another AWS account option, enter Anodot account ID (932213950603), and click Next.
- In the search bar, select PileusPolicy (created in the previous step), and click Next.
- Set the policy name to PileusRole.
- In the Trust policy section, click Edit and paste the text from the file PileusRole.json you downloaded, then click Create role.
- Navigate to the AWS Roles page, search for PileusRole, and click on it.
- Copy the ARN value from the top of the page, and paste it into Anodot.
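Before pasting a trust policy in the Create Role steps above, it is worth checking that it trusts only the Anodot account and requires an ExternalId condition. The following is an added example, not Anodot's code and not part of the original article; the function names are hypothetical, and the two sample policies are constructed for illustration (the contents of the real PileusRole.json are not shown on this page).

```python
import json

ANODOT_ACCOUNT_ID = "932213950603"  # Anodot account ID as given in the Create Role steps

def principal_accounts(principal):
    """Return the set of AWS account IDs named in a Principal element ('*' for a wildcard)."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return {"<unexpected>"}
    accounts = set()
    for kind, value in principal.items():
        if kind != "AWS":
            accounts.add(f"<{kind}>")  # Service/Federated principals are not expected here
            continue
        for item in [value] if isinstance(value, str) else value:
            parts = item.split(":")    # arn:aws:iam::<account-id>:root, or a bare account ID
            accounts.add(parts[4] if item.startswith("arn:") and len(parts) > 4 else item)
    return accounts

def review_trust_policy(policy_text, expected_account=ANODOT_ACCOUNT_ID):
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        accounts = principal_accounts(stmt.get("Principal"))
        if accounts != {expected_account}:
            findings.append(f"statement {i}: trusts {sorted(accounts)}, expected only {expected_account}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
    return findings

# Constructed sample policies (not the contents of the real PileusRole.json).
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::932213950603:root"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]})
WEAK = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, review_trust_policy(doc) or "ok")
```

To check the downloaded file, pass its contents to review_trust_policy, for example review_trust_policy(open("PileusRole.json").read()).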
Create Event Notification
- In AWS, navigate to the dedicated S3 bucket you created and click Properties.
- Scroll down and click Create Events Notifications.
- Enter an Event name and ensure the All object create events checkbox is selected.
- In the Destination section, select the SNS Topic option and Enter SNS topic ARN.
Then, under the SNS topic paste the TopicArn value from the NewInvoiceTopicConfiguration.json file that you downloaded from Anodot at the beginning of this step. Then, click Save Changes.
4. Validate Access
Download the file from step A and paste it into the dedicated bucket you created from Anodot. Then click Next.
This will allow Anodot access to download the files from this bucket.
5. Validate Account
In this step, Anodot validates all your AWS details. This step can take up to 1 hour.
We will inform you once the validation is done so that you will be able to connect your linked account.
Note: If you do not want to connect your linked accounts, you can ignore the email. We will notify you again once the entire process is done and you can see data in your account.
6. (Optional) Linked Account Status
Connect your linked accounts to Anodot to see recommendations.
For guidance on how to connect your linked accounts click here.
7. Process Data
This step can take up to 48 hours (depending on when we will receive your files from AWS).
We will notify you by email once it is done and you can see data in your account.
Using API
1. Follow our API documentation:
https://cost-docs.anodot.com/#onboard-aws-account
2. Run the script in AWS CloudShell:
In the response of the API, you will receive two files to run in AWS CloudShell. Click here to see how to run those files in AWS CloudShell.
3. Validate Account
In this step, Anodot validates all your AWS details. This step can take up to 1 hour.
We will inform you once the validation is done so that you will be able to connect your linked account.
Note: If you do not want to connect your linked accounts, you can ignore the email. We will notify you again once the entire process is done and you can see data in your account.
You can see the status of the onboarding under Accounts > Cloud Accounts page.
For Anodot to be able to create recommendations for you, you will need to connect all the linked accounts to the platform. You can find instructions on how to connect them manually here, or by using CloudFormation.