Navigation Menu: Customer > Cloud Billing > Cloud Accounts


TIP: For best results, use Google Chrome when working in the platform portals and the AWS Management Console.

 

Overview

This article explains in detail how to add (or link) an existing AWS account to a customer profile in the platform. Linked accounts may also be referred to as "member" accounts.  


You will learn how to...

  • Add account(s) in the platform, 
  • Configure the read-role (Role ARN) credentials (used by the platform for advanced reporting functionality). 

You need to obtain the following information from your customer:

  1. 12-digit AWS Account number (Required)
  2. (Optional) The Root email address 
  3. AWS Support Type:
  • Business Level Support – BLS
  • Developer
  • Basic/No Support (Free)

Linking existing AWS accounts requires the Root AWS account owner or a user with IAM Full Administrator access.


There are three separate steps to adding an existing AWS account. They include:

  1. Adding the AWS account information in ION
  2. Accepting the invitation to link (completed by the AWS account owner or admin) from the AWS account console
  3. Creating a cross-account read only role to support advanced reporting features in ION, in the AWS account console


Definitions:


Root User: When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account Root User and is accessed by signing in with the email address and password used to create the account.   When you create a new account, you are required to set up a payment method.  Typically, it is a credit card.


Standalone Account: An AWS standalone account means a single AWS account that is not attached (linked) as a member account under a Management Account.  


Management Account: Also referred to as the payer or master account where the AWS Organization features for consolidated billing are configured and controlled. The management account holds the payment method for all member (or linked) accounts.  The StreamOne Ion Ops team sends linking requests via the AWS Organization feature within our Management Account via the 12-digit AWS account number. AWS sends an alert email to the Root account owner.  


AWS Organization: AWS Organizations is an account management service that enables consolidation of multiple AWS accounts into an organization for central management purposes.  AWS Organizations has two available feature sets: (1) Consolidated Billing Features, and (2) All Features, which includes a subset of advanced account management for central service control policies. TD SYNNEX operates our shared payers under the Consolidated Billing feature only. Dedicated payers can leverage 'All Features.'

 

The table below represents a list of activities between the cloud platform and the AWS console:

 

Activity | Responsible Party | Work completed in...
Add AWS Account (means the account already exists as a standalone account) | Reseller or Customer (if Customer Portal is provisioned) | Platform
Setup Role ARN (ReadOnlyAccess) | AWS Account Owner | AWS Console
Add ARN role to account profile in platform | Reseller or Customer (if Customer Portal is provisioned) | Platform
Send Linking Request | TD SYNNEX - Cloud Ops Team | AWS Console
Accept Linking Request | AWS Account Owner | AWS Console
Configure Support Settings (*If applicable - Notify the ION Ops team if Business Level Support is currently enabled or needed for new account requests) | Reseller - (TD SYNNEX Cloud Ops in a Support role) | Platform
Configure AWS Pricebook (MSRP or Custom pricing) | Reseller | Platform


Important!  
This article assumes you have read the Discovery Questions for Customers with Existing AWS Accounts to address any possible account link issues prior to adding the account in the platform.  To ensure a positive customer experience, do not link AWS accounts prior to reviewing the pre-qualifying questions with your customers. 

For accounts under a shared consolidated management account, be sure to read, understand and communicate with your customers, The Explanation of AWS Shared Consolidation and Blended Rates.

When AWS accounts join or new accounts are created, the AWS billing console will no longer be the source of truth for billing information.  We strongly encourage our AWS resellers to provide their customers with access to the Customer Portal to view accurate customer pricing. Please read the Knowledge Base article, How Do I Find the End-Customer Portal URL?


Part 1 - Add existing AWS account (Reseller's actions)

To add an existing AWS account, follow these steps:

1. Log into the platform and select the Customers menu
2. Select the customer from the list (to whom you want to add the AWS account), then click Edit or double-click to load the profile and see menu options


3. Click Cloud Billing

4. Click Cloud Provider - If the AWS Pricebook is listed, go to the next step. If the AWS Pricebook is blank, click ADD to select the AWS Pricebook. Amazon Web Services Master Pricebook = MSRP for Customer Cost. 

5. Click Cloud Accounts

6. Click Add. The Cloud Account dialog box displays. Complete the fields below:


(1) Select Amazon Web Services from the drop-down list

(2) Pick New Account and enter the 12-digit AWS account number (required)

(3) Optional - add the root email address for the AWS account.  If you do not know the email address, you can skip this step

(4) Setting should remain as Resale

(5) (optional) This option is used to set custom pricing by cloud account.  You can select the default pricebook, pick a custom pricebook, or leave blank (which assumes the default pricebook) The default pricebook is set under the Cloud Provider menu option

(6) Click Save

(7) Once saved, the Create IAM Role window displays. To continue, follow the instructions on the screen. To complete this step at a later time, click Later.






Part 2 - Create IAM Role (ReadOnlyAccess)


Tip:  We recommend you use two browsers to toggle between the AWS Console and the platform.  When you complete the setup of the read only access role in the AWS console, you paste the role ARN name in a specific field in the platform.

The Create IAM Role instruction window displays at the time you add the account.  The instructions in this window are completed in the AWS console.  

(1) If you have access to the AWS account, please log into AWS console IAM screen to complete the next steps.  

(2) If you do not have access, click Later


When you return to add the role (after the account was initially added), you can see the instructions by selecting the account from the list and double-clicking to open the Cloud Account dialog box. Scroll to the bottom to view the options. Click ROLE ARN



Note: Root access is not a requirement for a user to create a read-only role but depends on the IAM user's access rights.  


    

Specific Items to note in this instruction window:



(1)  The Cross Account ID is standard for all AWS accounts linked in ION


(2)  The External ID number is unique to each account linked in ION


(3) The platform requires the Role ARN name in this field.  


(4) If the role was created correctly, the 'Verified' status displays in green (as shown in the image here).


(5) A description of the Role ARN is not required


(6) Click Save


An AWS read only access role allows for enhanced reporting features in the platform. Here are the steps to credential the account:


For the full instructions and video tutorial, please read the article: How to Create the Role ARN for AWS Accounts


Here's a video tutorial that walks you through the steps:  How to Create an AWS Role ARN for Platform Use


1.    Login to the Amazon IAM console

2.    Select Roles 

3.    Click Create Role

4.    Click AWS Account

5.    Select Another AWS Account

6.    Enter the Account ID: 328676173091

7.    Under Options check the box next to Require external ID

 Enter the External ID: CA****** (This ID number is unique to each AWS account)

***DO NOT toggle on the "Require MFA" feature*** MFA for third-party access is not supported at this time, and accounts used for access have MFA enabled.

8.   Click Next



9.     Search for the "ReadOnlyAccess" policy and check the box next to ReadOnlyAccess


Optional:  To enable the policy for the Security and Compliance Report, in the policy list, search for AWSSupportAccess and check the box on the left. Business Support is required for this report.  For more information, please read the Knowledge Base article: AWS Security and Compliance Report.


10.   Enter a Role Name. Example: IONReadOnly (Maximum 128 characters. Use alphanumeric and '+=,.@-_' characters.)  

11.   Enter a Description. Add a brief explanation for this policy. Example: Cloud Platform Read Only Access for cost and usage data. (Maximum 128 characters. Use alphanumeric and '+=,.@-_' characters.)  A sample of the name and description is illustrated below.

12.  Click Create Role

13.  Click on the recently created Role Name to access Summary Screen

14.  From the summary page, using the icon located on the left of the Role ARN value, copy the ARN name (as illustrated as item 4 in the screenshot below).



15.  Back in StreamOne Ion, paste the Role ARN value in the Role ARN dialog box (see below)

16.  Click the "Not Checked/Check Now" action function to confirm role validates in the platform. Once the green Verified status appears, click "Save". If a red "No Access" message appears, please recheck the Role ARN value, making sure there is no space in front or behind the value when pasted. If the ARN Value is still not validating, please confirm the ReadOnlyAccess policy was properly created.


This screenshot shows a before and after view of the AWS Role ARN setting.

 

17.  Enter the Role description (optional)

18.  Save
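As an added example (not part of the original article or the platform's own tooling), the Python below builds the trust policy that steps 4 to 7 produce and audits a role's trust policy and the pasted Role ARN against this article's settings. Only the Account ID 328676173091 comes from the page; the function names, the external ID and the customer account number passed in are assumptions or constructed placeholders.

```python
import re

PLATFORM_ACCOUNT_ID = "328676173091"  # Account ID from step 6 of this article
# Role ARN as copied in step 14; assumes a console-created role with no path.
ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)")

def build_trust_policy(external_id):
    """Trust policy equivalent to steps 4-7: external ID required, no MFA condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{PLATFORM_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def audit_trust_policy(policy, external_id):
    """Return a list of findings; an empty list means the policy matches the article."""
    allow = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        return [f"expected exactly one Allow statement, found {len(allow)}"]
    findings, stmt = [], allow[0]
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    aws = [aws] if isinstance(aws, str) else (aws or [])
    expected = {f"arn:aws:iam::{PLATFORM_ACCOUNT_ID}:root", PLATFORM_ACCOUNT_ID}
    if not aws or any(p not in expected for p in aws):
        findings.append(f"principal not limited to account {PLATFORM_ACCOUNT_ID}: {aws}")
    cond = stmt.get("Condition", {})
    # Without the external ID check, anyone who learns the Role ARN could have
    # the trusted account assume it on their behalf (confused deputy).
    if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
        findings.append("sts:ExternalId condition missing or does not match")
    if any("aws:MultiFactorAuthPresent" in keys for keys in cond.values()):
        findings.append("MFA condition present; the article says to leave Require MFA off")
    return findings

def check_role_arn(pasted, customer_account_id):
    """Validate the value pasted into the platform's Role ARN field (step 16)."""
    if pasted != pasted.strip():
        return "leading or trailing whitespace"
    match = ROLE_ARN_RE.fullmatch(pasted)
    if not match:
        return "not an IAM role ARN"
    if match.group(1) != customer_account_id:
        return "ARN belongs to a different account"
    return "ok"
```

To audit a live role, pass audit_trust_policy the JSON shown on the role's Trust relationships tab in the IAM console.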


Part 3 - Accept the Link Request (Handshake)

The Operations team receives your link request. The link request is approved, and an email invitation is sent to the Root account owner via the 12-digit account number. 


TDS assumes financial responsibility for the account once the Root account owner accepts the linking request.  Link requests are valid for two weeks from the date they are sent. If an existing invitation expires without being accepted, a new invitation can be created.


From the Invitation email (sent under the AWS domain), the Root owner can:

(1) click the link to be directed to the AWS login screen; or

(2) Log into their AWS account and click My Account/Organization or click Consolidated billing to view the Invitation.  


Please Note: The actual email is not needed as the actual invitation is stored within the AWS account itself for 2 weeks.

*If the account owner experiences any issues with accepting the link invite to join the organization, please read: Troubleshooting AWS Link Invitations to a TDS Organization

 

Example of the AWS Link invitation is below:




When AWS accounts join the TD SYNNEX Organization (or management account), the billing data at the linked account level may not match the AWS console.  This variance is subjective, based on the primary features of Consolidated Billing and Blended Rates. Please read the StreamOne Ion Knowledge Base article: Explanation of AWS Shared Consolidation and Blended Rates. It is highly recommended that partners give the customer access to the Customer Portal.

For more information, please read the Knowledge Base article: How Do I Find the End-Customer Portal URL?



Part 4 - Create the Support Plan Group

For all AWS accounts, you will need to set the Support Plan Group to either Passthrough (for Basic and Developer Support) or Business Support (for accounts with AWS Business Support).

Please Note: Negative margins will appear in the billing reports if this step is skipped. Please read: Create a Support Plan Group. (A video tutorial is included at the end of the article. Watch the video through to the end. People often rush through the video and miss a step)




If further assistance is needed, please open a support ticket in the StreamOne Freshdesk System.