Navigation Menu: Customers
Overview
This article explains in detail how to add (or link) an existing AWS account to a customer profile in the platform. Linked accounts may also be referred to as "member" accounts.
You need to obtain the following information from your customer:
- 12-digit AWS Account number (Required)
- The Root email address (Optional)
- AWS Support Type:
  - Business Level Support (BLS)
  - Developer
  - Basic/No Support (Free)
Linking existing AWS accounts requires the Root AWS account owner or a user with IAM Full Administrator access.
Definitions:
Root User: When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account Root User and is accessed by signing in with the email address and password used to create the account. When you create a new account, you are required to set up a payment method. Typically, it is a credit card.
Standalone Account: An AWS standalone account means a single AWS account that is not attached (linked) as a member account under a Management Account.
Member Account: A standard AWS account that is part of the organization. Member accounts are not the management accounts but are part of the consolidated structure. Important: A member account must leave the current organization in order to join the TDS organization. Please open a support ticket if assistance is needed before removing your account from the current organization.
Management Account: Also referred to as the master payer account (MPA), this is where the AWS Organizations features for consolidated billing are configured and controlled. The management account holds the payment method for all member (or linked) accounts. The StreamOne Ion Ops team sends linking requests from our Management Account through the AWS Organizations feature, using the 12-digit AWS account number. AWS then sends an alert email to the root account owner. AWS Organizations is an account management service that enables the consolidation of multiple AWS accounts into an organization for central management purposes. Important! We cannot link management accounts in StreamOne Ion without a CTA (Consent to Assign). Please contact your Cloud Sales Rep for more information about CTAs.
The table below represents a list of activities between the cloud platform and the AWS console:
Activity | Responsible Party | Work completed in... |
Add AWS Account Number | Reseller or Customer (if Customer Portal is provisioned) | Platform |
Setup Role ARN (ReadOnlyAccess) | AWS Account Owner | AWS Console |
Add the ARN role to the account profile on the platform. | Reseller or Customer (if Customer Portal is provisioned) | Platform |
Send a linking request. | TD SYNNEX, Cloud Ops Team | AWS Console |
Accept the linking request. | AWS Account Owner | AWS Console |
Configure Support Settings (if applicable, notify the ION Ops team if Business Level Support is currently enabled or needed for new account requests) | Reseller | Platform |
Configure AWS Pricebook (MSRP or Custom pricing) | Reseller | Platform |
Important!
This article assumes you have read the Discovery Questions for Customers with Existing AWS Accounts to address any possible account link issues prior to adding the account in the platform. To ensure a positive customer experience, do not link AWS accounts prior to reviewing the pre-qualifying questions with your customers.
For accounts under a shared consolidated management account, be sure to read, understand, and communicate to your customers the article Explanation of AWS Shared Consolidation and Blended Rates.
When AWS accounts join or new accounts are created, the AWS billing console will no longer be the source of billing information. We strongly encourage our AWS resellers to provide your customers with access to your Customer Portal to view accurate customer pricing. Please read the Knowledge Base article, How Do I Find the End-Customer Portal URL?
Part 1: Add existing AWS account (Reseller's actions)
To add an existing AWS account, follow these steps:
1. Log into the platform and select the Customers menu
2. Select the customer from the list (to whom you want to add the AWS account), then click Edit or double-click to load the profile and see menu options
3. Click Cloud Billing
4. Click Cloud Provider - If the AWS Pricebook is listed, go to the next step. If the AWS Pricebook is blank, click ADD to select the Amazon Web Services pricebook. (Amazon Web Services Master Pricebook = MSRP for Customer Cost).
5. Click the drop-down arrow next to Amazon Web Service, then click Amazon Web Services Master Pricebook, then click Edit.
6. Check the box next to Enable Provider in the Customer Portal, then click Save.
- Ignore the "Pass RI optimization to customer". This feature is not available.
7. Click Cloud Accounts
8. Click Add. The Cloud Account dialog box displays. Complete the fields below:
(1) Select Amazon Web Services from the drop-down list
(2) Pick New Account and enter the 12-digit AWS account number (required)
(3) Optional: add the root email address for the AWS account. If you do not know the email address, you can skip this step
(4) Setting should remain as Resale
(5) Optional: This option is used to set custom pricing by cloud account. You can select the default pricebook, pick a custom pricebook, or leave it blank (which assumes the default pricebook). The default pricebook is set under the Cloud Provider menu option
(6) Click Save
(7) Once saved, the Create IAM Role window displays. To continue, follow the instructions on the screen. To complete this step at a later time, click Later.
Part 2: Create IAM Role (ReadOnlyAccess)
Tip: We recommend you use two browsers to toggle between the AWS Console and the platform. When you complete the setup of the read-only access role in the AWS console, you paste the role ARN name in a specific field in the platform.
The Create IAM Role instruction window displays at the time you add the account. The instructions in this window are completed in the AWS console.
(1) If you have access to the AWS account, please log into AWS console IAM screen to complete the next steps.
(2) If you do not have access, click Later
When you return to add the role (after the account was initially added), you can see the instructions by selecting the account from the list and double-clicking to open the Cloud Account dialog box. Scroll to the bottom to view the options. Click ROLE ARN
Note: Root access is not a requirement for a user to create a read-only role; it depends on the IAM user's access rights.
Specific Items to note in this instruction window are:
(1) The Cross Account ID is standard for all AWS accounts linked in ION
(2) The External ID number is unique to each account linked in ION
(3) The platform requires the Role ARN name in this field.
(4) If the role was created correctly, the 'Verified' status will display in green (as shown in the image here).
(5) A description of the role of the ARN is not required
(6) Click Save
An AWS read-only access role allows for enhanced reporting features in the platform. Here are the steps to credential the account:
For the full instructions and video tutorial, please read the article: How to Create the Role ARN for AWS Accounts. Here's a video tutorial that walks you through the steps: How to Create an AWS Role ARN for Platform Use.
1. Login to the Amazon IAM console
2. Select Roles
3. Click Create Role
4. Click AWS Account
5. Select Another AWS Account
6. Enter the Account ID: 328676173091
7. Under Options, check the box next to Require external ID
Enter the External ID: CA****** (This ID number is unique to each AWS account.)
DO NOT toggle on the "Require MFA" feature.
8. Click Next
9. Search for the "ReadOnlyAccess" policy and check the box next to ReadOnlyAccess
Optional: To enable the policy for the Security and Compliance Report, in the policy list, search for AWSSupportAccess and check the box on the left. Business Support is required for this report. For more information, please read the Knowledge Base article: AWS Security and Compliance Report.
10. Enter a Role Name. Example: IONReadOnly (Maximum 128 characters). (Use alphanumeric and '+=,@-_' characters.)
11. Enter a Description. Add a brief explanation for this policy. Example: Cloud Platform Read-Only Access for cost and usage data. Maximum of 128 characters. (Use alphanumeric and '+=,.@-_' characters.) A sample of the name and description is illustrated below.
12. Click Create Role
13. Click on the recently created Role Name to access the summary screen.
14. From the summary page, using the icon located on the left of the Role ARN value, copy the ARN name (as illustrated as item 4 in the screenshot below).
15. Back in StreamOne Ion, paste the Role ARN value in the Role ARN dialog box (see below)
16. Click the "Not Checked/Check Now" action function to confirm role validation in the platform. Once the green Verified status appears, click "Save". If a red "No Access" message appears, please recheck the Role ARN value, making sure there is no space in front or behind the value when pasted. If the ARN Value is still not validating, please confirm the ReadOnlyAccess policy was properly created.
This screenshot shows a before and after view of the AWS Role ARN setting.
17. Enter the Role description (optional)
18. Save
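The console steps above produce a cross-account role whose trust policy names account 328676173091, requires the external ID, and carries no MFA condition. The Python sketch below is an added example, not platform or AWS code: it builds that trust policy and checks a Role ARN and trust policy against this article's requirements, including the stray-whitespace case from step 16. The external ID `CA-PLACEHOLDER` and customer account `111122223333` are constructed placeholders, and `build_trust_policy` and `check_role` are hypothetical helper names.

```python
import json
import re

PLATFORM_ACCOUNT_ID = "328676173091"  # Account ID entered in step 6 of this article
TRUSTED = {PLATFORM_ACCOUNT_ID, f"arn:aws:iam::{PLATFORM_ACCOUNT_ID}:root"}
# Role ARN without a path component (assumption: the role is created as in steps 10-12)
ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/([A-Za-z0-9_+=,.@-]+)")

def build_trust_policy(external_id):
    """Trust policy matching steps 4-7: another AWS account, external ID, no MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{PLATFORM_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def check_role(role_arn, linked_account_id, trust_policy, external_id):
    """Return a list of problems; an empty list means the role matches the article."""
    problems = []
    if role_arn != role_arn.strip():
        problems.append("Role ARN has leading or trailing whitespace")
    m = ROLE_ARN_RE.fullmatch(role_arn.strip())
    if not m:
        problems.append("Role ARN is not arn:aws:iam::<12 digits>:role/<name>")
    elif m.group(1) != linked_account_id:
        problems.append("Role ARN is in a different account than the one linked")
    allows = [s for s in trust_policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allows:
        problems.append("Trust policy has no Allow statement")
    for s in allows:
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        cond = s.get("Condition", {})
        if not aws or any(p not in TRUSTED for p in aws):
            problems.append("Trust policy principal is not only the platform account")
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition is missing or does not match")
        if "aws:MultiFactorAuthPresent" in json.dumps(cond):
            problems.append("MFA condition present; step 7 says not to require MFA")
    return problems

if __name__ == "__main__":
    ext_id = "CA-PLACEHOLDER"  # constructed; the real External ID is shown per account
    policy = build_trust_policy(ext_id)
    print(json.dumps(policy, indent=2))
    print(check_role("arn:aws:iam::111122223333:role/IONReadOnly ", "111122223333", policy, ext_id))
```

The trust policy of an existing role can be exported from the role's Trust relationships tab in the IAM console and passed to `check_role` as parsed JSON.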
Part 3: Accept the Link Request (Handshake)
The Operations team receives your link request. The link request is approved, and an email invitation is sent to the Root account owner via the 12-digit account number.
TDS assumes financial responsibility for the account once the Root account owner accepts the linking request. Link requests are valid for two weeks from the date they are sent. If an existing invitation expires without being accepted, a new invitation can be created.
From the Invitation email (sent under the AWS domain), the Root owner can:
(1) click the link to be directed to the AWS login screen; or
(2) Log into their AWS account and click My Account/Organization or click Consolidated billing to view the Invitation.
FYI, the actual email is not needed as the actual invitation is stored within the AWS account itself for 2 weeks.
*If the account owner experiences any issues with accepting the link invite to join the organization, please read: Troubleshooting AWS Link Invitations to a TDS Organization
An example of the AWS Link invitation is below:
When AWS accounts join the TD SYNNEX Organization (or management account), the billing data at the linked account level will not match the AWS console. This variance results from the primary features of Consolidated Billing and Blended Rates. Please read the StreamOne Ion Knowledge Base article: Explanation of AWS Shared Consolidation and Blended Rates. It is highly recommended that partners give customers access to the Customer Portal.
For more information, please read the Knowledge Base article: How Do I Find the End-Customer Portal URL?
Part 4: Create the Support Plan Group
For all AWS accounts, you will need to set up the Support Plan Group to either Passthrough for Basic and Developer Support or Business Support for accounts with AWS Business Support.
Please Note: Negative margins will appear in the billing reports if this step is skipped. Please read: Create a Support Plan Group. (A video tutorial is included at the end of the article. Watch the video through to the end. People often rush through the video and miss a step.)
Highly recommended TDS training class: Setting Up and Managing your AWS Business on StreamOne Ion. This training will assist you in understanding how StreamOne Ion handles AWS business complexities, setting up your AWS business, understanding reports, and reconciling billing data. (This is partner-facing training.)
To submit a support request, in StreamOne Ion, click the "?" icon in the upper right menu bar or click the Support button in the menu. Alternatively, you can click Submit a ticket in the Knowledge Base. Fill out all mandatory fields, or read How to Use StreamOne Freshdesk to Submit and View Support Tickets for more information.