WorkSpaces Manager can manage WorkSpaces within different AWS accounts from the same console.

Step 1: In Account A (the main account where the WorkSpaces Manager instance resides)

Make a note of the following:
• The account number of Account A (where your WorkSpaces Manager instance resides). For this example, we will refer to it as 111111111111
• The account number of Account B (where your other WorkSpaces reside that you want to manage). For this example, we will refer to it as 222222222222
• The IAM role that is associated with your WorkSpaces Manager in Account A. When deployed via CloudFormation, the name will be similar to CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX. If it was deployed manually, it may have a different name, for example WSMRole-XXXXXX.
• The Instance ID of your WorkSpaces Manager. For this example, we will refer to it as i-99999999999999999

1. Create a new IAM policy in the master account (Account A, 111111111111) that lets WorkSpaces Manager reach the second account (Account B, 222222222222), and call it ‘WSMAllowRemoteAccessPolicy’. The policy JSON is:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:Describe*",
        "cloudwatch:GetDashboard",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricWidgetImage",
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:DescribeKey",
        "sts:AssumeRole",
        "appstream:*",
        "ce:*",
        "pricing:*",
        "workspaces:*"
      ],
      "Resource": [
        "*",
        "arn:aws:iam::222222222222:role/AllowWSMAccess"
      ]
    }
  ]
}

2. In the master account, find the role/instance profile attached to the WSM EC2 instance and edit it so that it also includes the new IAM policy ‘WSMAllowRemoteAccessPolicy’.


Step 2: In Account B (where there are WorkSpaces to be managed by WorkSpaces Manager in another account)

1. Create a new IAM policy in the second account (Account B, 222222222222) that gives WSM access to the services it needs there. Call it ‘WSMPortalPolicy’. The policy JSON is:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:GetDashboard",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:DescribeAlarms",
        "logs:*",
        "sts:GetAccessKeyInfo",
        "sts:GetSessionToken",
        "sts:GetServiceBearerToken",
        "sts:GetCallerIdentity",
        "ce:*",
        "kms:*",
        "pricing:*",
        "workspaces:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:GetFederationToken"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX",
        "arn:aws:iam::222222222222:role/AllowWSMAccess"
      ]
    }
  ]
}

2. Create a new IAM policy in the second account (Account B, 222222222222) that allows WSM to assume a role remotely. Call it ‘WSMPortalIAMPolicy’. The policy JSON is:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX",
        "arn:aws:sts::111111111111:assumed-role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX/i-99999999999999999"
      ]
    }
  ]
}

3. Create a new IAM policy in the second account (Account B, 222222222222) that gives WSM read-only access to S3. Call it ‘WSMPortalS3Policy’. The policy JSON is:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketVersioning",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:GetFederationToken"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX",
        "arn:aws:iam::222222222222:role/AllowWSMAccess"
      ]
    }
  ]
}

4. Create an IAM role called ‘AllowWSMAccess’ with ‘AWS account’ as the trusted entity type, and attach the policies ‘WSMPortalPolicy’, ‘WSMPortalIAMPolicy’ and ‘WSMPortalS3Policy’ that we created above.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
        "arn:aws:sts::111111111111:assumed-role/WSM320-YourWSMRole/i-99999999999999999"
      ]
    }
  ]
}

5. Go to the ‘AllowWSMAccess’ IAM role, select ‘Trust Relationships’ and then ‘Edit Trust Policy’. Insert this JSON and select ‘Update Policy’.


{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:root",
          "arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX",
          "arn:aws:sts::111111111111:assumed-role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX/i-99999999999999999"
        ],
        "Service": [
          "workspaces.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
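Steps 1 and 2 together build a cross-account chain: the WSM instance role in Account A must be allowed to call sts:AssumeRole on AllowWSMAccess, and the trust policy on AllowWSMAccess in Account B must name that role as a principal. The script below is an added example, not WorkSpaces Manager code, that checks both halves statically before you test in the console. It embeds abbreviated copies of the page's ‘WSMAllowRemoteAccessPolicy’ and the AllowWSMAccess trust policy (the placeholder account numbers, role name and instance ID are the ones used on this page), and a scoped variant of the Account A policy that I suggest as a tightening: the page's version grants sts:AssumeRole on "*", so the WSM instance can assume any role anywhere that trusts it, whereas the variant limits sts:AssumeRole to the one AllowWSMAccess role. It also reports that the trust policy names the Account A root, which means any identity in Account A that has sts:AssumeRole permission (not only the WSM role) can assume AllowWSMAccess.

```python
# Added example (not WorkSpaces Manager code): static checks for the Step 1 / Step 2
# cross-account IAM chain. Account IDs, role name and instance ID are this page's placeholders.
import fnmatch
import json

ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
WSM_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX"
REMOTE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/AllowWSMAccess"

# Step 1, item 1 (abbreviated action list): identity policy on the WSM role in Account A.
WSM_ALLOW_REMOTE_ACCESS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["cloudwatch:Describe*", "cloudwatch:GetMetricData", "kms:DescribeKey",
               "sts:AssumeRole", "appstream:*", "ce:*", "pricing:*", "workspaces:*"],
    "Resource": ["*", "arn:aws:iam::222222222222:role/AllowWSMAccess"]
  }]
}""")

# Step 2, item 5 (AWS principals only): trust policy on AllowWSMAccess in Account B.
ALLOW_WSM_ACCESS_TRUST_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [
      "arn:aws:iam::111111111111:root",
      "arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX",
      "arn:aws:sts::111111111111:assumed-role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX/i-99999999999999999"]},
    "Action": "sts:AssumeRole"
  }]
}""")

# Suggested tightening (my variant, not the page's): same read actions on "*", but
# sts:AssumeRole restricted to the single remote role.
SCOPED_REMOTE_ACCESS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:Describe*", "cloudwatch:GetMetricData", "kms:DescribeKey",
                "appstream:*", "ce:*", "pricing:*", "workspaces:*"]},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::222222222222:role/AllowWSMAccess"}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and '*' is a wildcard (e.g. cloudwatch:Describe*)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def assume_role_resources(policy):
    """Resources on which Allow statements grant sts:AssumeRole."""
    resources = set()
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(_action_matches(a, "sts:AssumeRole") for a in actions):
            resources.update(_as_list(stmt.get("Resource", [])))
    return resources


def grants_assume_role(policy, role_arn):
    """True if the holder of this identity policy may call sts:AssumeRole on role_arn."""
    resources = assume_role_resources(policy)
    return "*" in resources or role_arn in resources


def assume_role_is_scoped(policy):
    """False when sts:AssumeRole is allowed on '*' (any role that trusts the caller)."""
    return "*" not in assume_role_resources(policy)


def trusted_aws_principals(trust_policy):
    """AWS principals permitted to assume the role by its trust policy."""
    principals = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") == "Allow" and any(
                _action_matches(a, "sts:AssumeRole") for a in _as_list(stmt["Action"])):
            principals.update(_as_list(stmt["Principal"].get("AWS", [])))
    return principals


def trusts_whole_account(trust_policy, account_id):
    """True if the account root is a principal: any identity in that account with
    sts:AssumeRole permission can then assume the role, not just the WSM role."""
    return f"arn:aws:iam::{account_id}:root" in trusted_aws_principals(trust_policy)


def wildcard_actions(policy):
    """Allowed actions containing '*'; each needs a least-privilege justification."""
    return sorted({a for s in policy["Statement"] if s.get("Effect") == "Allow"
                   for a in _as_list(s.get("Action", [])) if "*" in a})


def check_chain(identity_policy, trust_policy):
    """Summarise whether Account A's WSM role can reach Account B's AllowWSMAccess role."""
    return {
        "a_can_call_assume_role": grants_assume_role(identity_policy, REMOTE_ROLE_ARN),
        "b_trusts_wsm_role": WSM_ROLE_ARN in trusted_aws_principals(trust_policy),
        "b_trusts_whole_account_a": trusts_whole_account(trust_policy, ACCOUNT_A),
        "assume_role_scoped_in_a": assume_role_is_scoped(identity_policy),
        "wildcard_actions_in_a": wildcard_actions(identity_policy),
    }


if __name__ == "__main__":
    print(json.dumps(check_chain(WSM_ALLOW_REMOTE_ACCESS_POLICY, ALLOW_WSM_ACCESS_TRUST_POLICY), indent=2))
    print(json.dumps(check_chain(SCOPED_REMOTE_ACCESS_POLICY, ALLOW_WSM_ACCESS_TRUST_POLICY), indent=2))
```

Run it against your own policy JSON by replacing the embedded documents; if "a_can_call_assume_role" or "b_trusts_wsm_role" is false, the portal's AssumeRole call into Account B will be denied regardless of what the other policies grant. The "Service" principals from the page's trust policy are omitted here because they do not affect the role-to-role check.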

Step 3: Configure WorkSpaces Manager in your main account (Account A)

Configure the WorkSpaces Manager Portal to accept the new account. Go to Options > Settings > Additional Options and set ‘Multiple account’ to ‘On’.

In the left-hand pane, you will now see a Multi AWS Account option with your root (master) WorkSpaces Manager account already filled in.

To add Account B, select the ‘+’ and enter the details for the AWS account:
• AD Integrated – Your WorkSpaces can be either domain joined or non-domain joined. If they are domain joined, select this.
• WorkSpaces – WorkSpaces are viewable and enabled in this account. Select this.
• AWS Cost Optimiser – Select this.
• Cost Optimiser Bucket – The S3 bucket that holds the Cost Optimiser data in Account B.
• Access Log Group – Leave blank for now.
• AppStream and AppStream Bucket – Leave these as they are.

Your new account will now appear in the list. Up to 10 accounts are shown per page; select ‘Next’ to see any further accounts.
