WorkSpaces Manager can manage WorkSpaces within different AWS accounts from the same console.
7.1 Step 1: In Account A (the main account where the WorkSpaces Manager instance resides)
Make a note of the following:
• The account number of Account A (where your WorkSpaces Manager instance resides). For this example, we will refer to it as 111111111111
• The account number of Account B (where your other WorkSpaces reside that you want to manage). For this example, we will refer to it as 222222222222
• The IAM role that is associated with your WorkSpaces Manager in Account A. For this example, we will refer to it as WSM320-YourWSMRole (if deployed via CloudFormation, name can be similar to CF-WSM-WorkSpacesManagerRole-1XXXXXXXXXXXX)
• The Instance ID of your WorkSpaces Manager. For this example, we will refer to it as i-99999999999999999
1. On the IAM role that WorkSpaces Manager uses in Account A (WSM320-YourWSMRole), insert an inline policy which gives access to the second account where the WorkSpaces are. Call the inline policy ‘WSMAllowAccountBAccess’. It references the role in Account B, ‘AllowWSMAccess’, which we will be creating in the next section:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::222222222222:role/AllowWSMAccess"
    }
  ]
}
2. Insert another inline policy on the same role, again giving access to the second account where the WorkSpaces are. Call the inline policy ‘WorkSpacesManagerCloudwatchPolicy’ and insert this JSON.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:GetDashboard",
        "cloudwatch:GetMetricData",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarms",
        "workspaces:*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricWidgetImage",
        "ce:*"
      ],
      "Resource": [
        "*",
        "arn:aws:iam::222222222222:role/AllowWSMAccess"
      ]
    }
  ]
}
3. Insert another inline policy on the same role, again giving access to the second account where the WorkSpaces are. Call the inline policy ‘WorkSpacesManagerPricingPolicy’ and insert this JSON.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "pricing:*",
      "Resource": [
        "*",
        "arn:aws:iam::222222222222:role/AllowWSMAccess"
      ]
    }
  ]
}
4. Insert another inline policy on the same role, again giving access to the second account where the WorkSpaces are. Call the inline policy ‘WorkSpacesManagerCostExplorerPolicy’ and insert this JSON.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ce:*",
      "Resource": [
        "*",
        "arn:aws:iam::222222222222:role/AllowWSMAccess"
      ]
    }
  ]
}
7.2 Step 2: In Account B (where the WorkSpaces that you need to administer with WorkSpaces Manager reside)
1. In IAM, create a policy called ‘WorkSpacesManagerAdminPortal’ with the following JSON.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:GetDashboard",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:DescribeAlarms",
        "logs:*",
        "sts:GetAccessKeyInfo",
        "sts:GetSessionToken",
        "sts:GetServiceBearerToken",
        "sts:GetCallerIdentity",
        "workspaces:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:GetFederationToken"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
        "arn:aws:iam::222222222222:role/AllowWSMAccess"
      ]
    }
  ]
}
2. Create a role called ‘AllowWSMAccess’ and attach the policy ‘WorkSpacesManagerAdminPortal’ that you created above.
3. Attach an inline policy to the ‘AllowWSMAccess’ role and call it ‘WSMIAMPassPolicy’. Insert this JSON.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
        "arn:aws:sts::111111111111:assumed-role/WSM320-YourWSMRole/i-99999999999999999"
      ]
    }
  ]
}
4. Go to the ‘AllowWSMAccess’ role, select ‘Trust Relationships’ and then ‘Edit Trust Relationships’. Insert this JSON and select ‘Update Trust Policy’.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:root",
          "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
          "arn:aws:sts::111111111111:assumed-role/WSM320-YourWSMRole/i-99999999999999999"
        ],
        "Service": [
          "workspaces.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
5. Create a policy called ‘WSMS3Access’ with the JSON below and attach it to the ‘AllowWSMAccess’ role.
Replace ‘workspacescostoptimizer-costoptimizerbucket-1234567890123’ with the S3 bucket name of your WorkSpaces Cost Optimiser in Account B.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket-1234567890123",
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:GetFederationToken"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
        "arn:aws:iam::222222222222:role/AllowWSMAccess"
      ]
    }
  ]
}
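Steps 1 and 2 are the two halves of one sts:AssumeRole handshake: the role in Account A must be allowed to call AssumeRole on ‘AllowWSMAccess’, and the trust policy on ‘AllowWSMAccess’ in Account B must name that Account A role (or its account) as a principal. If either half is missing, WorkSpaces Manager cannot reach Account B. The script below is an added example, not part of WorkSpaces Manager or its CloudFormation templates: it checks both halves offline against the page's own policy JSON (using the placeholder account numbers, role names and instance ID from the page), and flags the two things a reviewer would want to see before approving the change, namely the account-wide ‘:root’ trust and any wildcard actions. The ‘MISWIRED_TRUST_POLICY’ with account 333333333333 is a constructed counter-example to show what a failed check looks like.

```python
import json

# Placeholders from the page: Account A hosts WorkSpaces Manager, Account B the WorkSpaces.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
WSM_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/WSM320-YourWSMRole"
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/AllowWSMAccess"

# Step 1.1: inline policy WSMAllowAccountBAccess on the Account A role (from the page).
ACCOUNT_A_ASSUME_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::222222222222:role/AllowWSMAccess"}]}
""")

# Step 2.4: trust policy on AllowWSMAccess in Account B (from the page).
ACCOUNT_B_TRUST_POLICY = json.loads("""
{"Version": "2008-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {
                  "AWS": ["arn:aws:iam::111111111111:root",
                          "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
                          "arn:aws:sts::111111111111:assumed-role/WSM320-YourWSMRole/i-99999999999999999"],
                  "Service": ["workspaces.amazonaws.com", "ec2.amazonaws.com"]},
                "Action": "sts:AssumeRole"}]}
""")

# Constructed counter-example (not from the page): trusts a different account,
# so the Account B half of the handshake fails for the WSM role.
MISWIRED_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
                "Action": "sts:AssumeRole"}]}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def caller_can_assume(identity_policy, target_role_arn):
    """Account A side: does the caller's identity policy allow sts:AssumeRole on the target role?"""
    for stmt in _allow_statements(identity_policy):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions) and \
           any(r in (target_role_arn, "*") for r in resources):
            return True
    return False


def trusted_aws_principals(trust_policy):
    """Account B side: every AWS principal ARN the trust policy lets call sts:AssumeRole."""
    arns = []
    for stmt in _allow_statements(trust_policy):
        if "sts:AssumeRole" in _as_list(stmt.get("Action")):
            arns.extend(_as_list(stmt.get("Principal", {}).get("AWS")))
    return arns


def trust_allows(trust_policy, caller_role_arn):
    """True if the caller role itself, or its whole account via :root, is a trusted principal."""
    account_id = caller_role_arn.split(":")[4]
    principals = trusted_aws_principals(trust_policy)
    return caller_role_arn in principals or f"arn:aws:iam::{account_id}:root" in principals


def wildcard_actions(policy):
    """Actions granted with a trailing '*' (e.g. workspaces:*); review these for least privilege."""
    return [a for s in _allow_statements(policy) for a in _as_list(s.get("Action")) if a.endswith("*")]


def check_handshake(identity_policy, trust_policy, caller_role_arn, target_role_arn):
    """Return (errors, warnings): errors break the AssumeRole call, warnings widen its reach."""
    errors, warnings = [], []
    if not caller_can_assume(identity_policy, target_role_arn):
        errors.append(f"caller policy lacks sts:AssumeRole on {target_role_arn}")
    if not trust_allows(trust_policy, caller_role_arn):
        errors.append(f"trust policy does not trust {caller_role_arn}")
    account_id = caller_role_arn.split(":")[4]
    if f"arn:aws:iam::{account_id}:root" in trusted_aws_principals(trust_policy):
        warnings.append(f"trust policy trusts all of account {account_id} via :root, not only the WSM role")
    for action in wildcard_actions(identity_policy):
        warnings.append(f"caller policy grants wildcard action {action}")
    return errors, warnings


if __name__ == "__main__":
    for name, trust in (("page trust policy", ACCOUNT_B_TRUST_POLICY), ("miswired", MISWIRED_TRUST_POLICY)):
        errors, warnings = check_handshake(ACCOUNT_A_ASSUME_POLICY, trust, WSM_ROLE_ARN, TARGET_ROLE_ARN)
        print(f"{name}: errors={errors} warnings={warnings}")
```

Run it before touching the console: with the page's policies it reports no errors and one warning about the ‘:root’ principal, which the trust policy includes alongside the specific role ARN; with the miswired trust policy it reports that Account B does not trust the WSM role. The same check_handshake call can be pointed at the CloudWatch, Pricing and Cost Explorer inline policies from Step 1 to list their wildcard actions (‘workspaces:*’, ‘ce:*’, ‘pricing:*’).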
7.3 Step 3: Configure WorkSpaces Manager in your main account (Account A)
Configure the WorkSpaces Manager Portal to accept the new account. Go to Options > Settings > Additional Options and set ‘Multiple account’ to ‘On’.
In the left-hand pane, you will now see a Multi AWS Account option with your root (Master) WorkSpaces Manager account already filled in.
To add Account B, select the ‘+’ and enter the details for the AWS account.
• AD Integrated – Your WorkSpaces can either be domain joined or non-domain joined. If they are domain joined, select this.
• WorkSpaces – WorkSpaces are viewable and enabled in this account. Select this.
• AWS Cost Optimiser – Select.
• Cost Optimiser Bucket – This is the S3 bucket that represents the Cost Optimiser location in Account B.
• Access Log Group – Leave blank here for now.
• AppStream option and AppStream Bucket – Leave these as they are.
Your new account will show up as below. Up to 10 accounts can show on one list; any more will be on the next page, which you can reach by selecting ‘Next’.