  • WorkSpaces Manager Administration Guide for Version 6

Testing Multi-Accounts


Last updated 4 months ago

To verify that WorkSpaces Manager has access to resources in multiple accounts, we will need to use the AWS CLI.

First, install AWS CLI v2 on the WorkSpaces Manager server. The process is fully described at https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html. For Windows, from a PowerShell session with admin rights, run:

msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi

This will take 2-3 minutes to complete by following the installation wizard.

To confirm the installation, from a new command prompt or PowerShell session, run the command: aws --version

Since WorkSpaces Manager has an EC2 role assigned that grants it some permissions, from a new PowerShell window, we will run the command: aws s3 ls

To test this across multiple accounts, we need to modify the .aws/credentials file in our profile by running the command: aws configure

A menu will ask for some details:

  • AWS Access Key ID: keep blank
  • AWS Secret Access Key: keep blank
  • Default region name: use yours (in our case eu-central-1)
  • Default output format: json (recommendation)

This will create a new directory called .aws that can be seen with the commands:

ls
cd .aws
ls

We will edit the file by typing the command: notepad credentials

This will open the text editor for us to put the following:

[default]
region = eu-central-1
output = json

[remote]
role_arn = arn:aws:iam::222222222222:role/AllowWSMAccess
credential_source = Ec2InstanceMetadata

Please note that the role ARN used here is an example. It has to be replaced with the ARN of the real role to be assumed in the secondary account.

Verify the role with the command: aws sts get-caller-identity

Finally, check the permissions on the local account by running the command: aws s3 ls

And remotely: aws s3 ls --profile remote

If you receive a message that the role could not be assumed, review the steps above to ensure that everything is properly configured.
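The identity check above can be tightened by confirming that the identity returned for the remote profile really is the role named in role_arn, in the secondary account. The PowerShell below is an added example, not part of the original guide or of WorkSpaces Manager; the function name Test-AssumedRole and the sample JSON are constructed for illustration, and it assumes the standard get-caller-identity output for an assumed role.

```powershell
# Added example: Test-AssumedRole and the sample JSON below are constructed for illustration.
function Test-AssumedRole {
    param(
        [Parameter(Mandatory)] [string] $IdentityJson,  # JSON from: aws sts get-caller-identity --profile remote
        [Parameter(Mandatory)] [string] $RoleArn        # role_arn of the [remote] profile
    )
    # role_arn looks like arn:aws:iam::<account>:role/[path/]<name> (standard "aws" partition assumed)
    if ($RoleArn -notmatch '^arn:aws:iam::(\d{12}):role/(.+)$') {
        throw "role_arn is not an IAM role ARN: $RoleArn"
    }
    $expectedAccount = $Matches[1]
    $expectedRole    = ($Matches[2] -split '/')[-1]    # assumed-role ARNs omit the IAM path

    $id = $IdentityJson | ConvertFrom-Json
    $reason = $null
    # An assumed role is reported as arn:aws:sts::<account>:assumed-role/<name>/<session>
    if ($id.Arn -notmatch '^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/') {
        $reason = "not an assumed-role identity: $($id.Arn)"
    } elseif ($Matches[1] -ne $expectedAccount -or $id.Account -ne $expectedAccount) {
        $reason = "identity is in account $($id.Account), expected $expectedAccount"
    } elseif ($Matches[2] -cne $expectedRole) {
        $reason = "assumed role is $($Matches[2]), expected $expectedRole"
    }
    [pscustomobject]@{ Ok = ($null -eq $reason); Account = $id.Account; Arn = $id.Arn; Reason = $reason }
}

$roleArn = 'arn:aws:iam::222222222222:role/AllowWSMAccess'   # example ARN used in this guide

# Constructed sample: what the remote profile should return once the role is assumed.
$remoteOk = @'
{ "UserId": "AROAEXAMPLEID:botocore-session-0000000000",
  "Account": "222222222222",
  "Arn": "arn:aws:sts::222222222222:assumed-role/AllowWSMAccess/botocore-session-0000000000" }
'@
# Constructed sample: the local instance role in a different (made-up) account, i.e. no cross-account hop.
$localOnly = @'
{ "UserId": "AROAEXAMPLEID:i-00000000000000000",
  "Account": "111111111111",
  "Arn": "arn:aws:sts::111111111111:assumed-role/ExampleInstanceRole/i-00000000000000000" }
'@
Test-AssumedRole -IdentityJson $remoteOk  -RoleArn $roleArn   # matching account and role
Test-AssumedRole -IdentityJson $localOnly -RoleArn $roleArn   # flagged: identity is in another account

# Against the live configuration (replace $roleArn with the real role ARN first):
# Test-AssumedRole -IdentityJson (aws sts get-caller-identity --profile remote --output json | Out-String) -RoleArn $roleArn
```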

It is important to make sure that you also have visibility of directories and networks on the remote account. Verify it by running the command: aws workspaces describe-workspace-directories --query "Directories[*].Alias" --profile remote

Some other commands that are useful for verifying the connection to remote AWS accounts through assumed roles are:

  • List WorkSpaces in a table format (please use the right region):

aws workspaces describe-workspaces --region eu-central-1 --query "Workspaces[*].[WorkspaceId, UserName]" --profile remote --output table

  • List KMS key IDs:

aws kms list-keys --region eu-central-1 --query "Keys[*].KeyId" --profile remote --output table

Note that aws configure creates only a file called “config” in the .aws directory, so the “credentials” file edited above has to be created manually first, from inside that directory, with the command: New-Item credentials

https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html