As a Tanzu Hub organization owner or administrator, you can use the AWS account workflow to create the roles and connections required for this account.

Before you begin

  • To configure the account and collect data:
    • Verify that you have the ID for any Amazon Web Services accounts that you plan to set up. The account must have sufficient permissions to create an IAM role, run the connection script, and export access keys.
    • Verify the account by accessing it using your AWS console.
    • Install the AWS CLI or use AWS CloudShell. See the instructions in the AWS CLI documentation or AWS CloudShell documentation.
    • If you are associating the account with a Tanzu Hub project, verify that you created the project. For instructions, see Add projects.
  • To configure event monitoring for accounts so that you receive real-time alerts (insights or findings) about misconfigurations and vulnerabilities rather than waiting for the next scan:
    1. Set the following IAM policy so that you can export your AWS Access Key and the AWS Secret Access Key.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "sns:*",
                      "cloudtrail:*",
                      "cloudformation:*",
                      "events:*",
                      "iam:*",
                      "ec2:DescribeRegions"
                  ],
                  "Resource": "*"
              }
          ]
      }
    2. Enable AWS CloudTrail.
    3. Install the AWS CLI. See the instructions in the AWS CLI documentation.
    4. Export the AWS Access Key and the AWS Secret Access Key. See the instructions in the AWS environment variables documentation. To export the keys, the user must have access to AWS CloudFormation, AWS Events Rule, AWS SNS Topic, and AWS SNS Topic Policy.
  • Event streaming provides Tanzu Hub with real-time updates. When you configure event streaming, it is enabled for all your AWS regions. However, AWS charges you to manage the encryption keys. To manage your costs after you set up your AWS accounts in Tanzu Hub, you can continue the event streaming for your important regions and resources while deactivating the VMware event stream in the unused AWS regions.
  • To configure the elevated credentials:
    • Install the AWS CLI. See the instructions in the AWS CLI documentation.
    • Create a VMware Cloud Services token.
      1. Open the User/Organization settings menu (top right, where your name and organization name appear) and click My Account.
      2. Click the API Tokens tab and click Generate a New API Token.
      3. Enter the Name, for example, Tanzu Hub.
      4. Set the Token TTL to never expires.
      5. In the Define Scope section, select the following roles.

        You must have the following roles assigned to you in your organization before you can configure the token.

        • Navigate to Organization Roles > All Organization Roles and select the Organization Owner role.
        • Search for Tanzu Hub and select the Tanzu Hub Admin role.
        • Search for Secure State and select the Secure State Admin role.
      6. Click Generate.
      7. Copy and save the token for use as you configure the account.

Add a single AWS account

Use this workflow to add a single account. This process is useful if you do not have many AWS accounts that you want to manage. If you are new to Tanzu Hub, it is a useful way to explore how Tanzu Hub can help you manage your resources.

  1. In Tanzu Hub, select Administration > Set Up and Configure > Accounts and click New Accounts.
  2. Click Amazon Web Services, select Single account, and click Continue.
    Select the Single account or Organization as the onboarding method.
  3. In the Account Information section, enter useful account information.
    On the Account Information page, you provide a name and your AWS account ID.
    1. Enter the name and your Account ID.
    2. If you work with projects, select one or more Tanzu Hub projects that you are associating with the AWS account.
    3. You can use Environment to add descriptive metadata to accounts that are used by some features in Tanzu Hub.

      For example, if you add and select environments such as prod, dev, and test, you can then apply governance policies to a particular environment. You can then search based on environment and even apply a policy to the resources in your production environment but not development or testing.

    4. Enter the owner name and email address.
    5. Click Next.
  4. In the Connect Account section, follow the on-screen steps to configure the least-privilege role in your AWS account and update this page with the IAM Role ARN and the External ID.

    The steps that are provided in the UI are repeated in this procedure for your convenience.

    Figure: The AWS Connect Account section in Tanzu Hub with the IAM Role ARN text box populated with the value from AWS.
    1. Open a browser tab and log in with the account that you are creating the read-only role for.
    2. In step 1, click Create AWS IAM Role.

      The Another AWS account workflow begins in AWS.

      In most cases, you do not need to change the values on the Specify accounts that can use this role page.

      Click Next: Permissions.

    3. Locate and select the SecurityAudit policy.

      Click Next: Tags.

    4. Tags are optional. Click Next: Review.
    5. Review the Role name and ensure uniqueness.
    6. Click Create role.
    7. In the IAM Roles list, click the role name. For example, TanzuHub.
    8. On the role summary page, copy the ARN so that you can paste it in the IAM Role ARN in the Connect Account form in Tanzu Hub.
    9. In the Connect Account section, paste the ARN in the IAM Role ARN text box.
    10. Click Save Account and Continue.
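    To confirm that the role you just created trusts only Tanzu Hub and requires the External ID shown on the Connect Account page, the following added example (Python, not code from Tanzu Hub or AWS) audits the trust policy that aws iam get-role returns. The account ID 111111111111 and the external ID are constructed placeholders; substitute the values the Connect Account page displays. The good and bad trust policies embedded below are constructed samples.

```python
import json
from typing import Any

# Constructed placeholders (assumptions, not values from the Tanzu Hub page):
# the account Tanzu Hub assumes the role from and the External ID it shows
# on the Connect Account page. Replace both with the values displayed there.
EXPECTED_PRINCIPAL_ACCOUNT = "111111111111"
EXPECTED_EXTERNAL_ID = "example-external-id-0000"

# Constructed sample: the AssumeRolePolicyDocument the AWS console produces
# for "Another AWS account" with the external ID option enabled.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0000"}},
        }
    ],
}

# Constructed sample of a trust policy that should fail the check: any
# account may assume the role and no External ID is required.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal: Any) -> list[str]:
    """Return the account IDs (or '*') referenced by a statement's Principal."""
    if principal == "*":
        return ["*"]
    entries = principal.get("AWS") if isinstance(principal, dict) else principal
    accounts = []
    for entry in _as_list(entries):
        if isinstance(entry, str) and entry.startswith("arn:aws:iam::"):
            accounts.append(entry.split(":")[4])  # arn:aws:iam::<account>:root
        else:
            accounts.append(str(entry))
    return accounts


def audit_trust_policy(doc: dict, principal_account: str, external_id: str) -> list[str]:
    """Return findings for the collection role's trust policy; [] means it matches expectations."""
    findings: list[str] = []
    saw_assume_role = False
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        saw_assume_role = True
        for acct in _principal_accounts(stmt.get("Principal", {})):
            if acct == "*":
                findings.append(f"statement {i}: principal '*' lets any AWS account assume the role")
            elif acct != principal_account:
                findings.append(f"statement {i}: unexpected principal account {acct}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy protection missing)")
        elif ext != external_id:
            findings.append(f"statement {i}: sts:ExternalId {ext!r} does not match the value Tanzu Hub displayed")
    if not saw_assume_role:
        findings.append("no Allow statement grants sts:AssumeRole; Tanzu Hub cannot use this role")
    return findings


def audit_get_role_output(raw_json: str, principal_account: str, external_id: str) -> list[str]:
    """Audit the JSON printed by `aws iam get-role --role-name <name>` (the CLI decodes the document)."""
    role = json.loads(raw_json)["Role"]
    return audit_trust_policy(role["AssumeRolePolicyDocument"], principal_account, external_id)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        result = audit_trust_policy(doc, EXPECTED_PRINCIPAL_ACCOUNT, EXPECTED_EXTERNAL_ID)
        print(label, "->", result or "OK")
```

    In practice, pipe the output of aws iam get-role --role-name TanzuHub into audit_get_role_output. An empty findings list means the role can only be assumed from the expected account and only with the External ID that Tanzu Hub generated for this onboarding.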
  5. In the Account Onboarding section, enable event monitoring.

    To configure event stream, which provides updates about security findings for this cloud account, you must configure AWS so that you can run a connection script. See the prerequisites at the beginning of this procedure.

    The connection script adds a policy with the following permissions and assigns the policy to the role you created in the previous section.

    • cloudwatch:GetMetricData and cloudwatch:ListMetrics. These permissions are required to collect metrics.
    • ce:GetCostAndUsage and ce:GetCostForecast. These permissions are required to collect cost information.

    In addition to the collection permissions, the SecurityAudit policy-based role permits AWS CloudTrail to send real-time updates to Tanzu Hub.

    The steps that are provided in the UI are repeated in this procedure for your convenience.

    Figure: The Account Onboarding page provides the AWS configurations so that you can run the Connect Event Stream script in step 4.
    1. In AWS, ensure that your AWS CloudTrail is turned on.
    2. Install the AWS CLI.

      Instructions are available through the link on the page or in the AWS documentation.

    3. Export the Access Key and the Secret Access Key.

      Instructions are available through the link on the page or in the AWS documentation.

    4. Run the command to download and run the script that creates a CloudFormation stack with the required configurations.
    5. Launch AWS CloudShell and upload the script.
    6. Enter the IAM role that you created for this connection.

      For example, TanzuHub.

    7. Run the script.
    8. After the script runs successfully, return to Tanzu Hub and click Next.

      As a free tier user, you can collect data from two accounts. Paying users can configure the full management capabilities for their AWS accounts.

  6. In the Configure elevated access section, follow the on-screen steps to configure the elevated access role and the two policies that define the permissions. The steps that are provided in the UI are repeated in this procedure for your convenience.

    The command creates a role, for example, TanzuHubElevatedAccess, and adds two policies that contain the minimum IAM privileges required to allow you to make changes to the AWS account resources from Tanzu Hub. For example, responding to a governance finding to get a resource back in compliance with a policy.

    Figure: The Configure elevated access page provides the AWS script that you can run in the command line to configure the elevated user role and policies.
    1. Verify that you installed the AWS CLI.
    2. In the terminal where you use the AWS CLI, run export CSP_REFRESH_TOKEN={CSP token} to set the token variable.

      The {CSP token} is the VMware Cloud services token that you created as part of the prerequisites for this procedure.

    3. Select one or more projects to apply the elevated credentials to.
    4. Enter an AWS role name to associate with the credentials.
    5. Generate the script and, using the AWS CLI, run the provided curl command.
    6. After you run the command, verify in AWS that the TanzuHubElevatedAccess role exists for the account and select the confirmation check box.

      If you receive an error message about AWS being unable to locate the credentials, try running aws configure.

    7. Click Save and Finish.
  7. On the Accounts page, verify that the data source is added, the Status is OK, and the Event Monitoring state is Connected.

The collection might take up to thirty minutes before you see data. To monitor the process, select Explore > Inventory.

Add multiple AWS accounts

While you can continue to add cloud accounts one at a time with the single account method, it becomes tedious in enterprise environments.

Onboarding accounts using the organization method allows you to add multiple accounts with whatever level of management you want. However, you can only onboard 100 accounts at a time before you must run the organization onboarding for the next 100 accounts.

When using this procedure, you can refer to the images and more detailed information in the single account section. While the order is slightly different, the process is the same.

Be sure to use the scripts on the pages in this procedure. They are customized each time you onboard the resources. Do not reuse scripts from previous onboarding actions.

  1. In Tanzu Hub, select Administration > Set Up and Configure > Accounts and click New Accounts.
  2. Click Amazon Web Services, select Organization (member accounts), and click Continue.
    To add multiple accounts, start by adding the organization root account and then configure the collected member accounts.
  3. To add the organization root account, click Start in the Add organization step.
    1. On the Add Account page, enter the root account ID for the member accounts that you are adding.

      The root account is required here so that Tanzu Hub can collect the member accounts that you want to manage.

    2. Complete the form and click Next.

      If you have not added an account before, see the step in the previous single account section for this step and the others that follow for additional details.

    3. On the Connect Account page, follow the on-screen instructions for adding the read-only collection IAM role for the root account and click Save Account and Continue.

      When you click Save, Tanzu Hub uses the collection role to discover the member accounts so that you can choose the ones you want to manage.

    4. On the Configure the Event Monitoring page, if you want to get real-time event reporting in Tanzu Hub for the root account, follow the on-screen instructions to enable event monitoring.
    5. On the Configure Elevated Access page, if you want to allow Tanzu Hub users and workflows to make changes to your root account, follow the on-screen instructions to add the role and the two IAM privilege policies.
    6. Click Save and Finish.
  4. To add the multiple member accounts associated with the root account, the next steps require you to select the accounts in each of the following sections.

    The ability to select individual member accounts for each onboarding step allows you to be selective about how you want to use Tanzu Hub to manage various member accounts.

    Table 1. Additional wizard steps

    Step: Add Member Accounts
    Procedure: Select the accounts that you want to collect data from and configure the IAM read-only role on each as a bulk action.
      1. Select the member accounts.
      2. Configure the IAM read-only collection role.
      3. Edit account properties, including assigning accounts to one or more projects.

        Projects are used to manage access.

      4. Onboard the accounts.

    Step: Configure Event Monitoring
    Procedure: Select the accounts that you want to collect real-time event data from and configure the event monitor.
      1. Select the member accounts.
      2. Configure the event monitoring.

    Step: Configure Elevated Access
    Procedure: Select the accounts that you want to manage and configure the elevated credentials.
      1. Select the member accounts.
      2. Install the AWS CLI.
      3. In the terminal where you use the AWS CLI, run export CSP_REFRESH_TOKEN={CSP token} to set the token variable.

        The {CSP token} is the VMware Cloud Services token that you created as part of the prerequisites for this procedure.

      4. Run the provided curl command.
      5. Verify in AWS that the TanzuHubElevatedAccess role exists for each account.
      6. Add one or more projects.
  5. Click Save and Finish.
  6. On the Accounts page, verify that the accounts that you added are included in the table as individual entries.

What to do next

  • The collection might take up to thirty minutes before you see data. To monitor the process, select Explore > Search and click the Inventory tab. See Reviewing your discovered inventory.
  • If you need to make changes to an AWS account, select Administration > Set Up and Configure > Accounts, expand the details for the target account, and click Edit Account or edit the individual account properties.