Setting up AWS credentials for Organization-level discovery in Cloud Discovery & Visibility - BlueCat Integrity - 26.1.0

Address Manager Administration Guide


After setting up a user or role with the AssumeRole permission for use by Cloud Discovery & Visibility (CDV) in Organization-level discoveries (see Deploying cross-account roles for AWS Organization-level Discovery), you can configure the appropriate credentials in CDV. Doing so will let you set up Organization-level Schedule managers and Visibility managers.

To configure AWS credentials for Organization-level discovery and visibility:

  1. If you haven't already done so, open the Credentials settings for the jobs that you're configuring:

    1. In CDV, click the Discovery tab (if the Discovery page isn't already open).

    2. In the Discovery or Visibility tab, tick the checkboxes for the managers whose credentials you want to edit. Then, at the top of the table, click Actions, then Update credentials.

      For more details on finding and filtering the list of jobs, see Searching, filtering, and viewing items in tables.

    Tip: Credentials settings are also available (along with other settings) when creating a new Discovery job. Click the Credentials tab if doing so.
  2. In the Discovery or Visibility tab, tick the checkboxes for the managers whose credentials you want to edit. Then, at the top of the table, click Actions, then Update credentials.

    For more details on finding and filtering the list of jobs, see Searching, filtering, and viewing items in tables.

    Tip: Credentials settings are also available (along with other settings) when creating a new Discovery or Visibility job. Click the Credentials tab if doing so.
  3. In the AWS Credentials section, make sure that Single credential is selected, then do one of the following:

    If CDV is not deployed on an EC2 instance:

    • In AWS Access Key ID, enter the access key ID for the user that CDV should use.

    • In AWS Secret Access Key, enter the secret access key for the user that CDV should use.

    If CDV is deployed on an EC2 instance:

    • Make sure that Use EC2 instance credentials is ticked. CDV should acquire authentication information from the VM automatically.

    In both cases, also do the following:

    • Make sure that Enable AWS role assumption is cleared, and that Discovery for Organization is ticked.

    • In Role name used for discovery organization, enter the name of the cross-account role that was created for discovery. Each account in the organization will assume this role during the discovery process.

      Tip: In earlier steps when creating this role, the suggested example name was cross-account-role.
    • In Role ARN used for operations of organizations, enter the ARN of the IAM role created in either the management or delegated administrator account. This role will be assumed by member accounts during organization discovery.

      Note: This field is optional. It is required only if you choose to run Discovery from a member account by assuming a role created in the management or delegated administrator account.

When you're done, you can run discovery on your system at the Organization level.
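
A pre-flight check for the role name entered above, as an added example that is not part of BlueCat's documentation or code: it confirms that the credentials CDV will use can assume the discovery role in each member account and reports the accounts where the call fails. It assumes the role was created without an IAM path; `sts_assume`, `preflight`, `fake_assume` and the `cdv-preflight` session name are hypothetical, and the account IDs are constructed.

```python
import re

ROLE_NAME_RE = re.compile(r"[\w+=,.@-]{1,64}", re.ASCII)  # IAM role-name charset
ACCOUNT_ID_RE = re.compile(r"\d{12}", re.ASCII)


def role_arn(account_id, role_name, partition="aws"):
    """Build the ARN of the discovery role in one member account."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    if not ROLE_NAME_RE.fullmatch(role_name):
        raise ValueError(f"not a valid IAM role name: {role_name!r}")
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"


def sts_assume(arn):
    """Real check: one AssumeRole call with the base credentials (needs boto3)."""
    import boto3  # imported lazily so the rest runs without the AWS SDK
    boto3.client("sts").assume_role(
        RoleArn=arn, RoleSessionName="cdv-preflight", DurationSeconds=900)


def preflight(account_ids, role_name, assume=sts_assume):
    """Return {account_id: None on success, or the error text on failure}."""
    results = {}
    for acct in account_ids:
        try:
            assume(role_arn(acct, role_name))
            results[acct] = None
        except Exception as exc:  # AccessDenied, missing role, malformed input
            results[acct] = f"{type(exc).__name__}: {exc}"
    return results


def fake_assume(arn):
    """Constructed stand-in for STS: only account 111111111111 trusts the caller."""
    if not arn.startswith("arn:aws:iam::111111111111:"):
        raise PermissionError(f"AccessDenied for {arn}")


if __name__ == "__main__":
    # Constructed account IDs; replace them with the organization's member
    # accounts and drop the fake_assume argument to call STS for real.
    accounts = ["111111111111", "222222222222"]
    for acct, err in preflight(accounts, "cross-account-role", fake_assume).items():
        print(acct, "OK" if err is None else f"FAILED ({err})")
```

Run it with the same access key or EC2 instance profile that CDV is configured to use, so the result reflects what discovery will see.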