Register your Organization

As an organization manager you can easily apply for your organization to join RosettaHUB by submitting an application here: https://www.rosettahub.com/registration/institution.xhtml . RosettaHub can manage your organization's AWS, Azure and GCP accounts. Putting your root cloud accounts under the management of RosettaHUB allows for mass on-boarding to AWS, Azure and GCP for all members of your organization. The platform creates an individual cloud account for each member whilst allowing you to control costs and define budgets, permissions and limits on each cloud account. A RosettaHub cloud account maps to an AWS sub-account, an Azure resource group or a GCP project.

Organization Registration Process:

Pre-requisites for AWS Registration:

  • The organization owns an AWS account

  • The organization provides RosettaHub access to the root account through an AWS IAM role with the minimal IAM permissions required for billing, resource monitoring and managing permissions for sub-accounts through AWS Organizations SCPs.

  • Optionally, to provide federated access to the AWS sub-accounts, the root access role may create IAM roles with admin access on each sub-account. If a user consumes more than their allocated budget, an AWS SCP is applied to the account and to the federated role that blocks all actions that create AWS resources and allows only read-only and delete actions.

  • Optionally, for extra privileges that allow RosettaHub to take actions on AWS sub-accounts and delete AWS resources when necessary, the IAM role on the root account can assume a role with administrator privileges on each AWS sub-account.
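The over-budget SCP described above denies every action except read-only and delete actions. The following added example (not RosettaHUB's actual policy; the policy document and its NotAction patterns are a constructed illustration) shows how such a Deny/NotAction statement is evaluated, so an organization can reason about which API calls a federated user would still be able to make once the block is applied.

```python
"""Minimal evaluator for an over-budget SCP of the kind described above:
a single Deny statement whose NotAction list exempts read-only and delete
actions, so every other action (resource creation) is blocked.

Added example. The policy below is constructed for illustration and is not
RosettaHUB's real SCP; the service/action patterns are an assumption."""
import fnmatch
import json

# Constructed SCP: deny everything except read-only and delete actions for
# a handful of services. A real policy would list every service in use.
OVER_BUDGET_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockResourceCreationWhenOverBudget",
      "Effect": "Deny",
      "NotAction": [
        "ec2:Describe*", "ec2:Delete*", "ec2:Terminate*",
        "s3:Get*", "s3:List*", "s3:Delete*",
        "rds:Describe*", "rds:Delete*"
      ],
      "Resource": "*"
    }
  ]
}
""")


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' and '?' are wildcards, names are
    compared case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_denied_by_scp(action: str, scp: dict = OVER_BUDGET_SCP) -> bool:
    """Return True if any Deny statement in `scp` applies to `action`.

    A Deny with NotAction applies to every action NOT matched by the list;
    a Deny with Action applies to every action matched by the list.
    Resource and Condition are ignored: the over-budget SCP uses "*" and
    no conditions, so they do not change the outcome here."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            exempt = _as_list(stmt["NotAction"])
            if not any(_matches(p, action) for p in exempt):
                return True
        elif "Action" in stmt:
            if any(_matches(p, action) for p in _as_list(stmt["Action"])):
                return True
    return False


def classify(actions, scp: dict = OVER_BUDGET_SCP) -> dict:
    """Map each action to 'blocked' or 'not blocked by SCP'. Note that an SCP
    never grants permissions: 'not blocked' only means the identity's own IAM
    policies still decide."""
    return {a: ("blocked" if is_denied_by_scp(a, scp) else "not blocked by SCP")
            for a in actions}


if __name__ == "__main__":
    sample = ["ec2:RunInstances", "ec2:DescribeInstances",
              "ec2:TerminateInstances", "s3:PutObject", "s3:DeleteBucket"]
    for action, verdict in classify(sample).items():
        print(f"{action:25s} {verdict}")
```

Running the block prints the verdict for each sample action: creation calls such as ec2:RunInstances and s3:PutObject are blocked, while Describe, Terminate and Delete calls pass through the SCP. The evaluator deliberately models only the Deny statement, because that is all the over-budget block needs; allow-list SCPs with explicit Allow statements would require the full evaluation logic.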

Pre-requisites for Azure Registration:

  • The organization owns an Azure subscription

Pre-requisites for GCP Registration:

GCP Gcloud Setup

To give RosettaHub access to administer a GCP folder, the organization needs to execute the following commands, replacing folder_id with the RosettaHUB folder id and rh-email with the email address that has been communicated by RosettaHUB.

gcloud resource-manager folders add-iam-policy-binding folder_id --member="user:rh-email" --role="roles/owner"
gcloud resource-manager folders add-iam-policy-binding folder_id --member="user:rh-email" --role="roles/resourcemanager.projectCreator"
gcloud resource-manager folders add-iam-policy-binding folder_id --member="user:rh-email" --role="roles/resourcemanager.projectDeleter"
gcloud resource-manager folders add-iam-policy-binding folder_id --member="user:rh-email" --role="roles/resourcemanager.folderAdmin"

In order for RosettaHUB to manage users' access to GCP regions, the organization can grant these additional rights, replacing project_id with the project id communicated by RosettaHUB and org_id with the organization's GCP organization id:

gcloud organizations add-iam-policy-binding org_id --member="serviceAccount:administrator@project_id.iam.gserviceaccount.com" --role="roles/orgpolicy.policyAdmin"
gcloud organizations add-iam-policy-binding org_id --member="user:rh-email" --role="roles/orgpolicy.policyAdmin"
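After running the folder commands above, an organization will usually want to confirm that the RosettaHUB principal holds exactly the four folder roles and nothing else, and to see who else holds owner on that folder. The following added example (not part of the RosettaHUB documentation) audits the JSON printed by gcloud resource-manager folders get-iam-policy folder_id --format=json, whose structure is a top-level "bindings" list of {"role", "members"} objects; the sample policy, the member address user:rh-email@example.com and the folder id placeholder are constructed.

```python
"""Audit the folder IAM bindings granted to the RosettaHUB principal.

Added example, not RosettaHUB's own code. Input is the JSON document that
`gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json`
prints: {"bindings": [{"role": ..., "members": [...]}, ...], "etag": ...}.
The sample below is constructed; it is missing one expected role and carries
one stale extra binding so the check has something to report."""
import json

# The four roles the registration script grants on the folder.
EXPECTED_ROLES = {
    "roles/owner",
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.projectDeleter",
    "roles/resourcemanager.folderAdmin",
}

# Constructed sample output of get-iam-policy (not a real policy).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:rh-email@example.com",
                 "group:cloud-admins@example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:rh-email@example.com"]},
    {"role": "roles/resourcemanager.projectDeleter",
     "members": ["user:rh-email@example.com"]},
    {"role": "roles/billing.projectManager",
     "members": ["user:rh-email@example.com"]}
  ],
  "etag": "BwConstructedEtag="
}
"""


def roles_for_member(policy: dict, member: str) -> set:
    """All roles bound to `member` in the policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def members_with_role(policy: dict, role: str) -> list:
    """Every principal bound to `role`, e.g. to review who holds owner."""
    return sorted(m for b in policy.get("bindings", [])
                  if b["role"] == role for m in b.get("members", []))


def audit_member(policy: dict, member: str, expected=EXPECTED_ROLES) -> dict:
    """Compare the roles `member` actually holds with the expected set."""
    held = roles_for_member(policy, member)
    return {
        "ok": held == set(expected),
        "missing": sorted(set(expected) - held),
        "unexpected": sorted(held - set(expected)),
    }


def remediation_commands(audit: dict, folder_id: str, member: str) -> list:
    """gcloud commands (same form as the registration script) that add each
    missing role; unexpected roles are listed for review rather than removed
    automatically, since their removal should be a deliberate decision."""
    cmds = [f'gcloud resource-manager folders add-iam-policy-binding {folder_id} '
            f'--member="{member}" --role="{role}"' for role in audit["missing"]]
    cmds += [f"# review: {member} also holds {role}" for role in audit["unexpected"]]
    return cmds


if __name__ == "__main__":
    policy = json.loads(SAMPLE_POLICY_JSON)
    member = "user:rh-email@example.com"      # constructed placeholder
    result = audit_member(policy, member)
    print("audit:", result)
    print("owners on folder:", members_with_role(policy, "roles/owner"))
    for cmd in remediation_commands(result, "FOLDER_ID_PLACEHOLDER", member):
        print(cmd)
```

On the constructed sample the audit reports roles/resourcemanager.folderAdmin as missing and roles/billing.projectManager as unexpected, prints the add-iam-policy-binding command for the missing role, and shows that a second principal also holds owner on the folder. Run it against real output by replacing SAMPLE_POLICY_JSON with the gcloud JSON and the member with the address RosettaHUB communicated.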

If the organization wants to restrict all users to one region, the organization can simply enforce an organization policy for regions at the folder level and communicate the selected region to RosettaHUB.