09-18-2020 04:55 AM
Greetings,
This is a lab environment. The cAPIC is deployed in one of the regions in AWS. The cAPIC is provisioned with the initial configuration and the dual CSRv(s) are up. The cAPIC is added as a site in the Cisco MSO. (The Cisco MSO is located in the on-prem environment.) The Infra configuration is provisioned with Multi-Site and additional configuration. The IPSec, OSPF and BGP sessions are up.
The next step is to create a Tenant. When creating a tenant with an AWS programmatic access key, it throws an exception that the Account ID is already used for the Infra Tenant.
Though, when adding the Infra Tenant, no programmatic access key was provided; only the cAPIC admin/<password> was provided.
As a workaround, a new sub-organization (for example: sub-org-a) was created under the main AWS account and the account ID of the sub-organization (sub-org-a) was used. At this point, the Tenant was created and pushed to both on-prem and cAPIC.
The question is whether there is any limitation that an AWS user account must count towards the root account (either the main organization or a sub-organization), and whether a tenant represents a single root user account in AWS?
09-18-2020 05:10 AM - edited 09-18-2020 05:24 AM
If you want to manage policies for AWS Organization accounts through the Cloud APIC, the Cloud APIC must be deployed in the master account.
The Cloud APIC uses the OrganizationAccountAccessRole IAM role to manage policies for AWS Organization tenants.
If you created an AWS account within the existing organization in the master account, the OrganizationAccountAccessRole IAM role is automatically assigned to that created AWS account. You do not have to manually configure the OrganizationAccountAccessRole IAM role in AWS in this case.
If the master account invited an existing AWS account to join the organization, then you must manually configure the OrganizationAccountAccessRole IAM role in AWS. Configure the OrganizationAccountAccessRole IAM role in AWS for the organization tenant and verify that it has the Cloud APIC-related permissions available.
Regarding the tenant question: each tenant must be in a separate AWS account. Sharing the same AWS account for multiple tenants is not allowed. For all non-infra tenants, the AWS provider is configured either as a trusted tenant or an untrusted tenant.
Stay safe,
Sergiu
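As an added illustration of the manual step described above for an invited account (this is example code, not from the thread, Cisco or AWS): the check below reads an OrganizationAccountAccessRole trust policy and reports when any principal other than the master (management) account is allowed to assume the role, which is the trust side of the role that the Cloud APIC relies on. The account ID 111111111111, both policy documents and the function name trust_policy_findings are constructed assumptions; the permission policy attached to the role is a separate check that this snippet does not cover.

```python
import json

# Constructed placeholder for the AWS Organizations master (management) account ID.
MANAGEMENT_ACCOUNT_ID = "111111111111"

# Constructed sample: the trust policy AWS Organizations attaches to the
# OrganizationAccountAccessRole it auto-creates in a member account. An invited
# account has to carry this policy by hand, which is where mistakes creep in.
TRUST_POLICY_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample of a hand-made trust policy that is far too broad:
# any AWS principal, from any account, may assume the role.
TRUST_POLICY_BAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy_json, management_account_id):
    """Return problems found in a role trust policy; an empty list means only the
    management account (by account ARN or bare ID) may call sts:AssumeRole."""
    expected = {management_account_id, f"arn:aws:iam::{management_account_id}:root"}
    findings = []
    assume_allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the literal "*" or a map such as {"AWS": [...]}.
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws_principals:
            if p not in expected:
                findings.append(f"sts:AssumeRole allowed for unexpected principal {p!r}")
            else:
                assume_allowed = True
    if not assume_allowed:
        findings.append("management account cannot assume the role: no matching Allow statement")
    return findings
```

Run it against the trust policy exported with the AWS CLI (`aws iam get-role`) for the invited account before adding that account as a tenant.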