Connecting Teevity to your Amazon Web Services environment

Last updated - 2018/03/02


If you use AWS, here are all the details (and some AWS CLI based scripts, at the bottom of this page) regarding how you can connect Teevity to your AWS billing environment using:

    • [Method 1] - a dedicated IAM user with AccessKey/SecretAccessKey with limited rights
    • [Method 2] - an IAM cross account relationship between your AWS environment and Teevity


Once this connection is established, and if you want Teevity to provide its full range of services, you also need to connect it to the individual AWS accounts of your company (or a subset of these AWS accounts). The connection to individual AWS accounts lets Teevity poll:

    • AWS CloudWatch metrics (for the Resource Usage Optimization service)
    • AWS RIs which are bought on accounts which are not the billing account (for the RI optimization service)

Connection of your AWS billing environment to Teevity

[Method 1] - Connection with a Dedicated IAM user (using its AccessKey / SecretAccessKey)

In this scenario, you provide the AK/SK of an IAM user. This IAM user can live:

  • On the account that owns the billing bucket
  • On another account (exclusively dedicated to IAM users for instance). In this case, you must provide the name of an IAM Role that lives on the AWS account that owns the billing bucket. Teevity will try to assume this Role on the account whose number is provided in the "Master account number".


[Method 2] - Connection using an IAM cross account relationship

In this scenario, you don't provide the AK/SK of an IAM user. Instead, you establish a trust relationship between a Role in your AWS environment (called TeevityCrossAccountTrustRole) and the Teevity service.

Connection of your AWS environment with Teevity:

    • Step 0 - Create an IAM role called TeevityCrossAccountTrustRole of type "cross account trust" on the Master Billing account. The trust relationship allows the "Teevity AWS IAM user" to assume the IAM Role you have created on your Master Billing account, so that Teevity can poll your billing files and also, through that role, poll CloudWatch metrics on the child accounts (more on that in steps 1 & 2 below). The associated script has to be executed on your Master Billing account.

To execute the script you will need to:

  • replace ##S3_PROGRAMMATIC_BILLING_BUCKET_NAME## with the name of the S3 bucket where the programmatic billing data is exported (see more information here)
  • replace ##TEEVITY_TRUST_RELATIONSHIP_EXTERNALID## with your external ID, which you will find on the AWS account setup page
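The trust relationship from Step 0, as an added example (this is not one of Teevity's packaged scripts): the role's trust policy names a single principal and requires the external ID, and the script refuses to run while a ##PLACEHOLDER## is still unreplaced. The placeholder name ##TEEVITY_PRINCIPAL_ARN## and the function names are assumptions; the ARN of the Teevity AWS IAM user is not given on this page and must be obtained from Teevity.

```shell
#!/bin/sh
# Added example, not Teevity's own script. Replace both values before use.
TEEVITY_PRINCIPAL_ARN='##TEEVITY_PRINCIPAL_ARN##'   # hypothetical placeholder name
EXTERNAL_ID='##TEEVITY_TRUST_RELATIONSHIP_EXTERNALID##'

# Reject a value that is empty, still an unreplaced ##PLACEHOLDER##,
# or contains a double quote (which would break the JSON below).
require_value() {
    case "$2" in
        ''|*'##'*|*'"'*) echo "error: $1 is not usable: '$2'" >&2; return 1 ;;
    esac
}

# Print the trust policy: only the given principal may assume the role,
# and only when it presents the expected external ID.
render_trust_policy() {
    require_value principal "$1" || return 1
    require_value external_id "$2" || return 1
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "$1" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "$2" } }
  }]
}
EOF
}

# Create the role on the Master Billing account. Requires the AWS CLI and
# credentials for that account; nothing is sent if validation fails.
create_trust_role() {
    policy=$(render_trust_policy "$TEEVITY_PRINCIPAL_ARN" "$EXTERNAL_ID") || return 1
    aws iam create-role \
        --role-name TeevityCrossAccountTrustRole \
        --assume-role-policy-document "$policy"
}

# Uncomment once both placeholders have been replaced:
# create_trust_role
```

The permissions the role needs (read access to the billing bucket, and the right to assume the child-account roles from steps 1 and 2) are attached separately and are not covered by this example.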

Connection of the individual AWS accounts

Once the connection with Teevity is established, and if you want Teevity to provide its full range of services, you also need to connect it to the individual AWS accounts of your company (or a subset of these AWS accounts).

The connection of the individual AWS accounts lets Teevity poll:

    • AWS CloudWatch metrics (for the Resource Usage Optimization service)
    • AWS RIs which are bought on accounts which are not the billing account (for the RI optimization service)

In order to set this up, you need to create IAM Roles on the AWS child accounts.

Creation of IAM roles on the child accounts (to allow Teevity to poll CloudWatch metrics on these accounts) and of a cross-account-access relationship between the child accounts and the role on the master account (or the IAM user if you followed Method 1):

      • Step 1 - Create an IAM role of type "cross account trust" on each sub-account (and on all accounts with resources or owning RIs). This role can be called something like TeevityPollerRole (see this script) where
        • ##TEEVITY_IAM_USERNAME## is the IAM user if you used Method 1 (see above) or role/TeevityCrossAccountTrustRole if you used Method 2 (see above)
      • Step 2 - Authorize the TeevityCrossAccountTrustRole role or the IAM user to assume that role (see this script) where
        • ##TEEVITY_IAM_USERNAME## is the IAM user if you chose Method 1 (see above).
        • ##AWS_CHILDACCOUNT_NUMBER_00X## are the IDs of the child accounts where the role from Step 1 has been declared

Scripts referenced on this page (each script is packaged in a zip file which contains a single .sh file and the dependent file(s) for the IAM policies; the .sh file is just AWS CLI commands, which would work as-is on Windows):