How to properly access an organization with multiple accounts #1243
Replies: 3 comments
Hi @mderoquefeuil, thanks for bringing up this discussion. Currently CCF needs to have access to the billing account directly to access the CUR and Athena querying. For now, we can continue to look into this and help you find an answer, but I would also suggest reaching out to AWS support for assistance on getting the right access to the CUR through other organizational accounts/roles, and continuing to review the AWS documentation in great detail. In the meantime, please provide any updates you might find!
Hello @camcash17 Martin
Hi @mderoquefeuil, I am wondering if the error might be with you setting
Hello,
We are trying to set up Cloud Carbon Footprint in our organization. We have multiple accounts in it. When we log into AWS, we exclusively use roles, as User is a forbidden practice.
We use a rebound account for authentication (let's call it ID Account), from which we can then access an account on which we can access the Athena table containing the Cost and Usage Report (let's call it CUR Account).
We have tried many, many settings, but we can't figure out how to properly log in to AWS and request the table.
We set the environment variables AWS_PROFILE="my profile to access the CUR Account through the ID account" and AWS_DEFAULT_REGION="eu-west-3", as everything we do is in this region.
So far, we can confirm :
And here is our configuration env file :
AWS_USE_BILLING_DATA=true
AWS_BILLING_ACCOUNT_ID=CUR Account identifier
AWS_BILLING_ACCOUNT_NAME=CUR account name
AWS_ATHENA_REGION=eu-west-3
AWS_TARGET_ACCOUNT_ROLE_NAME=role to request cur athena table
AWS_ATHENA_DB_NAME=athena database name containing the cur table
AWS_ATHENA_DB_TABLE=athena cur table
AWS_ATHENA_QUERY_RESULT_LOCATION=s3://
AWS_RESOURCE_TAG_NAMES=["user:"]
AWS_ACCOUNTS=[{"id":"CUR Account identifier","name":"CUR account name"}]
AWS_AUTH_MODE=AWS
The error message is basically that the credential object is empty/undefined.
Here is a stack trace of our error:
2023-09-25T14:09:48.298Z [App] info: Starting AWS Estimations
2023-09-25T14:09:49.455Z [CostAndUsageReports] error: Error verifying schema for Athena table: "athena cur table"CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
    at Request.extractError (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
    at Request.emit (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/devhome/numerique-responsable/cloud-connect-footprint/node_modules/aws-sdk/lib/request.js:38:9)
2023-09-25T14:09:49.485Z [CostAndUsageReports] warn: 'product_vcpu' column could not be verified in Athena table schema. This may occur if there was an error fetching the schema or when there is no historical CPU usage (i.e. EC2) for the configured account. The CPU column will be excluded from Athena Query
2023-09-25T14:09:50.044Z [api] error: Unable to process footprint request.Error: Athena start query failed. Reason Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1.
Also, we tried to set AWS_SDK_LOAD_CONFIG=1 as an environment variable or in the env file, with no change.
Thanks in advance if anyone can help.
Regards,
Martin
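
The setup described in the post above depends on the profile named in AWS_PROFILE resolving, hop by hop, from the CUR Account role back to a credential source in the ID Account. The following is an added example, not code from this discussion or from Cloud Carbon Footprint, that checks such a chain offline in a shared AWS config file. The config text, profile names, account ID and role name are constructed, and `parseProfiles` and `resolveChain` are hypothetical helper names.

```javascript
// Constructed sample of ~/.aws/config; profile names, account ID and role name are placeholders.
const SAMPLE_CONFIG = `
[profile id-account]
sso_start_url = https://example.invalid/start

[profile cur-account]
role_arn = arn:aws:iam::222222222222:role/ExampleCurReader
source_profile = id-account

[profile broken]
role_arn = arn:aws:iam::222222222222:role/ExampleCurReader
source_profile = not-defined
`;

// Settings that let a profile obtain credentials without a further hop.
const BASE_KEYS = ['aws_access_key_id', 'sso_start_url', 'sso_session',
  'credential_process', 'web_identity_token_file', 'credential_source'];

// Parse the INI-style shared config into { profileName: { key: value } }.
function parseProfiles(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) { current = profiles[section[1].trim()] = {}; continue; }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (kv && current) current[kv[1].trim()] = kv[2].trim();
  }
  return profiles;
}

// Follow source_profile hops from `name` until a base credential source or a break.
function resolveChain(profiles, name) {
  const hops = [];
  const seen = new Set();
  for (let p = name; ; p = profiles[p].source_profile) {
    if (seen.has(p)) return { ok: false, hops, reason: `loop at "${p}"` };
    seen.add(p);
    const prof = profiles[p];
    if (!prof) return { ok: false, hops, reason: `profile "${p}" is not defined` };
    hops.push(p);
    if (prof.role_arn && prof.source_profile) continue;
    const base = BASE_KEYS.find((k) => k in prof);
    if (base) return { ok: true, hops, reason: `base credentials via ${base}` };
    return { ok: false, hops, reason: `profile "${p}" has no credential source` };
  }
}

console.log(resolveChain(parseProfiles(SAMPLE_CONFIG), 'cur-account'));
```

To check a real setup, pass the contents of the shared config file and the value of AWS_PROFILE instead of the constructed sample.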