meshStack

Unmanaged Tenants

What is an unmanaged tenant?

Workloads that run indefinitely without anyone's awareness are an easy way to burn through cloud budget. This is otherwise known as 'Shadow IT'. To make it easier to spot this kind of workload, meshStack offers a table view of all tenants that are unmanaged.

An unmanaged tenant is a cloud tenant that is not related to any meshWorkspace & meshProject. In other words, it does not have any organizational metadata applied to it, and from a meshStack perspective it is "unknown" who owns the tenant.

If you recently started using meshStack, you will most likely have a lot of unmanaged tenants. This is fine while you are still starting to manage these tenants via meshStack.

Viewing unmanaged tenants

Viewing unmanaged tenants can be easily done within the administration area. In the sidebar on the left, navigate to 'Platforms' -> 'Unmanaged Tenants'.

A table will open up with all unmanaged tenants that are known to meshStack. This list is refreshed on a daily basis.

meshStack also records when each unmanaged tenant was last observed. If the unmanaged tenant has not been observed for a few days, meshStack will assume that it has been deleted in the cloud platform and will remove it from the list.

The screenshot below depicts what the unmanaged tenant list could look like.

[Screenshot: Unmanaged Tenants]

Assigning Unmanaged Tenants

It is recommended to manage all your tenants via meshStack, so they are assigned a clear ownership, and you benefit from the full Tenant Management capabilities that meshStack has to offer.

You can easily assign an unmanaged tenant to a project in meshStack by doing the following:

  • Click the "Assign to project" button as depicted in the screenshot
  • In the prompt that opens up, select to which workspace & project this tenant should belong
  • Select the Landing Zone that should be applied to this tenant.
    • The Landing Zone will automatically be applied after the first tenant replication and the tenant will e.g. be assigned in the resource hierarchy in the cloud platform

[Screenshot: Unmanaged Tenant Assignment]

Tenants that are assigned into meshStack are removed from the unmanaged tenants list and shown in the tenants list instead.

Alternatively, if you prefer building an automation or an "as Code"-approach, you can use the meshTenant API Import.

Unmanaged AWS tenants

To import an unmanaged AWS account into a Workspace and Project, the account must be configured for meshStack integration. This configuration involves setting up an IAM role with a trust relationship to the root or master account of the AWS organization to which the account belongs.

Create the IAM role named MeshstackAccountAccessRole in the unmanaged account and assign the AWS managed IAM Policy AdministratorAccess to it. Once the account import is complete, the IAM role's permissions will be reduced to the required level.

Add the following trust relationship to the IAM role MeshstackAccountAccessRole, substituting <ROOT_ACCOUNT_ID> with the AWS account ID of the organization's master or root account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ROOT_ACCOUNT_ID>:role/MeshfedServiceRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Once the role is established, the unmanaged AWS account can be assigned to a project, allowing you to proceed with the steps outlined above.
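
Because MeshstackAccountAccessRole holds AdministratorAccess until the import completes, it is worth confirming that its trust policy admits only the MeshfedServiceRole named above. The check below is an added example, not part of the meshStack documentation or tooling; the function name check_trust_policy and the account ID 111122223333 are assumptions made for illustration.

```python
import json
import re

TRUSTED_ROLE = "MeshfedServiceRole"  # role name taken from the page

def _as_list(value):
    """IAM accepts a single string or a list for Principal and Action values."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, root_account_id):
    """Return findings; an empty list means only the expected role is trusted."""
    if not re.fullmatch(r"\d{12}", root_account_id):
        return ["root account ID must be 12 digits"]
    expected = f"arn:aws:iam::{root_account_id}:role/{TRUSTED_ROLE}"
    findings, trusted = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen who may assume the role
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            pairs = [(k, p) for k, v in principal.items() for p in _as_list(v)]
        else:
            pairs = [("AWS", principal)]  # bare "*" or a missing Principal
        for kind, value in pairs:
            if kind == "AWS" and value == expected:
                trusted = True
            else:
                findings.append(f"unexpected principal {kind}:{value}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action}")
    if not trusted:
        findings.append(f"{expected} is not trusted")
    return findings

# Constructed samples; 111122223333 is a placeholder account ID (assumption).
def _policy(principals):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principals},
        "Action": "sts:AssumeRole"}]})

GOOD = _policy("arn:aws:iam::111122223333:role/MeshfedServiceRole")
TEMPLATE = _policy("arn:aws:iam::<ROOT_ACCOUNT_ID>:role/MeshfedServiceRole")
TOO_BROAD = _policy(["arn:aws:iam::111122223333:role/MeshfedServiceRole", "*"])

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("template", TEMPLATE), ("broad", TOO_BROAD)]:
        print(name, check_trust_policy(doc, "111122223333"))
```

The live policy can be read with `aws iam get-role --role-name MeshstackAccountAccessRole --query Role.AssumeRolePolicyDocument` and passed to the function as a JSON string.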

Last updated on 6/26/2024
Copyright © 2025 meshcloud GmbH