🛠️Setup IAM Role for Temporary Access

AWS Cost Explorer Access via IAM Role for Developers

Pagerly would use STS Temporary Role for accessing the AWS Cloud Reports. This is the safest option available for an external account accessing to specific resource on AWS.

This process involves creating an IAM role with the necessary permissions and then using STS to assume this role, which provides you with temporary credentials that can be used to access AWS resources.

In short , you need to create IAM Role which has

  • Access only to Cost Explorer

  • Allows External Account to Assume Role via STS

Note : Pagerly doesn't save any information related to your cloud. We find this runtime and give the reports on Slack

Setting up IAM Role

1. Creating an IAM Role

An IAM role allows you to delegate access with defined permissions, which can be assumed by users, applications, or AWS services without needing to share access keys.

Steps to Create an IAM Role for AWS Cost Explorer for External Access:

  1. Sign in to the AWS Management Console: Navigate to the IAM service.

  2. Navigate to Roles: Click on "Roles" on the sidebar, then click "Create role".

  3. Select Type of Trusted Entity:

    • For access by external accounts or IAM users within your account, select "Another AWS account".

  4. Specify Details:

    • If you selected "Another AWS account", enter the account ID : 065318983578

  5. Click Next: Permissions.

  6. Creating a Trust Policy with Pagerly

    A trust policy defines who is allowed to assume the role.

    You’ll specify this in the role creation process,

    Pagerly AWS Account Id : 065318983578

    Trust Policy for Allowing Pagerly:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::065318983578:user/pagerly-cloudcost"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

2. Creating and Attaching the Policy for Cost Explorer Access

In this step, you'll create a policy that grants permissions to access AWS Cost Explorer and then attach it to the IAM role.

Create the Policy:

  1. Navigate to to IAM Role just created

  2. Go to Add permissions and Create Inline Policy

  3. Choose the Service: Select "Cost Explorer Service".

  4. Add Actions: Choose actions you want to allow, such as GetCostAndUsage.

  5. Set Resource to All: Since Cost Explorer does not support resource-level permissions, use "Resource": "*".

  6. Review and Name Your Policy: Enter a name and description for your policy, then click "Create policy".

Or add the following Policy Directly 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ce:GetCostAndUsage",
            "Resource": "*"
        }
    ]
}

Attach the Policy to Your Role:

  1. Go Back to Your Role: Find the role you created in the Roles menu.

  2. Attach Policies: Click "Attach policies", find the policy you just created, select it, and then click "Attach policy".

Following this guide, you've created an IAM role with the necessary permissions for accessing only AWS Cost Explorer and allowing Pagerly to access this role

PreviousCloud Cost AppNextConfiguring Team for Cloud Cost

Last updated