Setting up access on AWS

  1. In the AWS console, navigate to the IAM roles page.

  2. Start creating a new role

    • Click "Create role"

    • Select "Another AWS account" as the type of trusted entity

    • Use 949355348315 as the Account ID (this is Untab's AWS account ID)

    • Select "Require external ID" and enter the external ID provided on the Infrastructure Providers settings page in the Untab UI

    • Make sure that the "Require MFA" option is not selected

  3. At the permissions screen, click "Create Policy"

    • This will open a new window. Choose "JSON" and paste the following policy document:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ce:GetCostAndUsage",
              "ce:GetTags",
              "ce:GetDimensionValues",
              "ce:GetReservationUtilization",
              "ec2:Describe*",
              "elasticloadbalancing:Describe*",
              "cloudwatch:ListMetrics",
              "cloudwatch:GetMetricStatistics",
              "cloudwatch:Describe*",
              "autoscaling:Describe*"
            ],
            "Resource": "*"
          }
        ]
      }

    • Click "Review Policy"

    • Enter a name for the policy, e.g. "untab-agent"

    • Click "Create Policy"

  4. Finish creating the role

    • Close the policy creation window and go back to the role creation window

    • Click the button in the top right corner to refresh the list of policies

    • Search for and select the policy you created in step 3

    • Click "Next: Tags"

    • Add any tags you might want to identify this role

    • Click "Next: Review"

    • Enter a name for this role, e.g. "untab-agent"

    • Click "Create Role"

  5. Enter the role ARN into the Settings

    • Find the role you just created in the IAM UI and click on it to see the "Summary" page for this role

    • Copy the role ARN, which is shown at the top of the page

    • In the AWS provider, turn on the "Use real billing information" option

    • Paste the role ARN into the designated field and click "Save".

Ensure you are using the role ARN, not the policy ARN.
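
To check the result of steps 2 and 3 before handing over the ARN, the following added example (not Untab's own code) audits a role's trust policy and permissions policy offline. The function names, the EXAMPLE-EXTERNAL-ID placeholder and the sample trust policy are constructed for illustration; the check assumes the external ID is enforced with a StringEquals condition, as the console wizard does.

```python
UNTAB_ACCOUNT_ID = "949355348315"  # trusted account ID given on the page
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_external_id):
    """Return findings for the role's trust (assume-role) policy."""
    findings = []
    allowed = (UNTAB_ACCOUNT_ID, f"arn:aws:iam::{UNTAB_ACCOUNT_ID}:root")
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        for p in _as_list(aws):
            if p not in allowed:
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId differs from the Untab UI value")
        if "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            findings.append("MFA required, but the setup leaves it off")
    return findings

def audit_permissions(policy):
    """Flag allowed actions that are not Describe*/Get*/List* reads."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES):
                findings.append(f"not read-only: {action}")
    return findings

# Constructed sample: the trust policy shape the console wizard produces.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{UNTAB_ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST, "EXAMPLE-EXTERNAL-ID"))  # []
```

An empty list from both functions means the role trusts only the Untab account, is gated by the external ID, and grants nothing beyond read calls.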
