Generating an AWS access key and secret key
To integrate Nife-Cost with your AWS account, you need to create an IAM user and attach a policy that grants the necessary read-only permissions. Here is a step-by-step guide on how to generate the access key and secret key with the required permissions based on the provided JSON policy.
Step 1: Create a Custom IAM Policy
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Policies, then click Create policy.
- Select the JSON tab and paste the following JSON policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FinOpsReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage","ce:GetCostForecast","ce:GetDimensionValues","ce:GetReservationCoverage","ce:GetReservationPurchaseRecommendation","ce:GetReservationUtilization","ce:GetRightsizingRecommendation","ce:GetSavingsPlansCoverage","ce:GetSavingsPlansUtilization","ce:GetSavingsPlansPurchaseRecommendation","ce:ListCostAllocationTags",
        "cur:DescribeReportDefinitions",
        "pricing:GetProducts","pricing:DescribeServices",
        "budgets:ViewBudget",
        "sts:GetCallerIdentity",
        "ec2:DescribeInstances","ec2:DescribeVolumes","ec2:DescribeSnapshots","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","ec2:DescribeVpcs","ec2:DescribeAddresses","ec2:DescribeInternetGateways","ec2:DescribeNatGateways","ec2:DescribeVpcEndpoints","ec2:DescribeVpcPeeringConnections","ec2:DescribeTransitGatewayVpcAttachments","ec2:DescribeTransitGatewayPeeringAttachments","ec2:DescribeNetworkInterfaces","ec2:DescribeNetworkAcls","ec2:DescribePlacementGroups","ec2:DescribeSpotInstanceRequests","ec2:DescribeKeyPairs","ec2:DescribeLaunchTemplates","ec2:DescribeReservedInstances","ec2:DescribeReservedInstancesOfferings","ec2:DescribeTags",
        "ecs:ListClusters","ecs:DescribeClusters","ecs:ListContainerInstances","ecs:DescribeContainerInstances","ecs:ListTaskDefinitions","ecs:DescribeTaskDefinition","ecs:ListTasks","ecs:DescribeTasks","ecs:ListServices","ecs:DescribeServices","ecs:ListTagsForResource",
        "eks:ListClusters","eks:DescribeCluster","eks:ListTagsForResource","eks:ListNodegroups","eks:DescribeNodegroup",
        "elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeTags","elasticloadbalancing:DescribeListeners","elasticloadbalancing:DescribeTargetGroups",
        "autoscaling:DescribeAutoScalingGroups","autoscaling:DescribeLaunchConfigurations",
        "ssm:DescribeMaintenanceWindows","ssm:DescribeInstanceInformation","ssm:ListTagsForResource","ssm:GetParameter","ssm:GetParameters",
        "rds:DescribeDBInstances","rds:DescribeDBClusters","rds:DescribeDBSnapshots","rds:DescribeDBClusterSnapshots","rds:DescribeDBProxyEndpoints","rds:DescribeDBProxies","rds:DescribeDBInstanceAutomatedBackups","rds:ListTagsForResource",
        "redshift:DescribeEventSubscriptions","redshift:DescribeClusters",
        "route53:ListHostedZones","route53:ListHostedZonesByName","route53:ListResourceRecordSets","route53:ListTagsForResource","route53:GetHostedZone",
        "cloudwatch:GetMetricStatistics","cloudwatch:DescribeAlarms","cloudwatch:ListDashboards","cloudwatch:ListMetricStreams","cloudwatch:ListTagsForResource",
        "logs:DescribeLogGroups","logs:DescribeLogStreams",
        "lambda:ListFunctions","lambda:ListEventSourceMappings","lambda:ListTags","lambda:GetFunction",
        "s3:ListAllMyBuckets","s3:GetBucketTagging","s3:GetBucketLocation","s3:GetBucketAcl","s3:GetBucketPolicy",
        "dynamodb:DescribeTable","dynamodb:ListTables","dynamodb:ListTagsOfResource",
        "elasticache:DescribeCacheClusters","elasticache:ListTagsForResource",
        "es:ListDomainNames","es:DescribeDomains",
        "kinesis:ListStreams","kinesis:ListStreamConsumers","kinesis:DescribeStream",
        "kinesisanalytics:ListApplications","kinesisanalytics:DescribeApplication",
        "firehose:ListDeliveryStreams","firehose:DescribeDeliveryStream",
        "ecr:DescribeRepositories","ecr:ListTagsForResource",
        "sns:ListTopics","sns:ListSubscriptions","sns:ListTagsForResource",
        "sqs:ListQueues","sqs:ListQueueTags","sqs:GetQueueAttributes",
        "apigateway:GET",
        "wafv2:ListWebACLs","wafv2:ListTagsForResource",
        "iam:ListUsers","iam:ListRoles","iam:ListPolicies","iam:ListGroups","iam:ListInstanceProfiles","iam:ListPolicyTags","iam:ListInstanceProfileTags","iam:ListOpenIDConnectProviders","iam:GetOpenIDConnectProvider","iam:ListSAMLProviders","iam:ListSAMLProviderTags",
        "kms:ListKeys","kms:ListResourceTags","kms:DescribeKey",
        "cloudfront:ListDistributions","cloudfront:ListFunctions","cloudfront:ListTagsForResource",
        "codebuild:ListProjects","codebuild:BatchGetBuilds",
        "codedeploy:ListApplications","codedeploy:ListDeploymentGroups",
        "codecommit:ListRepositories","codecommit:ListTagsForResource",
        "events:ListRules","events:ListTagsForResource",
        "elasticfilesystem:DescribeFileSystems","elasticfilesystem:ListTagsForResource",
        "secretsmanager:ListSecrets","secretsmanager:DescribeSecret",
        "datasync:ListAgents",
        "cloudtrail:ListTrails","cloudtrail:DescribeTrails",
        "tag:GetResources",
        "servicecatalog:SearchProductsAsAdmin",
        "kafka:ListClustersV2","kafka:DescribeCluster",
        "lightsail:GetInstances","lightsail:GetRelationalDatabases"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WAFv2RequiredScope",
      "Effect": "Allow",
      "Action": ["wafv2:GetWebACL","wafv2:GetWebACLForResource"],
      "Resource": "*"
    }
  ]
}
- Click Next: Tags to add any optional tags, then Next: Review.
- Name the policy (e.g., Nife-CostReadOnlyPolicy), provide an optional description, and click Create policy.
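
A check to run before attaching a policy described as read-only, added here as an example (it is not Nife-Cost's or AWS's code): it walks a policy of this shape and reports allowed actions that return stored values or configuration rather than inventory metadata, plus any wildcard or non-read actions. The embedded policy is a constructed excerpt of the one above, and the CONTENT_READS list is this example's own assumption.

```python
import json

# Constructed excerpt: same structure as the policy above, a subset of its actions.
POLICY_JSON = """
{"Version": "2012-10-17", "Statement": [
  {"Sid": "FinOpsReadOnlyAccess", "Effect": "Allow", "Resource": "*",
   "Action": ["ce:GetCostAndUsage", "ec2:DescribeInstances", "ssm:GetParameter",
              "ssm:GetParameters", "lambda:GetFunction", "s3:GetBucketPolicy",
              "apigateway:GET", "secretsmanager:ListSecrets", "iam:ListUsers"]},
  {"Sid": "WAFv2RequiredScope", "Effect": "Allow", "Resource": "*",
   "Action": ["wafv2:GetWebACL", "wafv2:GetWebACLForResource"]}]}
"""

# Assumption: a reviewer's own list (not an AWS classification) of value-returning reads.
CONTENT_READS = {
    "ssm:getparameter": "returns parameter values",
    "ssm:getparameters": "returns parameter values",
    "lambda:getfunction": "returns configuration and a code download link",
    "s3:getbucketpolicy": "returns the bucket policy document",
    "apigateway:get": "reads API Gateway resources",
}
READ_VERBS = ("get", "list", "describe", "view", "search", "batchget")

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit(policy):
    """Return (sid, action, finding) for each allowed action worth a second look."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        scope = " (Resource is *)" if "*" in _as_list(stmt.get("Resource", [])) else ""
        for action in _as_list(stmt.get("Action", [])):
            key = action.lower()  # IAM action names are case-insensitive
            if "*" in key:
                finding = "wildcard action"
            elif key in CONTENT_READS:
                finding = "content read: " + CONTENT_READS[key] + scope
            elif not key.split(":", 1)[-1].startswith(READ_VERBS):
                finding = "not a read verb"
            else:
                continue
            findings.append((stmt.get("Sid", ""), action, finding))
    return findings

if __name__ == "__main__":
    for sid, action, finding in audit(json.loads(POLICY_JSON)):
        print(f"{sid}: {action}: {finding}")
```

Run it against the full policy text by replacing POLICY_JSON; each reported action is a candidate for a narrower Resource or for removal if the integration works without it.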
Step 2: Create an IAM User
- In the IAM console, navigate to Users and click Add user.
- Enter a user name (e.g., Nife-CostReadOnlyUser) and select Programmatic access.
- Click Next: Permissions, then select Attach existing policies directly.
- Search for the policy you created in Step 1 and select it.
- Click Next: Tags to add any optional tags, then Next: Review.
- Review the user details and click Create user.
Step 3: Retrieve Access Key and Secret Key
- After creating the user, you will see the User Summary page.
- Click on Download .csv to save the user credentials (access key ID and secret access key) securely. Alternatively, you can copy these values directly from the console.
- Store these credentials in a safe place. You will need them to configure Nife-Cost.