Skip to main content

Generating an AWS access key and secret key

To integrate Nife-Cost with your AWS account, you need to create an IAM user and attach a policy that grants the necessary read-only permissions. Here is a step-by-step guide on how to generate the access key and secret key with the required permissions based on the provided JSON policy.

Step 1: Create a Custom IAM Policy

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, then click Create policy.

  3. Select the JSON tab and paste the following JSON policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "1",
                "Effect": "Allow",
                "Action": [
                    "apigateway:GET",
                    "codecommit:ListRepositories",
                    "codecommit:ListTagsForResource",
                    "codebuild:ListProjects",
                    "codedeploy:ListApplications",
                    "codedeploy:ListDeploymentGroups",
                    "cloudwatch:GetMetricStatistics",
                    "cloudfront:ListDistributions",
                    "cloudfront:ListFunctions",
                    "cloudfront:ListTagsForResource",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:ListTagsForResource",
                    "cloudwatch:ListDashboards",
                    "cloudwatch:ListMetricStreams",
                    "dynamodb:DescribeTable",
                    "dynamodb:ListTables",
                    "sts:GetCallerIdentity",
                    "dynamodb:ListTagsOfResource",
                    "ec2:DescribeNetworkAcls",
                    "ec2:DescribeAddresses",
                    "config:BatchGetResourceConfig",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInternetGateways",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribePlacementGroups",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSnapshots",
                    "ec2:DescribeSpotInstanceRequests",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTransitGatewayVpcAttachments",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcs",
                    "ecr:DescribeRepositories",
                    "ecr:ListTagsForResource",
                    "ecs:ListClusters",
                    "ecs:ListContainerInstances",
                    "eks:ListClusters",
                    "eks:ListTagsForResource",
                    "eks:DescribeCluster",
                    "elasticache:DescribeCacheClusters",
                    "elasticache:ListTagsForResource",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeTags",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "kafka:ListClustersV2",
                    "kinesisanalytics:ListApplication",
                    "firehose:ListDeliveryStreams",
                    "ec2:DescribeNatGateways",
                    "ec2:DescribeTransitGatewayPeeringAttachments",
                    "WAFV2:ListWebACLs",
                    "sns:ListSubscriptions",
                    "iam:ListGroups",
                    "iam:ListInstanceProfiles",
                    "iam:ListOpenIDConnectProviders",
                    "iam:GetOpenIDConnectProvider",
                    "iam:ListPolicies",
                    "iam:ListPolicyTags",
                    "iam:ListRoles",
                    "iam:ListSAMLProviders",
                    "iam:ListSAMLProviderTags",
                    "iam:ListUsers",
                    "kinesis:ListStreams",
                    "kinesis:ListStreamConsumers",
                    "kms:ListKeys",
                    "kms:ListResourceTags",
                    "kms:DescribeKey",
                    "rds:DescribeDBInstanceAutomatedBackups",
                    "rds:DescribeDBClusterSnapshots",
                    "rds:DescribeDBClusters",
                    "rds:DescribeDBProxyEndpoints",
                    "rds:ListTagsForResource",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBProxies",
                    "rds:DescribeDBSnapshots",
                    "redshift:DescribeEventSubscriptions",
                    "s3:GetBucketTagging",
                    "servicecatalog:SearchProductsAsAdmin",
                    "sns:ListTopics",
                    "sns:ListTagsForResource",
                    "sqs:ListQueues",
                    "sqs:ListQueueTags",
                    "ssm:DescribeMaintenanceWindows",
                    "pricing:GetProducts",
                    "logs:DescribeLogGroups",
                    "autoscaling:DescribeAutoScalingGroups",
                    "ecs:ListTaskDefinitions",
                    "elasticfilesystem:DescribeFileSystems",
                    "elasticfilesystem:ListTagsForResource",
                    "iam:ListInstanceProfileTags",
                    "lambda:ListEventSourceMappings",
                    "lambda:ListFunctions",
                    "lambda:ListTags",
                    "es:ListDomainNames",
                    "es:DescribeDomains",
                    "s3:ListAllMyBuckets",
                    "secretsmanager:ListSecrets",
                    "datasync:ListAgents",
                    "cloudtrail:ListTrails"
                ],
                "Resource": "*"
            }
        ]
    }

  4. Click Next: Tags to add any optional tags, then Next: Review.

  5. Name the policy (e.g., Nife-CostReadOnlyPolicy), provide an optional description, and click Create policy.

Step 2: Create an IAM User

  1. In the IAM console, navigate to Users and click Add user.
  2. Enter a user name (e.g., Nife-CostReadOnlyUser) and select Programmatic access.
  3. Click Next: Permissions, then select Attach existing policies directly.
  4. Search for the policy you created in Step 1 and select it.
  5. Click Next: Tags to add any optional tags, then Next: Review.
  6. Review the user details and click Create user.

Step 3: Retrieve Access Key and Secret Key

  1. After creating the user, you will see the User Summary page.
  2. Click on Download .csv to save the user credentials (access key ID and secret access key) securely. Alternatively, you can copy these values directly from the console.
  3. Store these credentials in a safe place. You will need them to configure Nife-Cost.