
Step-3: Create Role / IAM User

DigitalEx supports both types of AWS authentication:

  1. Role Based

  2. Access/Secret Key Based

Role-based access is generally considered to be more secure than user-based access, as it allows organizations to control access to resources and functions based on defined roles and responsibilities. We recommend using roles over individual users whenever possible.

Creating Role

  1. Go to IAM from the Services tab.

  2. Click on Roles from the left menu options and Click on Create Role

  3. Select AWS Accounts and select Another AWS Account from an AWS Account tab

    1. Specify Account ID as 911403356698 (this is the Account ID of DigitalEx, which is universal).

    2. Check the option Require external ID and enter the tenant ID. To get the tenant ID, follow these instructions:

      1. Login to DigitalEx

      2. From the side menu, select API under the Admin section

      3. Capture the Tenant ID & enter it into the External ID field

  4. Click Next: Permissions, don’t select any permissions

  5. Click Next: Tags

  6. Click Next: Review

Enter the role name with the prefix ‘digitalex-’, e.g. digitalex-rolename.

  7. Enter the Role Name of your choice and click Create Role.

  8. A new role should be created and displayed in the list.

  9. Click on the newly created role to open its page.

  10. Click Add Permissions -> Create Inline Policy under the Permissions tab, click the JSON tab, and replace the existing JSON with the following JSON:

    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<BUCKET_NAME>",
                    "arn:aws:s3:::<BUCKET_NAME>/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:Describe*",
                    "organizations:List*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ce:Get*",
                    "ce:Desc*",
                    "ce:List*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:Get*",
                    "iam:List*",
                    "iam:SimulateCustomPolicy",
                    "iam:SimulatePrincipalPolicy"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cur:Get*",
                    "cur:ValidateReportDestination",
                    "cur:Describe*"
                ],
                "Resource": "*"
            }
        ]
    }

  11. Replace <BUCKET_NAME> on lines 11 & 12 with the name of the bucket captured in Step-1: Enable CUR & Cost Explorer.

  12. Review the policy, name it, and click Create policy.

  13. Capture the Role ARN of the role we created from the summary section for the next steps.
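
The console steps above leave the role with a trust policy that names the DigitalEx account and requires the tenant ID as `sts:ExternalId`. The following Python check is an added example, not DigitalEx's code; it inspects the document returned by `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument`, and the tenant ID and sample policies in it are constructed placeholders.

```python
DIGITALEX_ACCOUNT_ID = "911403356698"  # account ID stated on this page
TENANT_ID = "EXAMPLE-TENANT-ID"        # constructed placeholder for your tenant ID

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, external_id, account_id=DIGITALEX_ACCOUNT_ID):
    """Return findings for a role trust policy; an empty list means it matches."""
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        return ["no Allow statement"]
    findings = []
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for n, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {n}: principal is not limited to AWS accounts")
        else:
            for arn in _as_list(principal["AWS"]):
                if arn not in trusted:
                    findings.append(f"statement {n}: unexpected principal {arn}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"statement {n}: action is not exactly sts:AssumeRole")
        # IAM treats condition key names as case-insensitive.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        ext = equals.get("sts:externalid")
        if ext is None:
            findings.append(f"statement {n}: no sts:ExternalId condition")
        elif _as_list(ext) != [external_id]:
            findings.append(f"statement {n}: external ID is not the tenant ID")
    return findings

def sample_policy(condition):
    """Constructed trust policy in the shape the console steps produce."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DIGITALEX_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": condition}]}

GOOD = sample_policy({"StringEquals": {"sts:ExternalId": TENANT_ID}})
NO_EXTERNAL_ID = sample_policy({})

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("no external ID", NO_EXTERNAL_ID)):
        print(name, check_trust_policy(doc, TENANT_ID) or "OK")
```

A role that reports "no sts:ExternalId condition" can be assumed by the trusted account without presenting the tenant ID, which is the confused-deputy case the Require external ID option exists to prevent.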

Creating IAM User & Access/Secret Keys

This step is not required if you have created a Role.

  1. Go to IAM from the Services tab & navigate to Users tab

  2. Click Add Users and enter a name of your choice

  3. Skip permissions for now. Keep doing Next & finally Create User.

  4. Open the User you have created & click on Security credentials.

  5. Scroll down & click on Create access key

  6. Select Others & click on next

  7. Click on Create Access Key

  8. Save Access key ID and Secret access key for later use.

  9. Click Done

  10. Navigate to the details of the user we just created

  11. Click Add Inline Policy under the Permissions tab, click the JSON tab, and replace the existing JSON with the following JSON

    1. JSON

      JSON
      { 
         "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:GetObject",
                      "s3:ListBucket"
                  ],
                  "Resource": [
                      "arn:aws:s3:::<BUCKET_NAME>",
                      "arn:aws:s3:::<BUCKET_NAME>/*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "organizations:ListAccounts",
                      "organizations:DescribeAccount"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "ce:Get*",
                      "ce:Desc*",
                      "ce:List*"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:Get*",
                      "iam:List*",
                      "iam:SimulateCustomPolicy",
                      "iam:SimulatePrincipalPolicy"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "cur:Get*",
                      "cur:ValidateReportDestination",
                      "cur:Describe*"
                  ],
                  "Resource": "*"
              }
          ]
      }
    2. Replace <BUCKET_NAME> on lines 11 & 12 with the name of the bucket captured in Step-1: Enable CUR & Cost Explorer

  12. Review the policy & click create
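
Both inline policies on this page grant read-only actions and scope S3 access to the CUR bucket. The following Python lint is an added example, not DigitalEx's code; it checks a policy document, such as the output of `aws iam get-role-policy` or `aws iam get-user-policy`, for an unreplaced `<BUCKET_NAME>`, for actions outside the read verbs this page uses, and for S3 access widened to `*`. The bucket name and the drifted variant are constructed.

```python
READ_PREFIXES = ("Get", "List", "Desc", "Simulate", "Validate")  # verbs in this page's policy
PLACEHOLDER = "<BUCKET_NAME>"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings for the inline policy; an empty list means nothing to fix."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            verb = action.partition(":")[2]   # "" for a bare "*" action
            if not verb.startswith(READ_PREFIXES):
                findings.append(f"statement {n}: {action} is not a read-only action")
        if any(PLACEHOLDER in r for r in resources):
            findings.append(f"statement {n}: {PLACEHOLDER} was not replaced")
        if any(a.startswith("s3:") for a in actions) and "*" in resources:
            findings.append(f"statement {n}: S3 access is not limited to one bucket")
    return findings

def page_policy(bucket):
    """The role policy from this page with the bucket name filled in."""
    def allow(actions, resource="*"):
        return {"Effect": "Allow", "Action": actions, "Resource": resource}
    return {"Version": "2012-10-17", "Statement": [
        allow(["s3:GetObject", "s3:ListBucket"],
              [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]),
        allow(["organizations:Describe*", "organizations:List*"]),
        allow(["ce:Get*", "ce:Desc*", "ce:List*"]),
        allow(["iam:Get*", "iam:List*", "iam:SimulateCustomPolicy",
               "iam:SimulatePrincipalPolicy"]),
        allow(["cur:Get*", "cur:ValidateReportDestination", "cur:Describe*"]),
    ]}

if __name__ == "__main__":
    drifted = page_policy("example-cur-bucket")   # constructed bucket name
    drifted["Statement"][0]["Action"].append("s3:PutObject")  # constructed drift
    for doc in (page_policy("example-cur-bucket"), page_policy(PLACEHOLDER), drifted):
        print(lint_policy(doc) or "OK")
```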
