
Step-3: Create Role / IAM User

DigitalEx supports both types of AWS authentication:

  1. Roles

  2. Users

Role-based access is generally considered more secure than user-based access, as it lets organizations control access to resources and functions based on defined roles and responsibilities. We recommend using roles over individual users whenever possible.

Roles

  1. Search for IAM and navigate to the IAM dashboard.

  2. Click Roles in the left menu, then click Create role.

  3. Select AWS account, then select Another AWS account.

  4. Specify the Account ID as 911403356698 (this is the DigitalEx account ID; it is the same for every tenant).

  5. Check the option Require external ID and enter your tenant ID. To find the tenant ID:

    1. Log in to DigitalEx.

    2. From the side menu, select API under the Admin section.

    3. Capture the Tenant ID and enter it into the External ID field.

  6. Click Next and do not select any permissions.

  7. Enter the role name with the prefix ‘DigitalEx-’ (e.g. DigitalEx-rolename) and click Create role.

  8. A new role should be created and displayed in the list.

  9. Click on the newly created role to open its details page.

  10. Under the Permissions tab, click Add permissions -> Create inline policy.

  11. Click the JSON tab and replace the existing JSON with the JSON below.

  12. Replace <BUCKET_NAME> on lines 11 & 12 with the name of the bucket captured in Step-1: Enable CUR & Cost Explorer.

    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<BUCKET_NAME>",
                    "arn:aws:s3:::<BUCKET_NAME>/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:Describe*",
                    "organizations:List*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ce:Get*",
                    "ce:Desc*",
                    "ce:List*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:Get*",
                    "iam:List*",
                    "iam:SimulateCustomPolicy",
                    "iam:SimulatePrincipalPolicy"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cur:Get*",
                    "cur:ValidateReportDestination",
                    "cur:Describe*"
                ],
                "Resource": "*"
            }
        ]
    }

  13. Click Next, enter a policy name, and click Create policy.

  14. After the policy is created, the role summary page is displayed. Capture the ARN of the role from the Summary section for the next steps.
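The console choices above (Another AWS account plus Require external ID) are what produce the role's trust policy. The following Python is an added example, not DigitalEx's code or AWS's: it builds the trust policy document equivalent to those choices for the 911403356698 account and a tenant ID, then runs a simplified evaluation showing that an AssumeRole request is only honoured when both the calling account and the external ID match. The tenant ID value is a constructed placeholder, and the evaluator models only the account principal and the sts:ExternalId condition, not full IAM policy evaluation.

```python
import json
from typing import Optional

# Account ID given on the page for DigitalEx; the tenant ID below is a
# constructed placeholder, replace it with the Tenant ID from Admin -> API.
DIGITALEX_ACCOUNT_ID = "911403356698"
EXAMPLE_TENANT_ID = "tenant-id-placeholder"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to the console choices 'Another AWS account'
    plus 'Require external ID': only principals in the trusted account may
    assume the role, and only when they present the matching external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_allowed(trust_policy: dict, caller_account_id: str,
                        external_id: Optional[str]) -> bool:
    """Simplified evaluation of an sts:AssumeRole request against the trust
    policy. Models only the account principal and the sts:ExternalId
    condition used in this setup; it is not a full IAM policy evaluator."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account_id}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        # A missing or mismatched external ID fails the condition: this is
        # what stops someone who can act from the trusted account, but does
        # not know your tenant ID, from assuming the role.
        if required is not None and external_id != required:
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(DIGITALEX_ACCOUNT_ID, EXAMPLE_TENANT_ID)
    print(json.dumps(policy, indent=2))
    print("with external ID:", assume_role_allowed(policy, DIGITALEX_ACCOUNT_ID, EXAMPLE_TENANT_ID))
    print("without external ID:", assume_role_allowed(policy, DIGITALEX_ACCOUNT_ID, None))
```

The external ID is the tenant-specific secret in this arrangement, so treat it like one: it is what ties the role to your DigitalEx tenant rather than to anyone who can call AssumeRole from the DigitalEx account. To confirm the console saved the condition, `aws iam get-role --role-name DigitalEx-rolename --query Role.AssumeRolePolicyDocument` shows the stored trust policy, which should contain the same `sts:ExternalId` StringEquals condition.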


Users

This step is not required if you have created a Role.

  1. Search for IAM, navigate to the IAM dashboard and click Users.

  2. Click Add users and enter a name of your choice.

  3. Skip permissions for now. Keep clicking Next and finally click Create user.

  4. Click the user you have created and open the Security credentials tab.

  5. Scroll down and click Create access key.

  6. Select Other and click Next.

  7. Click Create access key.

  8. Capture the Access key and Secret access key; they are used in subsequent steps.

  9. Click Done.

  10. Navigate to the details of the user you just created.

  11. Under the Permissions tab, click Create inline policy, click the JSON tab, and replace the existing JSON with the JSON below.

  12. Replace <BUCKET_NAME> on lines 11 & 12 with the name of the bucket captured in Step-1: Enable CUR & Cost Explorer.

    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<BUCKET_NAME>",
                    "arn:aws:s3:::<BUCKET_NAME>/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:ListAccounts",
                    "organizations:DescribeAccount"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ce:Get*",
                    "ce:Desc*",
                    "ce:List*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:Get*",
                    "iam:List*",
                    "iam:SimulateCustomPolicy",
                    "iam:SimulatePrincipalPolicy"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cur:Get*",
                    "cur:ValidateReportDestination",
                    "cur:Describe*"
                ],
                "Resource": "*"
            }
        ]
    }

  13. Review the policy and click Create policy.
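Before pasting the inline policy (used in the Roles steps above and again here for Users), it is worth checking locally that the placeholder was actually replaced and that the grants stay read-only and bucket-scoped. The following Python is an added example, not DigitalEx's code: it carries the Roles variant of the page's policy as a template, substitutes a bucket name, and flags unreplaced placeholders, wildcard or write actions, and s3 statements that are not scoped to the bucket. The bucket name is constructed, and the check is a local sanity test of the document's shape, not an IAM policy simulation.

```python
import json
import re
from typing import List

# The inline policy from the Roles steps, reproduced as a template with the
# <BUCKET_NAME> placeholder still unfilled. The Users variant differs only in
# listing organizations:ListAccounts and organizations:DescribeAccount explicitly.
INLINE_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::<BUCKET_NAME>", "arn:aws:s3:::<BUCKET_NAME>/*"]},
    {"Effect": "Allow", "Action": ["organizations:Describe*", "organizations:List*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["ce:Get*", "ce:Desc*", "ce:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:SimulateCustomPolicy",
                                   "iam:SimulatePrincipalPolicy"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cur:Get*", "cur:ValidateReportDestination",
                                   "cur:Describe*"], "Resource": "*"}
  ]
}"""

PLACEHOLDER = re.compile(r"<[A-Z_]+>")
# Action-name prefixes that only read or evaluate state. Anything else is
# flagged so an accidental write grant is caught before the policy is saved.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Desc", "Simulate", "Validate")


def render_policy(template: str, bucket_name: str) -> dict:
    """Substitute the CUR bucket name (captured in Step-1) and parse the result."""
    return json.loads(template.replace("<BUCKET_NAME>", bucket_name))


def _as_list(value) -> List[str]:
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def policy_problems(policy: dict) -> List[str]:
    """Local pre-flight checks on the rendered policy. Returns findings; an
    empty list means the policy still has the read-only, bucket-scoped shape
    the page intends. This is not an IAM policy simulation."""
    problems = []
    for match in PLACEHOLDER.findall(json.dumps(policy)):
        problems.append(f"unreplaced placeholder {match}")
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            service, _, name = action.partition(":")
            if action == "*" or name == "*":
                problems.append(f"statement {i}: wildcard action {action}")
            elif not name.startswith(READ_ONLY_PREFIXES):
                problems.append(f"statement {i}: non-read action {action}")
        # S3 grants must name the CUR bucket, never every bucket in the account.
        touches_s3 = any(a.startswith("s3:") for a in actions)
        if touches_s3 and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            problems.append(f"statement {i}: s3 access not scoped to the CUR bucket")
    return problems


if __name__ == "__main__":
    rendered = render_policy(INLINE_POLICY_TEMPLATE, "example-cur-bucket")  # constructed name
    print(json.dumps(rendered, indent=4))
    print("problems:", policy_problems(rendered) or "none")
```

Run it once with the real bucket name from Step-1 and paste the printed JSON into the console only if the problem list is empty. The same check applies unchanged to the Users policy, since it differs from the template only in the two explicit organizations actions, both of which start with a read-only prefix.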
