Skip to main content
Skip table of contents

Step-3 : Create Role / IAM User

To carry out role-based steps, a Tenant ID is required. Please consult your partner company to share tenant id before moving forward.

DigitalEx supports both types of AWS authentications,

  1. Role Based

  2. Access/Secret Key Based

Role-based access is generally considered to be more secure than user-based access, as it allows organizations to control access to resources and functions based on defined roles and responsibilities. We recommend using roles over individual users whenever possible

Creating Role

  1. Go to IAM from the Services tab.

  2. Click on Roles from the left menu options and Click on Create Role

  3. Select AWS Accounts and select Another AWS Account from an AWS Account tab

    1. specify Account ID as 911403356698(This is the Account Id of DigitalEx which is universal)

    2. Check on options Require external ID and enter the tenant id(Please ask your partner to share tenant-id)

  4. Click Next, don’t select any permissions

  5. Click Next

  6. Enter the Role Name of your choice and Click Create Role.

  7. New Role should be created and displayed in the list.

  8. Click on the newly created Role which is navigated to the below page

  9. Click on Add Permissions -> Create Inline Policy under Permissions Tab & Click on JSON tab & replace existing JSON with the following JSON

    1. JSON

      JSON 
      { 
   "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Desc*",
                "ce:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        },
        {
     "Effect": "Allow",
     "Action": [
                "cur:Get*",
                "cur:ValidateReportDestination",
                "cur:Describe*"
      ],
     "Resource": "*"
}
    ]
}

    2. And replace <BUCKET_NAME> on lines 11 & 12 with the name of the bucket captured in Step-1 : Enable CUR & Cost Explorer

    3. Finally, your window should look like the following image. Note that, the bucket name in the image is for reference, it shouldn’t be copied as is, instead you should put your own bucket name

  10. Review Policy, Name it & Click Create policy

  11. Capture ARN of the role we created from the summary section for the next steps.

Creating IAM User & Access/Secret Keys

This step is not required if you have created a Role.

  1. Go to IAM from the Services tab & navigate to Users tab

  2. Click Add Users, enter name of your choice

  3. Skip permissions for now. Keep doing Next & finally Create User.

  4. Open the User you have created & click on Security credentials.

  5. Scroll down & click on Create access key

  6. Select Others & click on next

  7. Click on Create Access Key

  8. Save Access key ID and Secret access key for later use.

  9. Click Done

10. Navigate to the details of the user we just created

  1. Click Add Inline Policy under Permissions Tab & Click on JSON tab & replace existing JSON with the following JSON

    1. JSON

      JSON 
      { 
   "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Desc*",
                "ce:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        },
        {
     "Effect": "Allow",
     "Action": [
                "cur:Get*",
                "cur:ValidateReportDestination",
                "cur:Describe*"
      ],
     "Resource": "*"
}
    ]
}

    2. And replace <BUCKET_NAME> on lines 11 & 12 with the name of the bucket captured in Step-1 : Enable CUR & Cost Explorer

    3. Finally, your window should look like the following image. Note that, the bucket name in the image is for reference, it shouldn’t be copied as is, instead you should put your own bucket name

  2. Review the policy & click create

<<Previous ---------------------------------------------------------------------------------------------------------- Next>>

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close