Create IAM User With Required Permissions
• AmazonS3ReadOnlyAccess—Allows read-only access to the S3 bucket containing Cost and Usage Report (CUR) data.
  Note: The Amazon S3 bucket is accessible from the IAM user credentials.
• AWSBillingReadOnlyAccess—Allows read-only access to billing reports.
This topic includes the following sections:
• IAM User Creation (Legacy) Instructions
• IAM Policy (IAM User) Creation Reference
IAM User Creation (Legacy) Instructions
Users who choose not to use the IAM role can instead create an IAM user with read-only access to the S3 bucket containing your Cost and Usage Report, as well as read-only access to metadata about the accounts referenced in your bill.
To create an IAM user (Legacy):
1. Create a new IAM policy that allows read-only access to your S3 billing bucket and to metadata about the accounts referenced in your bill. For more information, see IAM Policy (IAM User) Creation Reference.
2. Create a new IAM user and attach only the newly created policy to this user. For instructions on this process, see the AWS documentation topic, IAM tutorial: Create and attach your first customer managed policy.
3. Capture the access key ID and secret access key for future use.
IAM Policy (IAM User) Creation Reference
To allow read-only access to your S3 billing bucket and metadata about the accounts referenced in your bill, create a new AWS IAM policy with the required Flexera One permissions. In the following sample policy, replace YOUR_BILLING_BUCKET_NAME_HERE with your bucket name. Take care not to delete the trailing /* in the resource of the s3:GetObject permission.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws-cn:s3:::YOUR_BILLING_BUCKET_NAME_HERE"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws-cn:s3:::YOUR_BILLING_BUCKET_NAME_HERE/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetReservationUtilization"
      ],
      "Resource": "*"
    }
  ]
}
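A pre-flight check for a filled-in copy of this policy, run before the policy is created in IAM. This is an added example, not Flexera or AWS code: the function names, the bucket name example-cur-bucket and the shortened sample policy are constructed for illustration. It flags an unreplaced placeholder, a deleted trailing /*, and any action whose verb is outside the Get/List/Describe set the sample policy uses.

```python
import json

PLACEHOLDER = "YOUR_BILLING_BUCKET_NAME_HERE"
BUCKET = "example-cur-bucket"                    # constructed bucket name
READ_VERBS = ("Get", "List", "Describe")         # the only verbs the sample policy grants
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def lint_policy(policy_json, bucket):
    """Return findings for a filled-in copy of the policy; an empty list means clean."""
    findings = []
    if PLACEHOLDER in policy_json:
        findings.append("placeholder bucket name was not replaced")
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if not action.partition(":")[2].startswith(READ_VERBS):
                findings.append(f"{action}: verb is not Get/List/Describe")
            for res in as_list(stmt.get("Resource", [])):
                if action in BUCKET_LEVEL and not res.endswith(f":::{bucket}"):
                    findings.append(f"{action}: resource must be the bucket ARN, got {res}")
                if action == "s3:GetObject" and not res.endswith(f":::{bucket}/*"):
                    findings.append(f"{action}: resource must end in {bucket}/*, got {res}")
    return findings

def sample(object_actions, object_resource):
    """Constructed, shortened copy of the policy with an editable object statement."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws-cn:s3:::{BUCKET}"]},
        {"Effect": "Allow", "Action": object_actions, "Resource": [object_resource]},
        {"Effect": "Allow", "Action": ["organizations:Describe*", "organizations:List*"],
         "Resource": "*"},
    ]})

if __name__ == "__main__":
    # Two editing mistakes: the trailing /* deleted and a write action added.
    broken = sample(["s3:GetObject", "s3:PutObject"], f"arn:aws-cn:s3:::{BUCKET}")
    for finding in lint_policy(broken, BUCKET):
        print(finding)
```

The verb check is a naming heuristic scoped to this policy, not a general test of whether an AWS action is read-only.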