Cloud Connections
Written by Nishan
Updated over 3 months ago

We recommend creating a brand new AWS sub-account and giving us permissions to connect to it. This is a best practice that isolates your organization's other resources. You can connect resources/services in two different AWS accounts via VPC peering if and when required. If you have a pre-existing AWS Organization setup, follow these instructions to create a new AWS sub-account. If not, sign up for a new AWS account.

How to get AWS cloud credentials

Overall, please follow these steps to get AWS credentials.

  1. Navigate to the IAM console

  2. Create a new IAM policy

  3. Create a new IAM user with the IAM policy (see below)

  4. Create security credentials / aws keys for the new IAM user

Detailed instructions for each of these steps follow.

Navigate to the IAM console

  1. Sign in to the AWS account.
    If you do not have an AWS account, create one first (Create AWS account).

  2. Once logged in, navigate to the IAM (Identity and Access Management) service by typing "IAM" in the search bar at the top and selecting IAM from the search results.

Create a new IAM policy

  1. In the IAM console, click on "Policies" from the navigation pane on the left side to access the IAM Policies page.

  2. Click the "Create policy" button located at the top right corner.

  3. In the Policy editor, select the "JSON" tab.

  4. Copy and paste the below policy JSON into the editor.

IAM Policy JSON:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["ec2:*", "eks:*", "acm:*", "s3:*", "autoscaling:*"],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "iam:ListAttachedRolePolicies",
          "iam:ListPolicies",
          "iam:ListRoles",
          "iam:ListRolePolicies",
          "iam:ListPolicyTags",
          "iam:ListPolicyVersions",
          "iam:ListOpenIDConnectProviders",
          "iam:ListOpenIDConnectProviderTags",
          "iam:ListRoleTags",
          "iam:GetPolicy",
          "iam:GetRole",
          "iam:GetPolicyVersion",
          "iam:GetRolePolicy",
          "iam:CreateRole",
          "iam:DeleteRole",
          "iam:DeleteOpenIDConnectProvider",
          "iam:UpdateAccessKey",
          "iam:UpdateOpenIDConnectProviderThumbprint",
          "iam:UpdateRole",
          "iam:UpdateRoleDescription",
          "iam:AttachRolePolicy",
          "iam:CreatePolicy",
          "iam:CreatePolicyVersion",
          "iam:DeletePolicy",
          "iam:DeleteRolePolicy",
          "iam:DetachRolePolicy",
          "iam:PutRolePolicy",
          "iam:UpdateAssumeRolePolicy",
          "iam:TagOpenIDConnectProvider",
          "iam:TagPolicy",
          "iam:TagRole",
          "iam:UntagPolicy",
          "iam:UntagRole",
          "iam:GetOpenIDConnectProvider",
          "iam:ListInstanceProfilesForRole",
          "iam:ListInstanceProfiles",
          "iam:ListInstanceProfileTags",
          "iam:ListGroups",
          "iam:ListGroupPolicies",
          "iam:ListAttachedGroupPolicies",
          "iam:GetGroup",
          "iam:GetGroupPolicy",
          "iam:CreateGroup",
          "iam:DeleteGroup",
          "iam:UpdateGroup",
          "iam:AttachGroupPolicy",
          "iam:DeleteGroupPolicy",
          "iam:DetachGroupPolicy",
          "iam:PutGroupPolicy",
          "iam:PassRole",
          "iam:CreateOpenIDConnectProvider",
          "iam:DeletePolicyVersion"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
          }
        }
      }
    ]
  }

Permissions and purpose:

  1. eks:* - To create an AWS-managed EKS cluster in the AWS account.

  2. ec2:* - To create the AWS VPC that hosts the EKS cluster and the EC2 resources attached to it.

  3. autoscaling:* - To set up auto-scaling policies for your workload.

  4. acm:* - To set up auto-renewing, AWS-managed SSL certificates.

  5. s3:* - To set up encrypted S3 buckets for data backups.

  6. iam (only the specific actions listed above) - To create the roles and policies needed to create, operate and run the EKS cluster and to attach EC2 nodes or an ALB to it in the AWS account. We don't need permissions to create new users or new credentials within the AWS account.

  5. Click "Next".

  6. Give the policy a suitable name and description.

  7. Click on the "Create policy" button to create the new IAM policy.
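As a review aid added here (not code from this article or the vendor's tooling), the following Python script checks a trimmed copy of the policy above against the intent stated in the permissions list: it confirms no granted pattern covers creating IAM users or new credentials, and it lists the service-wide wildcards and the credential- or delegation-related IAM actions the policy does grant. The FORBIDDEN and REVIEW lists are my own choice of what to flag.

```python
import fnmatch
import json

# Trimmed copy of the article's policy (constructed for this check): statement
# 1 in full, statement 2 with only the IAM actions the check cares about.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:*", "eks:*", "acm:*", "s3:*", "autoscaling:*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole",
                "iam:UpdateAccessKey", "iam:CreateOpenIDConnectProvider"],
     "Resource": "*"}
  ]
}"""

# Actions the article says the integration does not need: creating new
# users or new credentials. Any granted pattern covering them is a finding.
FORBIDDEN = ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"]
# Actions that change existing credentials or delegate privileges; the
# article grants some of them, so they deserve a deliberate decision in review.
REVIEW = ["iam:UpdateAccessKey", "iam:DeleteAccessKey", "iam:PassRole"]


def allowed_actions(policy):
    """Collect every Action pattern granted by an Allow statement."""
    acts = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            action = stmt["Action"]
            acts.update([action] if isinstance(action, str) else action)
    return acts


def grants(patterns, action):
    """True if any granted pattern covers action (IAM wildcards ignore case)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit(policy_json):
    """Return what a reviewer should see before attaching this policy."""
    granted = allowed_actions(json.loads(policy_json))
    return {
        "forbidden": [a for a in FORBIDDEN if grants(granted, a)],
        "review": [a for a in REVIEW if grants(granted, a)],
        # service-wide grants: the article intends exactly these five services
        "wildcard_services": sorted(p.split(":")[0] for p in granted if p.endswith(":*")),
    }
```

Run `audit(POLICY_JSON)` on the full policy from the article to see the same result; swapping the IAM action list for "iam:*" makes the forbidden check fail, which is the shortcut the audit is meant to catch.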

Create a new IAM user with the IAM policy

  1. After creating the IAM policy, navigate back to the IAM console and click on "Users" from the navigation pane on the left side to access the IAM Users page.

  2. Click on the "Create user" button located at the top right corner to start creating a new IAM user.

  3. Enter a user name for the new IAM user.
    Leave the "Provide user access to the AWS Management Console" checkbox unchecked. AWS console access is not required.

  4. Click on "Next".

  5. Under the "Permissions options" section, select "Attach policies directly", search by the policy name and select the policy you just created from the list.

  6. Click on the "Next: Review" button.

  7. Review the user details and the attached policies. Click on the "Create user" button to create the IAM user with the specified policy attached.

Create security credentials for the new IAM user

  1. After creating the user, select the user from the list on the IAM Users page.

  2. In the "Security credentials" tab, scroll down to the "Access keys" section.

  3. Click on the "Create access key" button.

  4. Once the access key is created, note down the "Access key ID" and "Secret access key". This is the only time you will be able to view the secret access key; store it securely, as it will not be shown again.
