Breadcrumbs

Step-3 : Create Role / IAM User

To carry out role-based steps, a Tenant ID is required. Please consult your partner company to share tenant id before moving forward.

Mavvrik supports both types of AWS authentications,

  1. Role Based

  2. Access/Secret Key Based

Role-based access is generally considered to be more secure than user-based access, as it allows organizations to control access to resources and functions based on defined roles and responsibilities. We recommend using roles over individual users whenever possible

Creating Role

  1. Go to IAM from the Services tab.

    image_1_iam.png

  2. Click on Roles from the left menu options and Click on Create Role

    image-20220705-045836.png

  3. Select AWS Accounts and select Another AWS Account from an AWS Account tab

    image-20230918-103203.png


    1. specify Account ID as 911403356698(This is the Account Id of Mavvrik which is universal)

    2. Check on options Require external ID and enter the tenant id(Please ask your partner to share tenant-id)

  4. Click Next, don’t select any permissions

  5. Click Next

  6. Enter the Role Name of your choice and Click Create Role.

    image-20230918-103412.png


  7. New Role should be created and displayed in the list.

    image-20220705-050515.png

  8. Click on the newly created Role which is navigated to the below page

    image-20220705-050602.png

  9. Click on Add Permissions -> Create Inline Policy under Permissions Tab & Click on JSON tab & replace existing JSON with the following JSON

    1. JSON

      JSON
      { 
   "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Desc*",
                "ce:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        },
        {
     "Effect": "Allow",
     "Action": [
                "cur:Get*",
                "cur:ValidateReportDestination",
                "cur:Describe*"
      ],
     "Resource": "*"
}
    ]
}

    2. And replace <BUCKET_NAME> on lines 11 & 12 with the name of the bucket captured in Step-1 : Enable CUR & Cost Explorer

    3. Finally, your window should look like the following image. Note that, the bucket name in the image is for reference, it shouldn’t be copied as is, instead you should put your own bucket name

  10. image-20230531-050344.png

    Review Policy, Name it & Click Create policy

    image-20220722-084626.png

  11. Capture ARN of the role we created from the summary section for the next steps.

image-20230918-104229.png


Creating IAM User & Access/Secret Keys

This step is not required if you have created a Role.

  1. Go to IAM from the Services tab & navigate to Users tab

    image-20230530-133428.png

  2. Click Add Users, enter name of your choice

    image-20230530-133602.png

  3. Skip permissions for now. Keep doing Next & finally Create User.

  4. Open the User you have created & click on Security credentials.

    image-20230530-133852.png

  5. Scroll down & click on Create access key

    image-20230530-134026.png


  6. Select Others & click on next

    image-20230530-134244.png

  7. Click on Create Access Key

  8. Save Access key ID and Secret access key for later use.

  9. Click Done

10. Navigate to the details of the user we just created

image-20220705-051039.png

  1. Click Add Inline Policy under Permissions Tab & Click on JSON tab & replace existing JSON with the following JSON

    1. JSON

      JSON
      { 
   "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Desc*",
                "ce:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        },
        {
     "Effect": "Allow",
     "Action": [
                "cur:Get*",
                "cur:ValidateReportDestination",
                "cur:Describe*"
      ],
     "Resource": "*"
}
    ]
}

    2. And replace <BUCKET_NAME> on lines 11 & 12 with the name of the bucket captured in Step-1 : Enable CUR & Cost Explorer

    3. Finally, your window should look like the following image. Note that, the bucket name in the image is for reference, it shouldn’t be copied as is, instead you should put your own bucket name

  2. image-20230531-050344.png

    Review the policy & click create

    image-20220722-084759.png