Obtain AWS credentials

1 Obtain credentials for an AWS account
- 1.1 Only use ONE set of AWS keys for each enterprise in each datacenter
2 Create a new user and obtain credentials
3 Example compute policy
4 Allow pricing actions
5 Manage credentials

This document describes how to obtain user credentials from an AWS to use compute features in Abiquo.
For details of how to configure the billing dashboard, see Display cloud provider billing data
For details of how to add credentials for billing only, see

Obtain credentials for an AWS account

To configure the AWS integration in Abiquo, you will need credentials to access your AWS account. Abiquo recommends that you use IAM users, as recommended by AWS.

Note that you may require separate credentials for some groups of regions, for example, regions in China.

AWS credentials are an Access Key ID and Secret Access Key.

Only use ONE set of AWS keys for each enterprise in each datacenter

AWS will allow you to generate two sets of active keys for each IAM user. However, in Abiquo you can only add one set per enterprise. If you try to add another set, for example, using the API, you will get an error message.

Abiquo provides this general guide to AWS credentials but AWS functionality may vary between accounts and change at any time. If you have any doubts, please check the AWS documentation.

Create a new user and obtain credentials

To obtain AWS credentials, you will need to assign a group and/or access policy to your user. If you already have a group and/or access policy, you can use them.

To can create a user in a new group with a new access policy, do these steps.

Open the AWS console
Go to Services (top left menu) → IAM → Users (left sidebar)
Click Add user
1. Enter the User name
2. Select Programmatic access
3. Click Next: Permissions
Under Add user to group, select a group or click Create group.
To create a group do these steps:
1. Enter the Group name
2. Select existing policies, or click Create policy
3. In the Create policy section, go to JSON, and enter your access policy, as provided by your system administrator.
  See below for an example policy
4. Click Review policy
5. Enter the Name and Description, check the resource access, and click Create policy
Go back to the previous browser tab with the Create group dialog open
1. Click Refresh
2. If you can't see the policy, filter by name to display it, and select the policy
3. Click Create group
On the Add user to group page, select the group
Click Next: Tags and enter the Key and Value of tags as required
Click Next: Review
Click Create user
To obtain user credentials, do these steps.
- Copy the Access key ID
- Click Show and copy the Secret access key.
- To download a credentials file, click Download .csv. By default the file will be saved as credentials.csv in your Downloads folder.
- Close the Credentials window.

Example compute policy

This policy is an example only. Please check your policy with your system administrator

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServerCertificate",
                "iam:UploadServerCertificate",
                "iam:ListServerCertificates",
                "iam:GetServerCertificate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": "*"
        },
        {
            "Action": [
                "pricing:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Allow pricing actions

To enable the platform to obtain pricing details from the AWS Pricing API, add pricing permissions to your main user's group or create a separate user and group with pricing permissions.

The pricing permissions are included in the following policy, which you could assign to your user's group. These permissions are already included in the previous example.

AWSPriceListServiceFullAccess

To create a new user with only pricing permissions, assign this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "pricing:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

To add pricing permissions to a policy, include the following JSON code in the "Statement" list:

Don't forget to add a comma before the new policy.

This policy is an example only. Please check your policy with your system administrator

Manage credentials

To manage credentials, do these steps.

From IAM → Users, click on the User Name
Go to Security Credentials
- Here you can manage the access keys. It is not necessary for the IAM user to have a password for login or MFA.

This is an example of the format of the credentials.csv file opened in a text editor:

The Access Key ID is the string of characters before the comma, which is AKIAJHWYJYNWV2RAAAAA in the above example.
The Secret Access Key for the Access Key ID is the string of characters after the comma, which is YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY in the above example.