Obtain AWS credentials

 

 

This document describes:

  1. How to obtain user credentials from an AWS standard or reseller account

  2. Example AWS permissions to use compute and billing features in Abiquo

  3. How to obtain user credentials for the customer of a reseller account

For required configuration of billing features, please see:

This is a general guide to AWS credentials but AWS functionality may vary between accounts and change at any time. If you have any doubts, please check the AWS documentation.

You may require separate credentials for some groups of regions, such as regions in China.


Obtain credentials for an AWS standard or reseller account

This section describes how to create a new user and obtain credentials for an AWS standard or reseller account. For reseller customers, see the section below.

  • An AWS IAM user for Abiquo:

    • Requires programmatic access

    • Does not require a password for login or MFA.

To obtain AWS access, you will need to assign a group and/or access policy to your user, as described in the sections below. If you already have a group and/or access policy, you can use them again.

AWS credentials are an Access Key ID and Secret Access Key that allow access the AWS APIs.

Before you begin:

  1. Check the access policy examples in the sections below with your Security Administrator

To create a user in a new group with a new access policy, do these steps. 

  1. Open the AWS console

  2. On the top left menu, go to Services →  IAM

  3. On the left sidebar, go to Users

  4. Click Add user

    1. Enter the User name

    2. Select Programmatic access

    3. Click Next: Permissions

  5. Under Add user to group, select a group or click Create group.
    To create a group do these steps:

    1. Enter the Group name

    2. Select existing policies, or click Create policy

    3. In the Create policy section, go to JSON, and enter your access policy, as provided by your Security Administrator. See below for example policies

    4. Click Review policy

    5. Enter the Name and Description, check the resource access, and click Create policy

  6. Go back to the previous browser tab with the Create group dialog open

    1. Click Refresh

    2. If you can't see the policy, search and filter by Name to display it, and select the policy

    3. Click Create group

  7. On the Add user to group page, select the group

  8. Click Next: Tags and enter the Key and Value of tags as required

  9. Click Next: Review

  10. Click Create user

  11. To obtain user credentials, do these steps.

    1. Copy the Access key ID

    2. Click Show and copy the Secret access key

    3. To download a credentials file, click Download .csv.
      By default the file will be saved as credentials.csv in your Downloads folder. 

    4. Close the Credentials window

 

Manage credentials

For an existing user, to manage access keys.

  1. From IAM → Users, click on the user name

  2. Go to Security Credentials

  3. Create, deactivate, and delete access keys as required

 

Credentials file format

This is an example of the format of the credentials.csv file when you open it in a text editor:

User Name,Access Key Id,Secret Access Key "MJSB",AKIAJHWYJYNWV2RAAAAA,YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
  1. The Access Key ID is the string of characters before the comma, which is AKIAJHWYJYNWV2RAAAAA in the above example.

  2. The Secret Access Key for the Access Key ID is the string of characters after the comma, which is YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY in the above example.

 


AWS Policy examples

These policies are examples only. Please check your policies with your system administrator.

Example compute policy

This is an example of a policy that will let you work with the compute features in AWS.

 

{ "Version": "2012-10-17", "Statement": [ { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" }, { "Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:DeleteServerCertificate", "iam:UploadServerCertificate", "iam:ListServerCertificates", "iam:GetServerCertificate" ], "Resource": "*" }, { "Effect": "Allow", "Action": "autoscaling:*", "Resource": "*" } ] }

 


Standard account pricing and billing policy

The following policy lets the user manage pricing and billing for a standard account that is not a partner organization.

The “Sids” for specific actions are as follows.

  • Pricing requires: Pricing

  • To run the billing check tool requires: BillingCheckTool

  • To run the billing process requires: Billing

 

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Pricing", "Effect": "Allow", "Action": [ "pricing:*" ], "Resource": [ "*" ] }, { "Sid": "BillingCheckTool", "Effect": "Allow", "Action": [ "ce:GetCostAndUsage" "organizations:ListAccounts", "organizations:ListRoots" ], "Resource": [ "*" ] }, { "Sid": "Billing", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::billingprogramatic", "arn:aws:s3:::billingprogramatic/*" ] } ] }

 


Reseller pricing and billing policy

The following policy lets the user manage pricing and billing for an AWS partner organization.

The “Sids” for specific actions are as follows.

  • Pricing requires: Pricing

  • To add billing only credentials requires: BillingOnlyCredentials

  • To run the billing check tool requires: BillingCheckTool

  • To run the billing process requires: Billing

 

 


Policy to create an account using Abiquo

To use the Create account feature in Abiquo, add this statement to your AWS account policy.

 


Obtain billing-only credentials for customers of AWS resellers

For the customer of a reseller account, the AWS credentials are the customer Account ID.

  1. In AWS, go to the customer account, NOT the main AWS partner account

  2. Obtain the customer’s Account ID

Add this customer credential to a customer enterprise on the Public tab and select the Billing only checkbox

 

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved