Obtain AWS credentials

 

 

This document describes:

  1. How to obtain user credentials from an AWS standard or reseller account

  2. Example AWS permissions to use compute and billing features in Abiquo

  3. How to obtain user credentials for the customer of a reseller account

For required configuration of billing features, please see:

This is a general guide to AWS credentials but AWS functionality may vary between accounts and change at any time. If you have any doubts, please check the AWS documentation.

You may require separate credentials for some groups of regions, such as regions in China.


Obtain credentials for an AWS standard or reseller account

This section describes how to create a new user and obtain credentials for an AWS standard or reseller account. For reseller customers, see the section below.

  • An AWS IAM user for Abiquo:

    • Requires programmatic access

    • Does not require a password for login or MFA.

To obtain AWS access, you will need to assign a group and/or access policy to your user, as described in the sections below. If you already have a group and/or access policy, you can use them again.

AWS credentials are an Access Key ID and Secret Access Key that allow access to the AWS APIs.

Before you begin:

  1. Check the access policy examples in the sections below with your Security Administrator

To create a user in a new group with a new access policy, do these steps. 

  1. Open the AWS console

  2. On the top left menu, go to Services →  IAM

  3. On the left sidebar, go to Users

  4. Click Add user

    1. Enter the User name

    2. Select Programmatic access

    3. Click Next: Permissions

  5. Under Add user to group, select a group or click Create group.
    To create a group do these steps:

    1. Enter the Group name

    2. Select existing policies, or click Create policy

    3. In the Create policy section, go to JSON, and enter your access policy, as provided by your Security Administrator. See below for example policies

    4. Click Review policy

    5. Enter the Name and Description, check the resource access, and click Create policy

  6. Go back to the previous browser tab with the Create group dialog open

    1. Click Refresh

    2. If you can't see the policy, search and filter by Name to display it, and select the policy

    3. Click Create group

  7. On the Add user to group page, select the group

  8. Click Next: Tags and enter the Key and Value of tags as required

  9. Click Next: Review

  10. Click Create user

  11. To obtain user credentials, do these steps.

    1. Copy the Access key ID

    2. Click Show and copy the Secret access key

    3. To download a credentials file, click Download .csv.
      By default the file will be saved as credentials.csv in your Downloads folder. 

    4. Close the Credentials window

 

Manage credentials

To manage access keys for an existing user, do these steps.

  1. From IAM → Users, click on the user name

  2. Go to Security Credentials

  3. Create, deactivate, and delete access keys as required

 

Credentials file format

This is an example of the format of the credentials.csv file when you open it in a text editor:

User Name,Access Key Id,Secret Access Key
"MJSB",AKIAJHWYJYNWV2RAAAAA,YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

  1. The Access Key ID is the string of characters between the first and second commas, which is AKIAJHWYJYNWV2RAAAAA in the above example.

  2. The Secret Access Key for the Access Key ID is the string of characters after the last comma, which is YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY in the above example.
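
The following Python sketch is an added example, not part of the Abiquo documentation. It reads a credentials.csv in the layout shown above, looks the columns up by header name (an assumption, so that a missing User Name column or different header capitalisation still parses), produces a log line that never contains the secret, and checks whether the downloaded file is readable by other local users. All function names are hypothetical.

```python
import csv
import io
import os
import stat

# Constructed sample in the layout shown above (placeholder values from this page).
SAMPLE_CSV = (
    "User Name,Access Key Id,Secret Access Key\n"
    '"MJSB",AKIAJHWYJYNWV2RAAAAA,YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY\n'
)


def parse_credentials_csv(text):
    """Return one dict per key row, looked up by header name, not by position."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text.lstrip("\ufeff"))):
        row = {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}
        key_id = row.get("access key id", "")
        secret = row.get("secret access key", "")
        if not key_id or not secret:
            raise ValueError("missing Access Key Id or Secret Access Key column")
        rows.append({"user": row.get("user name", ""),
                     "access_key_id": key_id,
                     "secret_access_key": secret})
    return rows


def redacted(row):
    """Summary that is safe to log: the secret is never included."""
    key_id = row["access_key_id"]
    return f"{row['user'] or '-'} {key_id[:4]}...{key_id[-4:]}"


def too_permissive(path):
    """True if group or other users have any access to the file (POSIX modes)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":
    for entry in parse_credentials_csv(SAMPLE_CSV):
        print(redacted(entry))
```

The too_permissive check relies on POSIX mode bits, so it is meaningful on Linux and macOS only.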

 


AWS Policy examples

These policies are examples only. Please check your policies with your system administrator.

Example compute policy

This is an example of a policy that will let you work with the compute features in AWS.

 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DeleteServerCertificate",
        "iam:UploadServerCertificate",
        "iam:ListServerCertificates",
        "iam:GetServerCertificate"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}

 


Standard account pricing and billing policy

The following policy lets the user manage pricing and billing for a standard account that is not a partner organization.

The “Sids” for specific actions are as follows.

  • Pricing requires: Pricing

  • To run the billing check tool requires: BillingCheckTool

  • To run the billing process requires: Billing

 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Pricing",
      "Effect": "Allow",
      "Action": [
        "pricing:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "BillingCheckTool",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "organizations:ListAccounts",
        "organizations:ListRoots"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Billing",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::billingprogramatic",
        "arn:aws:s3:::billingprogramatic/*"
      ]
    }
  ]
}
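
To support the policy review with your Security Administrator, this added Python example (not part of the Abiquo documentation) lists the Allow statements in a policy that use wildcard actions or apply to every resource. The function names are hypothetical, and the sample policy is constructed from statements in the example policies above, one of them shortened.

```python
import json

# Constructed sample: statements taken (one shortened) from the example policies above.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["iam:ListServerCertificates", "iam:GetServerCertificate"],
   "Resource": "*"},
  {"Sid": "Billing", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::billingprogramatic",
                "arn:aws:s3:::billingprogramatic/*"]}
 ]}
""")


def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def review_policy(policy):
    """Return (statement label, finding) pairs for broadly scoped Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{index}]")
        wild = [a for a in as_list(stmt.get("Action")) if "*" in a]
        if wild:
            findings.append((label, "wildcard action: " + ", ".join(wild)))
        if "*" in as_list(stmt.get("Resource")):
            findings.append((label, 'applies to all resources (Resource "*")'))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((label, "NotAction/NotResource present: review by hand"))
    return findings


if __name__ == "__main__":
    for label, finding in review_policy(SAMPLE_POLICY):
        print(f"{label}: {finding}")
```

A finding is a prompt for review rather than an error: some AWS actions do not support resource-level permissions, so Resource "*" cannot always be narrowed.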

 


Reseller pricing and billing policy

The following policy lets the user manage pricing and billing for an AWS partner organization.

The “Sids” for specific actions are as follows.

  • Pricing requires: Pricing

  • To add billing only credentials requires: BillingOnlyCredentials

  • To run the billing check tool requires: BillingCheckTool

  • To run the billing process requires: Billing

 

 


Policy to create an account using Abiquo

To use the Create account feature in Abiquo, add this statement to your AWS account policy.

 

Policy to create an account in an organizational unit using Abiquo

To use the Create account feature and select or create an organizational unit in which to create the account, add this statement to your AWS account policy, to replace the basic Create account policy.

 

 


Obtain billing-only credentials for customers of AWS resellers

For the customer of a reseller account, the AWS credentials are the customer Account ID.

  1. In AWS, go to the customer account, NOT the main AWS partner account

  2. Obtain the customer’s Account ID

Add this customer credential to a customer enterprise on the Public tab and select the Billing only checkbox.

 

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved