Setting up an AWS IAM user

Perform the following tasks to set up an IAM user for use with Turbonomic.

For any deployment of Turbonomic, you can set up an IAM user that the AWS target uses to connect to one of the following accounts:

  • Management account for a multi-account AWS target

    If you want an AWS target in Turbonomic to manage multiple accounts, follow the instructions in this topic to set up an IAM user for the management account.

    Note:

    For Turbonomic SaaS deployments, you can also set up an IAM role. If you prefer an IAM role, skip this topic and follow the instructions for setting up an IAM role instead.

    For the member accounts, you need to set up an IAM role, called a cross-account IAM role.

  • Management or member account for a single-account AWS target

    If you want an AWS target in Turbonomic to manage only a single account (either a management or member account), follow the instructions in this topic to set up an IAM user for the account.

    Note:

    For Turbonomic SaaS deployments, you can also set up an IAM role. If you prefer an IAM role, skip this topic and follow the instructions for setting up an IAM role instead.

Guidelines

  • Turbonomic recommends setting up an IAM user group that has the necessary permissions and then adding the IAM user to that group.

  • If the IAM user that you are setting up also grants Turbonomic access to your billing data, the IAM user requires access to the S3 bucket that contains your data export. Billing access is not required.

    Turbonomic uses a data export stored in an S3 bucket to visualize historical cloud expenses, and discover discounts and billing family relationships.

    Note:

    You will set up a data export in a later task.

Task overview

To set up an IAM user, perform the following tasks in the AWS Management Console:

  1. Create IAM policies that specify the permissions that Turbonomic needs to connect to AWS.

  2. Create an IAM user and then assign the policies that you created to that user.

  3. Generate an access key for the IAM user.

Creating IAM policies

  1. Sign in to the AWS Management Console and open the IAM console.

    https://console.aws.amazon.com/iam/

  2. In the navigation pane, choose Policies.

  3. Choose Create policy.

  4. In the Policy editor section, choose JSON.

  5. Download the JSON file that contains the Turbonomic minimum permissions and then copy the permissions to the JSON field.

    The JSON file that you need to download depends on the account that the AWS target manages (see the introduction in this topic for more information), and the operations that are allowed on the workloads in the given account. Choose one of the following JSON files to download.

    | Account | Turbonomic operations | Download link |
    | --- | --- | --- |
    | Management account for a multi-account AWS target | Monitor workloads and automatically execute actions for the workloads | Minimum permissions |
    | Management account for a multi-account AWS target | Only monitor workloads. Actions for the workloads are executed in AWS. | Minimum permissions |
    | Management or member account for a single-account AWS target | Monitor workloads and automatically execute actions for the workloads | Minimum permissions |
    | Management or member account for a single-account AWS target | Only monitor workloads. Actions for the workloads are executed in AWS. | Minimum permissions |

    To retrieve billing data in your data export, use the minimum permissions for billing data monitoring.

  6. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Next.

  7. In the Review and create page, type a Policy Name and a Description (optional) for the policy that you are creating.

  8. Choose Create policy.
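An added example, not part of the Turbonomic documentation: a review of a downloaded policy file before it is pasted into the JSON editor in step 5. It flags wildcard actions and, for the monitor-only variant, any action whose verb is not read-style. The read-verb prefix list, the function names and the sample policy are assumptions constructed for illustration; the sample is not the Turbonomic policy file.

```python
import json

# Verb prefixes treated as read-only (assumption; extend for the services you use).
READ_PREFIXES = ("describe", "get", "list", "batchget", "lookup", "select", "search")

def as_list(value):
    """IAM accepts a string or a list for Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def review_policy(policy_json, monitor_only):
    """Return (sid, finding) tuples for the Allow statements of an IAM policy."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows everything except the listed actions"))
        for action in as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append((sid, f"wildcard action {action}"))
            # IAM action names are case-insensitive, so compare in lower case.
            elif monitor_only and not verb.lower().startswith(READ_PREFIXES):
                findings.append((sid, f"non-read action {action} in monitor-only policy"))
    return findings

# Constructed sample policy, NOT the Turbonomic minimum-permissions file.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Discovery", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "cloudwatch:GetMetricData"], "Resource": "*"},
        {"Sid": "Scaling", "Effect": "Allow",
         "Action": "ec2:ModifyInstanceAttribute", "Resource": "*"},
        {"Sid": "Broad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for sid, finding in review_policy(SAMPLE_POLICY, monitor_only=True):
        print(f"{sid}: {finding}")
```

Pass `monitor_only=False` when reviewing a policy that is meant to let Turbonomic execute actions; only wildcard and `NotAction` findings are reported in that mode.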

Creating an IAM user

  1. In the navigation pane of the IAM console, select Users and then choose Create user.

  2. Specify your preferred user name and then choose Next.

  3. Select Attach policies directly, select the policy or policies that you created in the previous task, and then choose Next.

  4. Review the user details and then choose Create user.

Generating an access key for the IAM user

  1. In the navigation pane of the IAM console, select Users and then choose the user that you created in the previous task.

  2. Choose Security credentials, scroll to the Access keys section, and then choose Create access key.

  3. Choose Third-party service and then choose Next.

  4. (Optional) Set a description tag value to describe the purpose of the access key.

  5. Choose Create access key.

  6. Record the access key ID and secret access key. You will need this information later when you add an AWS target in the Turbonomic user interface.

Next step

If the IAM user that you just set up is for:

  • The management account in a multi-account target, set up a cross-account IAM role for the member accounts. For details, see this topic.

  • A management or member account in a single-account target, you do not need to set up a cross-account IAM role. The next step is to set up a data export for use with the AWS Billing target. For details, see this topic.