This guide will walk you through creating a new user in your AWS account specifically for cloud cost analysis. This user will have secure, read-only access to your AWS environment with special permissions for cost tools.
What we’ll do:
- Assign the Role to the User.
- Create a new IAM User for the Helyx Optimiser.
- Create a custom IAM Policy that defines the precise permissions.
- Create an IAM Role and attach the policy to it.
Step 1: Create the IAM User
- Log in to your AWS Management Console.
- In the search bar at the top, type IAM and select it from the results.
- In the left-hand menu, click Users.
- Click the orange Create user button.
- User name: Enter
HelyxOptimiser - Select AWS credential type: Check the box for Provide user access to the AWS Management Console. Then, select I want to create a custom password.
- Console password: <<HELYX WILL SEND THIS TO YOU>>
- Uncheck the box that says “User must create a new password at next sign-in”. We want the password to stay the same.
- Click Next.
Step 2: Create the Custom Permissions Policy
We will now create a policy that grants the required read-only and cost-specific access.
- In the IAM menu on the left, click Policies.
- Click the Create policy button.
- Click on the JSON tab. You will see some default text. Delete it and paste the policy below.
- Click Next.
- Policy name: Enter HelyxCostExplorerAccess.
- Description: You can add a description like “Grants access to Cost Explorer and Cost & Usage Reports for Helyx Optimiser”.
- Review the policy and click Create policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CostAndUsageReportAccess",
"Effect": "Allow",
"Action": [
"aws-portal:ViewBilling",
"aws-portal:ViewUsage",
"ce:DescribeReport",
"ce:Get*",
"ce:List*",
"cur:DescribeReportDefinitions"
],
"Resource": "*"
}
]
}Step 3: Create a Role and Attach the Policies
Using a Role is a best practice for assigning permissions.
- In the IAM menu on the left, click Roles.
- Click Create role.
- Trusted entity type: Select AWS service.
- Use case: Select EC2. Click Next.
- On the Add permissions page, you will attach two policies:
- Search for
ReadOnlyAccess. Check the box for the policy named ReadOnlyAccess (it has the ARNarn:aws:iam::aws:policy/ReadOnlyAccess). - Search for
HelyxCostExplorerAccess. Check the box for the custom policy you just created.
- Search for
- Click Next.
- Role name: Enter
HelyxCostAnalysisRole. - (Optional but recommended) Scroll down to the Tags section. Add a tag:
- Key:
owner - Value:
HELYX
- Key:
- Click Create role.
Step 4: Assign the Role to the User
Now, let’s connect the user to the role.
- Go back to IAM > Users and click on the
HelyxOptimiseruser you created. - Click on the Permissions tab.
- In the “Permissions policies” section, click Add permissions.
- Choose Attach policies directly.
- We need to create an inline policy to grant the user permission to assume the role. Click the JSON tab and paste the following policy, replacing
YOUR-AWS-ACCOUNT-IDwith your actual 12-digit AWS account number. - Click Next.
- Policy name: Enter
AssumeHelyxCostAnalysisRole. - Click Create policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::YOUR-AWS-ACCOUNT-ID:role/HelyxCostAnalysisRole"
}
]
}Step 5: Final Step – How to Log In
The user is now set up! To log in as this user:
- Go to the AWS sign-in page. The URL is specific to your account and will look like this:
https://YOUR-AWS-ACCOUNT-ID.signin.aws.amazon.com/console
You can find this unique link in the IAM dashboard under “IAM users sign-in link”. - Enter the Username:
HelyxOptimiser. - Enter the Password:
<<USE PASSWORD GIVEN>>
Important: The first time the user logs in, they will need to switch to the role to get the permissions.
- After signing in, in the top-right navigation bar, click on your username
HelyxOptimiser. - A dropdown will appear. Click Switch role.
- Account: Enter your 12-digit AWS Account ID.
- Role: Enter
HelyxCostAnalysisRole(the name of the role you created). - Display color: You can pick a color like blue (optional).
- Display name: Enter
Helyx Cost Analysis(optional). - Click Switch Role.
You are now logged in with the correct permissions for the Helyx Optimiser to perform cloud cost analysis!
Automated Setup with AWS CloudFormation
Use this simplified CloudFormation template to set everything up automatically.
- Log in to the AWS CloudFormation console.
- Click Create stack > With new resources (standard).
- Under “Specify template”, select Upload a template file. Upload the file you save from the code below.
- Click Next.
- Stack name: Enter
HelyxCostAnalysisSetup. - Click Next, click Next again, and finally click Create stack.
# Save this as a .yaml file, e.g., helyx-cost-setup-simple.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Creates IAM User, Role, and Policy for Helyx Optimiser Cost Analysis using AWS ReadOnlyAccess'
Parameters:
Username:
Type: String
Default: HelyxOptimiser
Description: The name for the IAM User.
ConsolePassword:
Type: String
Default: <<GIVEN TO CLIENT>>
NoEcho: true
Description: The console password for the IAM User.
Resources:
# 1. Create the IAM User
HelyxUser:
Type: AWS::IAM::User
Properties:
UserName: !Ref Username
LoginProfile:
Password: !Ref ConsolePassword
PasswordResetRequired: false
Tags:
- Key: owner
Value: HELYX
# 2. Create the Custom Cost Policy (only the cost-specific actions)
HelyxCostExplorerPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: HelyxCostExplorerAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: CostAndUsageReportAccess
Effect: Allow
Action:
- "aws-portal:ViewBilling"
- "aws-portal:ViewUsage"
- "ce:DescribeReport"
- "ce:Get*"
- "ce:List*"
- "cur:DescribeReportDefinitions"
Resource: "*"
# 3. Create the IAM Role and attach both policies
HelyxCostAnalysisRole:
Type: AWS::IAM::Role
Properties:
RoleName: HelyxCostAnalysisRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess # Built-in AWS Policy
- !Ref HelyxCostExplorerPolicy # Our Custom Policy
Tags:
- Key: owner
Value: HELYX
# 4. Create an Inline Policy for the User to Assume the Role
UserAssumeRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: AssumeHelyxCostAnalysisRole
Users:
- !Ref HelyxUser
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: sts:AssumeRole
Resource: !GetAtt HelyxCostAnalysisRole.Arn
Outputs:
IAMUserName:
Description: The name of the created IAM User for Helyx.
Value: !Ref HelyxUser
SignInURL:
Description: The URL for the Helyx user to sign in to the console.
Value: !Sub 'https://${AWS::AccountId}.signin.aws.amazon.com/console'
RoleARN:
Description: The ARN of the Role the user must switch to.
Value: !GetAtt HelyxCostAnalysisRole.Arn
Leave a Reply