IBM Apptio

IBM Apptio

A place for Apptio product users to learn, connect, share and grow together.

 View Only
Back to Library

Apptio - AWS IAM Policy 

Thu October 26, 2017 04:18 PM

♦ Applies to: Apptio Cost Transparency or Apptio Cloud Cost Management running on TBM Studio v12.3.3 or later.

 

The attached document includes the JSON-based IAM policy required when setting up a new role in AWS.  This IAM policy includes various permissions allowing Datalink to access data in your AWS environment that CCM requires to provide analytics around your AWS cost and consumption as well as Trusted Advisor recommendations.  The following figure highlights the various sections within the IAM policy. 

 

NOTE: Only the first section (S3-related) is required for users of the multicloud connector.

 

 

*The Support API is the only option for accessing Trusted Advisor data and requires the support.* permission to function correctly. The screenshot below from AWS documentation illustrates the limitation and for more information, you can refer to AWS documentation available here: Getting Started with AWS Support - AWS Support 


#public cloud
#cloud cost management








#AWS
#TBMStudio
#CostingStandard(CT-Foundation)
#CloudServices
#Costing

Statistics
0 Favorited
1 Views
1 Files
0 Shares
0 Downloads
Attachment(s)
zip file
Apptio_IAM_policy.zip   424 B   1 version
Uploaded - Tue October 29, 2024
 
Download

Comments

Keane Riley
Wed July 10, 2019 02:44 PM

Hey @Randall Tennant, unfortunately I don't have the documentation off the top of my head. This was something one of my customers experienced and @Kyle Yurchak was able to confirm in his personal account that "support:*" creates an error in the AWS IAM policy console:

 

"IAM does not recognize this service.  The service might include a type or might be a previewed or custom service".


#CostingStandard(CT-Foundation)

Apptio Community Member
Tue July 09, 2019 04:01 PM

Hi Keane... would you be able to point me to documentation from AWS that describes this change?  I've done a search and have only found the original posts which stills upport support.* as the policy that will function with Trusted Advisor (see the comments on this page: https://iam.cloudonaut.io/reference/trustedadvisor.html)

 

Many thanks,

Randy


#CostingStandard(CT-Foundation)

Keane Riley
Tue July 09, 2019 03:44 PM

It would appear AWS has updated their keywords and now to access Trusted Advisor you need to use "trustedadvisor:*" instead of "support:*"

 

 

EDIT: to clear any confusion, support:* is required still, the warning I received using it did not affect its permissions. Please disregard my original comment.


#CostingStandard(CT-Foundation)