
# (AWS) Service Account Policy Management

## Service Account Policy

Before creating a Service Account, review the IAM policy attached to the API user whose keys you are about to register and adjust it where necessary.

Scoping the policy isolates the resources SpaceONE may act on from those that are not power-scheduled, so a misconfigured schedule cannot stop or reboot anything outside its intended scope.

To create an API user for each use case, follow the directions below.

* [General Collector](/user-guide/identity/service-account/service-account-policy-management.md#how-to-create-readonly-policy-in-aws)
* [Power Scheduler Service](/user-guide/identity/service-account/service-account-policy-management.md#powerscheduler)
* [Personal Health Dashboard/Trusted Advisor Collector](/user-guide/identity/service-account/service-account-policy-management.md#aws-personal-health-dashboard-trusted-advisor)

If internal regulations require one explicitly enumerated policy instead of the AWS managed ones, create the policy below and attach it when creating the API user.

* [Overall IAM Policy Superset](/user-guide/identity/service-account/service-account-policy-management.md#overall-iam-policy-superset)

## General Collector

Collectors need nothing beyond read permission, so we strongly recommend restricting the API user to **read-only access**.

You can tighten this further with regional or resource-based restrictions; a useful example is limiting the user's rights to a single region.

To use the full range of SpaceONE collectors with the least setup, attach the AWS managed ***ReadOnlyAccess*** policy. Be aware that it grants read access to data as well as to metadata (for example `s3:Get*`, which includes `s3:GetObject`), which is more than a collector needs.

**Step 1. Log in AWS Console > IAM**

Go to IAM > Users > Add user

![](/files/-MT4d5tpm8MqTjWLu017)

**Step 2. Set User Details**

Enter a ***User name*** and set the access type to ***Programmatic access***.

![](/files/-MT4dpGR4o82a3pLd8hS)

**Step 3. Set API Permission**

Set the permission to the ***ReadOnlyAccess*** managed policy.

Click ***Attach existing policies directly***, then enter ***readonly*** in the policy search bar.

Select the ***ReadOnlyAccess*** managed policy as shown below.

![](/files/-MT4esKyQKD1-SfSEoyP)

**Step 4. Add tags**

***You can skip this step*** and move on to the next one.

SpaceONE collectors do not use IAM tags.

![](/files/-MT4gp9W9NlePJ4ZbYmQ)

**Step 5. Review**

Check the details you entered, then click ***Create user*** at the bottom right of the page.

![](/files/-MT4hEy_E607nBNrLUI1)

**Step 6. Copy Key Pair**

The IAM access key pair has been created. ***Copy the Access key ID and Secret access key now and store them securely*** (in a secrets manager, not in a chat message or a shared document).

The secret access key is shown only once and cannot be retrieved later. If you lose it, create a new access key for the user and delete the lost one; the user itself does not need to be recreated.

![](/files/-MT4iAI1_vON98UQRguy)

## PowerScheduler

The suggested IAM policy for the ***SpaceONE Power Scheduler*** service is below. As written, its `Resource` is `*`, so the credential can start, stop and reboot every instance, database and Auto Scaling group in the account; narrow the `Resource` ARNs by region (the superset policy at the end of this page shows the region-scoped form) or add a tag condition if the scheduler should only touch selected resources.

**Step 1. Create Policy**

Go to IAM > Policies > Create policy

![](/files/-MT4yXlnLe_ezqSa4Fp2)

**Step 2. Attach Policy Definitions**

Switch to the JSON tab, paste the policy definition below, then click ***Review policy***.

{% tabs %}
{% tab title="AWS" %}

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:StartDBCluster",
                "rds:StopDBCluster",
                "rds:StartDBInstance",
                "rds:StopDBInstance",
                "rds:RebootDBInstance",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": "*"
        }
    ]
}
```

{% endtab %}
{% endtabs %}

**Step 3. Review Policy**

Enter a policy name and description, then click ***Create policy***.

![](/files/-MT8pYB-50nW928K4gEP)

**Step 4. Log in AWS Console > IAM**

Go to IAM > Users > Add user

![](/files/-MT4d5tpm8MqTjWLu017)

**Step 5. Set User Detail**

Enter a ***User name*** and set the access type to ***Programmatic access***.

![](/files/-MT4dpGR4o82a3pLd8hS)

**Step 6. Set API Permission**

Attach all of the policies below; each is required for the scheduler to work:

* AmazonDynamoDBReadOnlyAccess
* AmazonEC2ReadOnlyAccess
* AmazonRDSReadOnlyAccess
* AutoScalingReadOnlyAccess
* **Policy created in step 3**

![](/files/-MT536DUCTlBv_HoL--1)

**Step 7. Review**

Make sure all the permissions from Step 6 are included, then click ***Create user***.

![](/files/-MT53jmuV-aP5ruykJOz)

**Step 8. Copy Key Pair**

The IAM access key pair has been created. ***Copy the Access key ID and Secret access key now and store them securely*** (in a secrets manager, not in a chat message or a shared document).

The secret access key is shown only once and cannot be retrieved later. If you lose it, create a new access key for the user and delete the lost one; the user itself does not need to be recreated.

![](/files/-MT4iAI1_vON98UQRguy)
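The policy above uses `"Resource": "*"`, so a misconfigured schedule can stop any instance or database in the account. The following Python example, added here and not part of the SpaceONE documentation or code base, shows the same actions restricted to one region and to resources carrying a scheduling tag (the tag key `spaceone:power-schedule` and the value `enabled` are assumptions), together with a small policy evaluator that checks the difference offline. The evaluator models only what the comparison needs (Allow/Deny, `*`/`?` wildcards in Action and Resource, and a `StringEquals` condition on `aws:ResourceTag/<key>`); it is not a substitute for the IAM policy simulator.

```python
"""Scoping the Power Scheduler policy to tagged resources (added example)."""
import re

SCHEDULE_TAG = "spaceone:power-schedule"   # assumed tag key; pick your own convention
POWER_ACTIONS = [
    "rds:StartDBCluster", "rds:StopDBCluster", "rds:StartDBInstance",
    "rds:StopDBInstance", "rds:RebootDBInstance",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
]

# The statement as it appears on this page: every instance/database in the account.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": POWER_ACTIONS, "Resource": "*"}],
}


def power_scheduler_policy(region="*", tag_value="enabled"):
    """Same actions, limited to one region and to resources tagged SCHEDULE_TAG=tag_value.

    EC2 and RDS accept aws:ResourceTag on these start/stop/reboot actions. The Auto
    Scaling actions are left out here; check the Service Authorization Reference
    before adding them with a tag condition.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PowerSchedulerTaggedOnly",
            "Effect": "Allow",
            "Action": POWER_ACTIONS,
            "Resource": [
                f"arn:aws:ec2:{region}:*:instance/*",
                f"arn:aws:rds:{region}:*:db:*",
                f"arn:aws:rds:{region}:*:cluster:*",
            ],
            "Condition": {"StringEquals": {f"aws:ResourceTag/{SCHEDULE_TAG}": tag_value}},
        }],
    }


def _match(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """Only StringEquals is modelled; any other operator is treated as not satisfied."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, resource_tags=None):
    """Minimal identity-policy evaluation: explicit Deny wins, otherwise any matching Allow.

    Action names are case-insensitive, resource ARNs are not, and the only request
    context modelled is the resource's tags, exposed as aws:ResourceTag/<key>.
    """
    context = {f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(p, resource, False) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    scoped = power_scheduler_policy(region="ap-northeast-2")
    inst = "arn:aws:ec2:ap-northeast-2:123456789012:instance/i-0123456789abcdef0"  # constructed ARN
    for name, tags in (("scheduled", {SCHEDULE_TAG: "enabled"}), ("untagged", {})):
        print(f"{name:>9}: unscoped={is_allowed(UNSCOPED_POLICY, 'ec2:StopInstances', inst, tags)}"
              f" scoped={is_allowed(scoped, 'ec2:StopInstances', inst, tags)}")
```

Running it shows `ec2:StopInstances` on an untagged instance allowed under the page's policy and denied under the scoped one; an instance in another region or an action outside the list (such as `ec2:TerminateInstances`) is denied under both.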

## AWS Personal Health Dashboard/Trusted Advisor

To use advanced AWS collectors such as the ***Personal Health Dashboard/Trusted Advisor*** collector, the AWS account must be on a ***Business*** or higher Support plan (the AWS Support API that these collectors call is not available on the Basic or Developer plans), and the additional IAM policy below must be attached.

**Step 1. Create Policy**

Go to IAM > Policies > Create policy

![](/files/-MT4yXlnLe_ezqSa4Fp2)

**Step 2. Attach Policy Definitions**

Switch to the JSON tab, paste the policy definition below, then click ***Review policy***.

![](/files/-MT5ATfhSHqvTaek_AVU)

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "support:DescribeAttachment",
                "support:DescribeCaseAttributes",
                "support:DescribeCases",
                "support:DescribeCommunications",
                "support:DescribeIssueTypes",
                "support:DescribeServices",
                "support:DescribeSeverityLevels",
                "support:DescribeSupportLevel",
                "support:DescribeTrustedAdvisorCheckRefreshStatuses",
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorChecks",
                "support:DescribeTrustedAdvisorCheckSummaries",
                "support:SearchForCases"
            ],
            "Resource": "*"
        }
    ]
}
```

**Step 3. Review Policy**

Enter a policy name and description, then click ***Create policy***.

![](/files/-MT5Am0DqcdyBWrEXMvQ)


**Step 4. Log in AWS Console > IAM**

Go to IAM > Users > Add user

![](/files/-MT4d5tpm8MqTjWLu017)

**Step 5. Set User Detail**

Enter a ***User name*** and set the access type to ***Programmatic access***.

![](/files/-MT4dpGR4o82a3pLd8hS)

**Step 6. Set API Permission**

Attach all of the policies shown below, including the policy created in Step 3; each is required for the collector to work.

![](/files/-MT5EhS-OxdxaC_jBtle)

**Step 7. Review**

Make sure all the permissions from Step 6 are included, then click ***Create user***.

![](/files/-MT53jmuV-aP5ruykJOz)

**Step 8. Copy Key Pair**

The IAM access key pair has been created. ***Copy the Access key ID and Secret access key now and store them securely*** (in a secrets manager, not in a chat message or a shared document).

The secret access key is shown only once and cannot be retrieved later. If you lose it, create a new access key for the user and delete the lost one; the user itself does not need to be recreated.

![](/files/-MT4iAI1_vON98UQRguy)
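The three console walkthroughs on this page (General Collector, PowerScheduler, Personal Health Dashboard/Trusted Advisor) are the same sequence with different policies: create any custom policy, create the user, attach the policies, create the access key, copy the secret once. The Python example below, added here and not SpaceONE's own code, performs that sequence with the boto3 IAM client calls (`create_policy`, `create_user`, `attach_user_policy`, `create_access_key`). The client is injected so the function runs offline against the `StubIAM` stand-in defined in the block, which is constructed for this example and mirrors only the response shapes of the calls used; pass `boto3.client("iam")` to run it against a real account. The user names and the account ID in the stub are assumptions.

```python
"""Scripted equivalent of the console walkthroughs on this page (added example)."""
import json
import secrets

READONLY = "arn:aws:iam::aws:policy/ReadOnlyAccess"
POWER_SCHEDULER_MANAGED = [
    "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess",
    "arn:aws:iam::aws:policy/AutoScalingReadOnlyAccess",
]
# The PowerScheduler policy document from Step 2 of that section.
POWER_SCHEDULER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
                   "Action": ["rds:StartDBCluster", "rds:StopDBCluster", "rds:StartDBInstance",
                              "rds:StopDBInstance", "rds:RebootDBInstance", "ec2:StartInstances",
                              "ec2:StopInstances", "ec2:RebootInstances",
                              "autoscaling:SetDesiredCapacity", "autoscaling:UpdateAutoScalingGroup"]}],
}


def provision_api_user(iam, user_name, managed_policy_arns=(), custom_policies=None):
    """Create `user_name`, attach policies, return {"AccessKeyId": ..., "SecretAccessKey": ...}.

    custom_policies maps a policy name to a policy document (dict). Each is created as a
    customer-managed policy first (console: IAM > Policies > Create policy), so a bad
    document is rejected before the user or any key exists.
    """
    arns = list(managed_policy_arns)
    for name, document in (custom_policies or {}).items():
        created = iam.create_policy(PolicyName=name, PolicyDocument=json.dumps(document))
        arns.append(created["Policy"]["Arn"])
    iam.create_user(UserName=user_name)
    for arn in arns:
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # The secret exists only in this response: hand it to the SpaceONE service-account
    # form or a secrets store directly, and never print or log it.
    return {"AccessKeyId": key["AccessKeyId"], "SecretAccessKey": key["SecretAccessKey"]}


class StubIAM:
    """Offline stand-in for boto3.client("iam"), constructed for this example.

    Mirrors the response shapes of the calls used above and the two limits that matter
    here: user names are unique, and a user holds at most two access keys, which is why
    a lost secret is fixed by creating a new key and deleting the old one.
    """
    def __init__(self, account_id="123456789012"):   # assumed account ID
        self.account_id = account_id
        self.users = {}      # user name -> attached policy ARNs
        self.policies = {}   # policy ARN -> document
        self.keys = {}       # user name -> list of AccessKeyIds

    def create_user(self, UserName):
        if UserName in self.users:
            raise RuntimeError(f"EntityAlreadyExists: {UserName}")
        self.users[UserName] = []
        return {"User": {"UserName": UserName}}

    def create_policy(self, PolicyName, PolicyDocument):
        arn = f"arn:aws:iam::{self.account_id}:policy/{PolicyName}"
        self.policies[arn] = json.loads(PolicyDocument)
        return {"Policy": {"Arn": arn}}

    def attach_user_policy(self, UserName, PolicyArn):
        self.users[UserName].append(PolicyArn)
        return {}

    def create_access_key(self, UserName):
        if len(self.keys.setdefault(UserName, [])) >= 2:
            raise RuntimeError("LimitExceeded: a user may have at most two access keys")
        key_id = "AKIA" + secrets.token_hex(8).upper()     # 20 characters, like a real key ID
        self.keys[UserName].append(key_id)
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": secrets.token_urlsafe(30)}}

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName].remove(AccessKeyId)
        return {}


if __name__ == "__main__":
    iam = StubIAM()   # replace with boto3.client("iam") to provision a real account
    creds = provision_api_user(iam, "spaceone-power-scheduler", POWER_SCHEDULER_MANAGED,
                               {"SpaceONEPowerScheduler": POWER_SCHEDULER_POLICY})
    print("attached:", iam.users["spaceone-power-scheduler"])
    print("access key id:", creds["AccessKeyId"])   # the secret is deliberately not printed
```

For the General Collector, call `provision_api_user(iam, "spaceone-collector", [READONLY])`; for the Personal Health Dashboard/Trusted Advisor collector, pass the `support:*` policy document from that section as a custom policy alongside the read-only policy the collector uses.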

## Overall IAM Policy Superset

If a single customer-managed policy is preferred over the AWS managed policies, use the policy below.

Replace `{aws region code}` in each `Resource` ARN with an ***AWS Region code*** (for example `ap-northeast-2`) or with `*`.

Two caveats before scoping by region: ARNs for global services (IAM, S3, Route 53, CloudFront) have an empty region field and never match a region-scoped pattern, and a number of read actions, including every `ec2:Describe*` call, support no resource-level permissions at all and are only granted with `"Resource": "*"`. If a collector reports AccessDenied after you narrow the region, check those two cases first.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GeneralReadOnlyPolicyForCollectors",
            "Effect": "Allow",
            "Resource": "arn:aws:*:{aws region code}:*:*",
            "Action": [
                "acm:Describe*",
                "acm:Get*",
                "acm:List*",
                "acm-pca:Describe*",
                "acm-pca:Get*",
                "acm-pca:List*",
                "apigateway:GET",
                "autoscaling:Describe*",
                "autoscaling-plans:Describe*",
                "autoscaling-plans:GetScalingPlanResourceForecastData",
                "athena:List*",
                "athena:Batch*",
                "athena:Get*",
                "cassandra:Select",
                "cloudfront:Get*",
                "cloudfront:List*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "connect:List*",
                "connect:Describe*",
                "connect:GetFederationToken",
                "directconnect:Describe*",
                "dynamodb:BatchGet*",
                "dynamodb:Describe*",
                "dynamodb:Get*",
                "dynamodb:List*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:SearchTransitGatewayRoutes",
                "ec2messages:Get*",
                "ecr:BatchCheck*",
                "ecr:BatchGet*",
                "ecr:Describe*",
                "ecr:Get*",
                "ecr:List*",
                "ecs:Describe*",
                "ecs:List*",
                "eks:Describe*",
                "eks:List*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticfilesystem:Describe*",
                "elasticloadbalancing:Describe*",
                "es:Describe*",
                "es:List*",
                "es:Get*",
                "es:ESHttpGet",
                "es:ESHttpHead",
                "health:Describe*",
                "iam:Generate*",
                "iam:Get*",
                "iam:List*",
                "iam:Simulate*",
                "kafka:Describe*",
                "kafka:List*",
                "kafka:Get*",
                "lambda:List*",
                "lambda:Get*",
                "rds:Describe*",
                "rds:List*",
                "rds:Download*",
                "redshift:Describe*",
                "redshift:GetReservedNodeExchangeOfferings",
                "redshift:View*",
                "route53:Get*",
                "route53:List*",
                "route53:Test*",
                "route53domains:Check*",
                "route53domains:Get*",
                "route53domains:List*",
                "route53domains:View*",
                "route53resolver:Get*",
                "route53resolver:List*",
                "s3:Get*",
                "s3:List*",
                "secretsmanager:List*",
                "secretsmanager:Describe*",
                "secretsmanager:GetResourcePolicy",
                "sns:Get*",
                "sns:List*",
                "sns:Check*",
                "sqs:Get*",
                "sqs:List*",
                "sqs:Receive*",
                "storagegateway:Describe*",
                "storagegateway:List*",
                "tag:Get*",
                "trustedadvisor:Describe*",
                "workspaces:Describe*"
            ]
        },
        {
            "Sid": "PowerSchedulerController",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:{aws region code}:*:instance/*",
                "arn:aws:rds:{aws region code}:*:db:*",
                "arn:aws:rds:{aws region code}:*:cluster:*",
                "arn:aws:autoscaling:{aws region code}:*:autoScalingGroup:*"
            ],
            "Action": [
                "rds:StartDBCluster",
                "rds:StopDBCluster",
                "rds:StartDBInstance",
                "rds:StopDBInstance",
                "rds:RebootDBInstance",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:UpdateAutoScalingGroup"
            ]
        },
        {
            "Sid": "PHDandTACollector",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "support:DescribeAttachment",
                "support:DescribeCaseAttributes",
                "support:DescribeCases",
                "support:DescribeCommunications",
                "support:DescribeIssueTypes",
                "support:DescribeServices",
                "support:DescribeSeverityLevels",
                "support:DescribeSupportLevel",
                "support:DescribeTrustedAdvisorCheckRefreshStatuses",
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorChecks",
                "support:DescribeTrustedAdvisorCheckSummaries",
                "support:SearchForCases"
            ]
        }
    ]
}
```
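Three mistakes are easy to make when editing a policy like the superset above by hand: a JSON slip such as a missing comma (the console rejects the document with little context), a "read-only" action list that still reaches data rather than metadata (`s3:Get*` includes `s3:GetObject`), and region-scoped `Resource` ARNs combined with actions that can never match them, either because the service's ARNs carry no region (IAM, S3, Route 53, CloudFront) or because the action supports no resource-level permissions and only works with `"Resource": "*"` (`ec2:Describe*`, the Resource Groups Tagging API). The Python linter below, added here and not part of the SpaceONE documentation or code base, checks a policy document for all three. The service and action tables in it are deliberately short starting points, not complete references, and the policy excerpt it runs on is a constructed subset of the superset above with the region code filled in.

```python
"""Sanity checks for a collector IAM policy before attaching it (added example)."""
import json
import re

# Actions a "read-only" wildcard can cover that return data rather than metadata.
# A collector inventories resources; it has no reason to read objects, rows or secrets.
DATA_PLANE_READS = [
    "s3:GetObject", "dynamodb:Scan", "dynamodb:Query", "dynamodb:GetItem",
    "dynamodb:BatchGetItem", "sqs:ReceiveMessage", "rds:DownloadDBLogFilePortion",
    "secretsmanager:GetSecretValue", "athena:GetQueryResults",
]
# Verb prefixes accepted as read-only for a collector credential (compared case-insensitively).
READ_PREFIXES = ("Describe", "Get", "List", "Batch", "Check", "Search", "Select", "Query",
                 "Scan", "Simulate", "Generate", "Test", "View", "Download", "Receive",
                 "ESHttpGet", "ESHttpHead")
# Services whose ARNs have an empty region field; a region-scoped pattern never matches them.
GLOBAL_ARN_SERVICES = {"iam", "s3", "route53", "route53domains", "cloudfront"}
# Representative actions that support no resource-level permissions (only Resource "*" works).
NO_RESOURCE_LEVEL = {"ec2:DescribeInstances": "ec2:Describe* actions",
                     "tag:GetResources": "Resource Groups Tagging API actions"}


def _match(pattern, value):
    """IAM wildcard match for action names ('*' any run, '?' one character, case-insensitive)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Parse policy JSON; a syntax slip becomes a ValueError that names line and column."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(
            f"policy is not valid JSON (line {exc.lineno}, column {exc.colno}): {exc.msg}") from exc


def lint_policy(policy):
    """Return (sid, finding) pairs for every Allow statement; an empty list means no concerns."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            verb = action.split(":", 1)[-1]
            if not verb.upper().startswith(tuple(p.upper() for p in READ_PREFIXES)):
                findings.append((sid, f"{action} is not a read action"))
        for data_action in DATA_PLANE_READS:
            if any(_match(a, data_action) for a in actions):
                findings.append((sid, f"{data_action} is reachable; a collector needs metadata, not data"))
        # Region field is the fourth ARN component; "" or "*" means not region-scoped.
        regional = [r for r in resources
                    if r != "*" and len(r.split(":")) > 3 and r.split(":")[3] not in ("", "*")]
        if not regional:
            continue
        for action in actions:
            if action.split(":")[0].lower() in GLOBAL_ARN_SERVICES:
                findings.append((sid, f"{action} can never match a region-scoped ARN"))
            for concrete, label in NO_RESOURCE_LEVEL.items():
                if _match(action, concrete):
                    findings.append((sid, f"{action} covers {label}, which require Resource \"*\""))
    return findings


# Constructed excerpt of the superset policy above, with the region code filled in.
SUPERSET_EXCERPT = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "GeneralReadOnlyPolicyForCollectors", "Effect": "Allow",
     "Resource": "arn:aws:*:ap-northeast-2:*:*",
     "Action": ["ec2:Describe*", "iam:Get*", "s3:Get*", "cloudwatch:Get*", "tag:Get*"]},
    {"Sid": "PowerSchedulerController", "Effect": "Allow",
     "Resource": "arn:aws:ec2:ap-northeast-2:*:instance/*",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"]}
  ]
}"""

if __name__ == "__main__":
    for sid, finding in lint_policy(load_policy(SUPERSET_EXCERPT)):
        print(f"[{sid}] {finding}")
```

On the excerpt it reports that `iam:Get*` and `s3:Get*` can never match the region-scoped ARN, that `ec2:Describe*` and `tag:Get*` need `"Resource": "*"`, that `s3:GetObject` is reachable, and that the two scheduler actions are not read actions (expected for that statement, which is why the page keeps scheduler rights in a separate user). Extend the tables as you learn which actions in your account behave this way.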

