Using a Read-Only AWS IAM User

Create a least-privilege IAM user that can call ec2:DescribeInstances and nothing else, then connect it to cafe.io so that cafe.io can surface EC2 instance metadata without holding any write access to the account.

prerequisites

  • Administrator access to the AWS account that owns the EC2 instances you want cafe.io to list.
  • A cafe.io team with permission to manage cloud providers.
  • A secure password manager or secrets vault to store AWS access keys.

1. sign in to aws console

  1. Visit console.aws.amazon.com and sign in as an administrator.
  2. In the AWS search bar, type IAM and open the IAM service dashboard.

2. create a least-privilege policy

  1. In IAM, navigate to Policies > Create policy.
  2. Choose the JSON tab and replace the sample policy with the following. ec2:DescribeInstances does not support resource-level permissions, so "Resource": "*" is required; the action itself is what keeps the grant read-only:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CafeioDescribeInstancesOnly",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
  3. (Optional) Add tags for tracking or cost allocation.
  4. Choose Next, give the policy a recognizable name such as CafeioPolicy, review, then create the policy.

3. create an iam user & attach the policy

  1. In IAM, go to Users > Create user.
  2. Enter a descriptive user name such as cafeio-readonly-user and click Next.
  3. Choose Attach policies directly and select the policy from step 2.
  4. Complete the remaining prompts (tags optional) and create the user.

4. generate access keys

  1. From the success screen, choose Create access key, or open the new user and select the Security credentials tab.
  2. Select Third-party service as the use case.
  3. Acknowledge the secret key storage warning and continue.
  4. Download the .csv file or copy the Access key ID and Secret access key immediately; the secret is shown only once. Put both straight into your password manager or secrets vault rather than leaving the .csv on disk.

5. connect the credentials to cafe.io

  1. Sign in to cafe.io and open your team.
  2. Select Providers in the sidebar, then choose Connect provider.
  3. Set Provider type to AWS.
  4. Paste the IAM user’s Access key ID into the access key field and the Secret access key into the secret key field.
  5. Add a descriptive name (for example, the AWS account alias or region) and an optional description.
  6. Select Connect provider to save. cafe.io will now call DescribeInstances with these credentials.
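The same procedure scripted with the AWS SDK for Python (boto3) instead of the console, as an added example that is not cafe.io's own tooling. audit_policy runs offline and refuses any policy that grants more than ec2:DescribeInstances (wildcards such as ec2:* or NotAction slip through a visual check easily); provision_readonly_user performs steps 2 to 4, and verify_least_privilege confirms the new key can call DescribeInstances but is denied a sibling action (DescribeVolumes) the policy never granted. The boto3 functions assume administrator credentials in the standard AWS credential chain, and the region default us-east-1 is an assumption; the over-broad policy in the demo is constructed for illustration.

```python
"""Added example (not cafe.io's code): audit, provision and verify the
read-only IAM user described on this page."""
import json

# The policy from the page, as a Python dict.
CAFEIO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CafeioDescribeInstancesOnly",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
        }
    ],
}

# The only action cafe.io needs; anything else in an Allow statement is a finding.
ALLOWED_ACTIONS = {"ec2:DescribeInstances"}


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy allows
    nothing beyond ALLOWED_ACTIONS. Deny statements only narrow access,
    so they are skipped."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # AWS accepts a single statement object
        statements = [statements]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows everything except the listed actions")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            # "ec2:*", "ec2:Describe*" or "*" match far more than DescribeInstances.
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: unexpected action {action!r}")
    return findings


def provision_readonly_user(user_name="cafeio-readonly-user", policy_name="CafeioPolicy"):
    """Steps 2-4 of the page via boto3 (assumes admin credentials in the
    environment). Returns (access_key_id, secret_access_key); store them in
    your vault, they are shown by AWS only this once."""
    import boto3  # imported here so audit_policy works without boto3 installed
    problems = audit_policy(CAFEIO_POLICY)
    if problems:
        raise ValueError("refusing to attach an over-broad policy: " + "; ".join(problems))
    iam = boto3.client("iam")
    policy_arn = iam.create_policy(
        PolicyName=policy_name, PolicyDocument=json.dumps(CAFEIO_POLICY)
    )["Policy"]["Arn"]
    iam.create_user(UserName=user_name)
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


def verify_least_privilege(access_key_id, secret_access_key, region="us-east-1"):
    """Positive and negative check with the new key. IAM is eventually
    consistent, so a brand-new key may need a few seconds before this passes.
    The region is an assumption; use the one cafe.io will query."""
    import boto3
    from botocore.exceptions import ClientError
    session = boto3.Session(aws_access_key_id=access_key_id,
                            aws_secret_access_key=secret_access_key,
                            region_name=region)
    ec2 = session.client("ec2")
    ec2.describe_instances(MaxResults=5)  # granted by the policy: must succeed
    try:
        ec2.describe_volumes(MaxResults=5)  # never granted: must be denied
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "UnauthorizedOperation":
            raise
        return True
    raise RuntimeError("DescribeVolumes succeeded: the user holds more than DescribeInstances")


if __name__ == "__main__":
    # Constructed over-broad policy for comparison; not from the page.
    over_broad = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
    print("page policy findings:", audit_policy(CAFEIO_POLICY))
    print("ec2:* policy findings:", audit_policy(over_broad))
```

Run audit_policy on any policy you are about to paste into the console; running verify_least_privilege once after step 4 catches the common mistake of attaching an extra managed policy (AmazonEC2ReadOnlyAccess, for instance) alongside CafeioPolicy during user creation.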