Giving Caliper Access to Your CUR

While it can be difficult to provide directions which take into account the precise details of your AWS account configuration, the following directions should work in most cases. You may also use the AWS Management Console, CloudFormation, or any other approach you prefer.

Using the AWS Command Line Interface

Set up credentials

Ensure you are using AWS credentials with access to make changes to the account where your CUR reports are stored.

Create a role trust policy

Save the following file locally as caliper-role-trust-policy.json.

caliper-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": ["881106110173"] },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create a role

From the directory where you saved caliper-role-trust-policy.json, run the following command. (Feel free to give the role a different name.) This grants the Caliper production account the right to assume this role.

  • aws iam create-role --role-name caliper-role --assume-role-policy-document file://caliper-role-trust-policy.json

Save the ARN (Amazon Resource Name)

Make a note of the Role.Arn value returned from the previous command; it should be similar to arn:aws:iam::123456789012:role/caliper-role, using your actual AWS account number and the name of the role you created.

Create a role policy

Save the following file locally as caliper-role-policy.json, replacing <CUR_BUCKET> with the name of the bucket where AWS delivers your CUR data.

This policy includes both the required and recommended permissions to take advantage of all Caliper’s features. Learn more about how Caliper accesses AWS to fine-tune your policy.

caliper-role-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:ListBucket",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<CUR_BUCKET>"
    },
    {
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<CUR_BUCKET>/*"
    },
    {
      "Action": [
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListRoots"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Attach the role policy to the role

From the directory where you saved caliper-role-policy.json, run the following command. Make sure you are using the same role name you used previously. (Feel free to give the policy a different name.) This grants the role the right to access your CUR data.

  • aws iam put-role-policy --role-name caliper-role --policy-name caliper-role-policy --policy-document file://caliper-role-policy.json

(If you wish to update this policy in the future, simply update caliper-role-policy.json and run the same command again.)
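A pre-flight check for the two JSON files, as an added example that is not part of Caliper's documentation: it confirms the trust policy names only the account ID shown above and that the permissions policy is read-only and scoped to your CUR bucket. The function names, the bucket name example-cur-bucket and the read-only prefix heuristic are assumptions made for illustration.

```python
import json

CALIPER_ACCOUNT = "881106110173"  # account ID taken from the trust policy on this page
READ_ONLY = ("Get", "List", "Describe")  # assumption: these prefixes mark read-only actions

def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Return a list of findings for the trust policy; empty means it matches the page."""
    ok = {CALIPER_ACCOUNT, f"arn:aws:iam::{CALIPER_ACCOUNT}:root"}
    findings = []
    for st in as_list(doc["Statement"]):
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"trust: principal is not limited to AWS accounts: {principal!r}")
            continue
        findings += [f"trust: unexpected principal {p}"
                     for p in as_list(principal["AWS"]) if p not in ok]
        if as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust: action is not exactly sts:AssumeRole")
    return findings

def check_role_policy(doc, bucket):
    """Return findings for the permissions policy, given the real CUR bucket name."""
    findings = []
    if "<CUR_BUCKET>" in json.dumps(doc):
        findings.append("policy: <CUR_BUCKET> placeholder was not replaced")
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in as_list(doc["Statement"]):
        actions = as_list(st.get("Action", []))
        for action in actions:
            if not action.partition(":")[2].startswith(READ_ONLY):
                findings.append(f"policy: action is not read-only: {action}")
        if any(a.startswith("s3:") for a in actions):
            findings += [f"policy: S3 resource outside the CUR bucket: {r}"
                         for r in as_list(st.get("Resource", [])) if r not in allowed]
    return findings

# Constructed sample input: the page's trust policy and a trimmed permissions
# policy for a made-up bucket name.
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"AWS": ["881106110173"]}, "Action": "sts:AssumeRole"}]}
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:ListBucket", "Effect": "Allow", "Resource": "arn:aws:s3:::example-cur-bucket"},
    {"Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::example-cur-bucket/*"},
    {"Action": ["organizations:ListAccounts"], "Effect": "Allow", "Resource": "*"}]}

if __name__ == "__main__":
    print(check_trust_policy(TRUST) + check_role_policy(POLICY, "example-cur-bucket"))
```

To check your own files, load each with json.load and pass the resulting dictionaries to the two functions; an empty list means nothing was flagged.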

Connect Caliper

Share the following details with your Caliper contact:

  • The Role.Arn from above
  • The name of the CUR report
  • The name of the S3 bucket it is delivered to
  • The AWS region the S3 bucket is in
  • The report path prefix you provided when creating the CUR report

Still need help? Email us at support@millworksanalytics.com!

Using Terraform

The following Terraform module will create a caliper-role IAM role. The variable cur_bucket should be set to the name of the S3 bucket containing the CUR report for Caliper. The role and policy names can be changed if desired.

This policy includes both the required and recommended permissions to take advantage of all Caliper’s features. Learn more about how Caliper accesses AWS to fine-tune your policy.

caliper-role.tf
terraform {
  required_version = "~> 1.0"
 
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
 
variable "cur_bucket" {
  type        = string
  description = "The name of the S3 bucket containing the CUR report for Caliper"
}
 
data "aws_s3_bucket" "cur_bucket" {
  bucket = var.cur_bucket
}
 
data "aws_iam_policy_document" "caliper_role_trust_policy" {
  statement {
    actions = ["sts:AssumeRole"]
 
    principals {
      type        = "AWS"
      identifiers = ["881106110173"]
    }
  }
}
 
resource "aws_iam_role" "caliper_role" {
  name               = "caliper-role"
  assume_role_policy = data.aws_iam_policy_document.caliper_role_trust_policy.json
}
 
data "aws_iam_policy_document" "caliper_role_policy" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = [data.aws_s3_bucket.cur_bucket.arn]
  }
 
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${data.aws_s3_bucket.cur_bucket.arn}/*"]
  }
 
  statement {
    actions = [
      "organizations:DescribeOrganizationalUnit",
      "organizations:ListAccounts",
      "organizations:ListAccountsForParent",
      "organizations:ListOrganizationalUnitsForParent",
      "organizations:ListParents",
      "organizations:ListRoots"
    ]
    resources = ["*"]
  }
}
 
resource "aws_iam_role_policy" "caliper_role_policy" {
  name   = "caliper-role-policy"
  role   = aws_iam_role.caliper_role.id
  policy = data.aws_iam_policy_document.caliper_role_policy.json
}
 
output "caliper_role_arn" {
  value = aws_iam_role.caliper_role.arn
}

After applying the module, share the following details with your Caliper contact:

  • The caliper_role_arn output
  • The name of the CUR report
  • The name of the S3 bucket it is delivered to
  • The AWS region the S3 bucket is in
  • The report path prefix you provided when creating the CUR report
