I do not want to create an IAM user: I am logged in as root in AWS console.

How can I create a role such that my RDS instance stops on a budgeted amount?

I always get this error when I configure a budgeted RDS action:

Budgets permission required to assume [ExecutionRole: arn:aws:iam::351811911299:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor]. Please follow the instruction to grant assumeRole access to [Service Principal: budgets.amazonaws.com].
Leder
  • this is the third place I post my question: no crosspost! plz do not delete unanswered! – Leder Jun 28 '21 at 03:43
  • You create a role with appropriate permissions. Based on your question though I suspect you are a beginner with AWS, as no-one with experience will use the root user. Suggest you get some training in AWS basics, then in AWS security, if you want to continue to use AWS. To answer your question have a read of this blog post https://aws.amazon.com/blogs/aws-cost-management/get-started-with-aws-budgets-actions/ – Tim Jun 28 '21 at 07:56
  • thanx for the link. BTW I am proficient in S3 and RDS: the management console is there to support the user not the other way round! Do you have a link for IAM creation with full rights? – Leder Jun 29 '21 at 09:34
  • Create an IAM user and attach the administrator policy - easy :) The AWS security training is really interesting, even after years using AWS and having architect pro certification I learned a lot that has been really practical especially around IAM. – Tim Jun 29 '21 at 09:45
  • thank you for the heads up: though the budgeting answer from support was not that easy... – Leder Jun 29 '21 at 19:00
  • AWS is a complex enterprise environment, not a simple web host, anyone using it really needs to be trained as there are gotchas and security issues. In AWS terms the answer from support was trivial, it'd take me about 2 minutes, but I've been doing AWS for many years. – Tim Jun 29 '21 at 19:14
  • OK: I learned the basic concepts. Budgets seem to be more useful than cloudwatch and service quotas... – Leder Jul 01 '21 at 02:55

1 Answer

I have an answer from AWS support:

You can follow these steps to create the correct policy first:

  1. Go to the IAM Dashboard and to the Policies section: https://console.aws.amazon.com/iam/home?region=us-east-2#/policies
  2. Click on "Create Policy"
  3. In the Visual Editor section, select Service as RDS >> Actions as All Actions >> Resources as All Resources
  4. Click on Next
  5. Add Tags if needed, then on Next: Review
  6. Give a Policy name
  7. Click on Create Policy

This created the needed policy for the Budget action, now let's go to the IAM Role Creation.

  1. Go to the IAM Dashboard and to the Roles section: https://console.aws.amazon.com/iam/home?region=us-east-2#/roles
  2. Click on "Create Role"
  3. Under the AWS Services section, select "Budgets"
  4. Click on Next: Permissions
  5. Find the policy that was created with the steps mentioned above by its name >> Next
  6. Add Tags if needed, then on Next: Review
  7. Give a name for the Role
  8. Click on Create Role

You can refer to these public documentations:

  1. To create IAM policy: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-and-attach-iam-policy.html
  2. To create IAM role: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console

You now have the IAM Role needed for the Budget actions.


Upon checking the error you are receiving: Budgets permission required to assume [ExecutionRole: arn:aws:iam::351811911299:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor]. Please follow the instruction to grant assumeRole access to [Service Principal: budgets.amazonaws.com].

It seems that you are trying to add a different role for the Budget action. Now that you have the correct IAM role and policy created, you can follow these steps to create a Budget action:

  1. Go to the Budgets section of the Billing Dashboard: https://console.aws.amazon.com/billing/home?region=us-east-2#/budgets
  2. Please follow this documentation to add the previously created policy to a new budget: https://aws.amazon.com/blogs/aws-cost-management/get-started-with-aws-budgets-actions/
Michael Hampton
Leder
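
Added example, not part of the original answer or of AWS support's reply: the error quoted above is about the role's trust policy, which has to name `budgets.amazonaws.com` as a service principal allowed to call `sts:AssumeRole`. This Python sketch checks a trust policy document for that and builds one that satisfies it; the function names are hypothetical, the Trusted Advisor trust document is a constructed sample, and the evaluation is simplified (it ignores `Condition`, `NotPrincipal` and `NotAction`).

```python
import json

BUDGETS = "budgets.amazonaws.com"

def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _names_service(stmt, service):
    principal = stmt.get("Principal")
    # Only {"Service": ...} principals are considered in this sketch.
    if not isinstance(principal, dict):
        return False
    return service in _as_list(principal.get("Service"))

def _covers_assume_role(stmt):
    wanted = ("*", "sts:*", "sts:assumerole")
    return any(a.lower() in wanted for a in _as_list(stmt.get("Action")))

def service_can_assume(trust_policy, service=BUDGETS):
    """True if the trust policy lets `service` assume the role."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not (_names_service(stmt, service) and _covers_assume_role(stmt)):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

def budgets_trust_policy():
    """Trust policy that lets AWS Budgets assume the execution role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": BUDGETS},
         "Action": "sts:AssumeRole"}]}

# Constructed sample: a service-linked role trusts only its own service,
# which is why picking AWSServiceRoleForTrustedAdvisor fails for Budgets.
TRUSTED_ADVISOR_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "trustedadvisor.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("Trusted Advisor role:", service_can_assume(TRUSTED_ADVISOR_TRUST))
    print("Budgets role:", service_can_assume(budgets_trust_policy()))
    print(json.dumps(budgets_trust_policy(), indent=2))
```

The same check can be run against the trust relationship JSON shown on a role's "Trust relationships" tab before selecting that role in a budget action.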