Managed Studio

Connecting your AWS Account

Getting started

In order to manage machines or create other resources using Managed Studio, you will need to link an active AWS account on your team's settings page.

Creating an IAM User

To create the AWS access key and secret required by Managed Studio to manage your AWS account, you will need to create a new IAM user within AWS. To create a new IAM user, navigate to the IAM service on your AWS dashboard. Once you are in the IAM dashboard, you may select "Users" from the left-side navigation panel.

Next, click the "Add users" button and choose a user name before clicking "Next".

Permissions

On the permissions management screen, you may grant full administrator access to the IAM user by selecting the "Attach existing policies directly" option and "AdministratorAccess" policy. Once the policy has been attached, you may click "Next".

Or, if you would prefer to not provide administrator access to Managed Studio, you may instead create a custom permission policy with the specific permissions needed by Managed Studio. To do so, select "Create policy" from the "Permissions policies" panel. Choose the JSON option and provide the permission definition below. Once the policies have been defined, you may attach them to your new IAM user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManagedStudioPolicy",
            "Effect": "Allow",
            "Action": [
                "account:ListRegions",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteTags",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:ModifyInstanceAttribute",
                "ec2:RebootInstances",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "events:DeleteRule",
                "events:DescribeRule",
                "events:ListRules",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "events:TagResource",
                "iam:PassRole",
                "iam:SimulatePrincipalPolicy",
                "kms:CreateGrant",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:SetTopicAttributes",
                "sns:Subscribe",
                "sns:TagResource",
                "sns:Unsubscribe"
            ],
            "Resource": "*"
        }
    ]
}

Changes to required permissions
This list of permissions is likely to change as we add new features to Managed Studio. If your custom policy is not kept up to date, you may see unexpected errors.
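
A custom policy can drift from the required list in two directions: actions that are missing, which lead to the errors described above, and actions that were never required. The Python check below is an added example, not code from Managed Studio. REQUIRED is a constructed subset of the list on this page and the sample policy is constructed. It compares Allow statements only and does not evaluate Deny, NotAction, Condition or Resource scoping.

```python
import fnmatch
import json

# Constructed subset of the action list on this page, kept short for the
# example; use the full list from the policy above for a real audit.
REQUIRED = ["ec2:RunInstances", "ec2:StopInstances", "iam:PassRole",
            "kms:CreateGrant", "sns:Subscribe"]

# Constructed sample of an edited custom policy (placeholder account ID).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"},
   {"Effect": "Allow", "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::111122223333:role/example-role"}]}
""")

def as_list(value):
    """IAM accepts either one item or a list for Statement and Action."""
    return list(value) if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Return the Action patterns of every Allow statement."""
    return [action
            for stmt in as_list(policy["Statement"])
            if stmt.get("Effect") == "Allow"
            for action in as_list(stmt.get("Action", []))]

def audit(policy, required):
    """Return (missing, extra): required actions the policy does not allow,
    and allowed patterns that are not on the required list."""
    patterns = allowed_patterns(policy)
    wanted = {a.lower() for a in required}

    def covered(action):
        # Action names are case-insensitive and may contain * and ? wildcards.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in patterns)

    missing = sorted(a for a in required if not covered(a))
    extra = sorted(p for p in patterns if p.lower() not in wanted)
    return missing, extra

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_POLICY, REQUIRED)
    print("missing (expect errors in Managed Studio):", missing)
    print("extra (not on the required list):", extra)
```

Run it against an exported copy of your policy each time the required list on this page changes.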

Once the user is created, you will need to generate a set of access credentials. To do so, click on your newly created user and then select the "Security credentials" tab. Now, in the "Access keys" panel, select "Create access key" followed by "Third-party service". Select the confirmation box and click "Next", followed by "Create access key". Your access key ID and secret will then be displayed. These credentials may then be provided to Managed Studio so that AWS resources may be managed on your behalf. Your linked AWS accounts may be managed via the "Settings" screen of Managed Studio.