Skip to main content
AWS credentials let Ankra read your account to estimate the infrastructure cost of your clusters and sync cloud inventory, and to provision and manage Amazon EKS. For cost and inventory, access is read-only and cost-scoped - Ankra never provisions or modifies AWS resources. You can connect in one of two ways:

IAM role (recommended)

Ankra provides a CloudFormation “launch stack” link that creates a read-only role Ankra can assume, secured with a unique external ID. No long-lived keys to store or rotate.

Access keys

Provide an access key ID and secret for an IAM user. Simpler to set up, but you own key rotation.
Provisioning EKS requires permissions for EKS, EC2, and IAM role management - broader than the read-only cost scope. See Amazon EKS for details.

Creating an AWS Credential (IAM role)

1

Start onboarding

Go to CredentialsAddAWS and choose the IAM role method. Ankra generates a unique external ID and a Launch stack link.
2

Launch the CloudFormation stack

Follow the launch-stack link into your AWS account. The template creates a read-only role scoped for cost, with a trust policy that only allows Ankra’s principal to assume it using your external ID.
3

Save the role

Copy the created role ARN back into Ankra and save. Ankra validates that it can assume the role before storing the credential.

Creating an AWS Credential (access keys)

1

Create an IAM user

In AWS IAM, create a user (or use an existing one) with permissions sufficient for your use - read-only for cost/inventory (for example the AWS-managed ReadOnlyAccess/Billing policies), or EKS/EC2/IAM permissions to provision EKS.
2

Add to Ankra

Go to CredentialsAddAWSAccess keys, enter a name, and paste the access key ID and secret access key.
Use the IAM role method where you can - it avoids storing long-lived secrets and is scoped and revocable on the AWS side by deleting the CloudFormation stack.