IAM role (recommended)
Ankra provides a CloudFormation “launch stack” link that creates a read-only role Ankra can assume, secured with a unique external ID. No long-lived keys to store or rotate.
Access keys
Provide an access key ID and secret for an IAM user. Simpler to set up, but you own key rotation.
Provisioning EKS requires permissions for EKS, EC2, and IAM role management - broader than the read-only cost scope. See Amazon EKS for details.
Creating an AWS Credential (IAM role)
Start onboarding
Go to Credentials → Add → AWS and choose the IAM role method. Ankra generates a unique external ID and a Launch stack link.
Launch the CloudFormation stack
Follow the launch-stack link into your AWS account. The template creates a read-only role scoped for cost, with a trust policy that only allows Ankra’s principal to assume it using your external ID.
Creating an AWS Credential (access keys)
Create an IAM user
In AWS IAM, create a user (or use an existing one) with permissions sufficient for your use - read-only for cost/inventory (for example the AWS-managed
ReadOnlyAccess/Billing policies), or EKS/EC2/IAM permissions to provision EKS.Use the IAM role method where you can - it avoids storing long-lived secrets and is scoped and revocable on the AWS side by deleting the CloudFormation stack.