> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ankra.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS Credentials

> Connect AWS to Ankra with a read-only IAM role or access keys for cloud cost estimates, inventory, and EKS.

AWS credentials let Ankra read your account to estimate the infrastructure cost of your clusters and sync cloud inventory, and to provision and manage [Amazon EKS](/guides/eks-clusters). For cost and inventory, access is **read-only and cost-scoped** - Ankra never provisions or modifies AWS resources. You can connect in one of two ways:

<CardGroup cols={2}>
  <Card title="IAM role (recommended)" icon="shield-halved">
    Ankra provides a CloudFormation "launch stack" link that creates a read-only role Ankra can assume, secured with a unique external ID. No long-lived keys to store or rotate.
  </Card>

  <Card title="Access keys" icon="key">
    Provide an access key ID and secret for an IAM user. Simpler to set up, but you own key rotation.
  </Card>
</CardGroup>

<Note>
  Provisioning **EKS** requires permissions for EKS, EC2, and IAM role management - broader than the read-only cost scope. See [Amazon EKS](/guides/eks-clusters) for details.
</Note>

## Creating an AWS Credential (IAM role)

<Steps>
  <Step title="Start onboarding">
    Go to **Credentials** → **Add** → **AWS** and choose the **IAM role** method. Ankra generates a unique external ID and a **Launch stack** link.
  </Step>

  <Step title="Launch the CloudFormation stack">
    Follow the launch-stack link into your AWS account. The template creates a read-only role scoped for cost, with a trust policy that only allows Ankra's principal to assume it using your external ID.
  </Step>

  <Step title="Save the role">
    Copy the created role ARN back into Ankra and save. Ankra validates that it can assume the role before storing the credential.
  </Step>
</Steps>

## Creating an AWS Credential (access keys)

<Steps>
  <Step title="Create an IAM user">
    In AWS IAM, create a user (or use an existing one) with permissions sufficient for your use - read-only for cost/inventory (for example the AWS-managed `ReadOnlyAccess`/`Billing` policies), or EKS/EC2/IAM permissions to provision EKS.
  </Step>

  <Step title="Add to Ankra">
    Go to **Credentials** → **Add** → **AWS** → **Access keys**, enter a name, and paste the access key ID and secret access key.
  </Step>
</Steps>

<Note>
  Use the IAM role method where you can - it avoids storing long-lived secrets and is scoped and revocable on the AWS side by deleting the CloudFormation stack.
</Note>
