The platform assumes that an Authorizer fulfills these requirements:
- They have the basic privileges required to make Reserved Instance purchases.
- They can receive a Secure Temporary Token that will allow the platform to execute the purchase on their behalf.
If you want to purchase RIs for only specific accounts, you can apply a filter for that account in your purchase quote. When you execute the quote, a confirmation email is sent to the Authorizer, who must provide an Access Key and Secret Key for each account.
Ensure that the Authorizer has sufficient privileges to at least purchase RIs within your accounts.
- Log in to the AWS Console. Select Services > IAM and select Users from the left menu.
- Select the user whom you want to assign as Authorizer. In the user management console, click the Permissions tab.
- Expand the user policy to which you want to add Authorizer privileges and click View and edit policy.
- In the Policy Document tab, click Edit and add these privileges.
  The ability to purchase RIs.
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeReservedInstancesOfferings",
          "ec2:PurchaseReservedInstancesOffering"
        ],
        "Resource": "*"
      }
  The ability to receive the temporary token, allowing the platform to execute the action on behalf of the user.
      {
        "Effect": "Allow",
        "Action": "sts:GetFederationToken",
        "Resource": "*"
      }
- Click Validate Policy to test the changes.
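
As an added example (not part of the original documentation or the platform's own tooling), the Python sketch below audits an IAM policy document against the three actions listed in the steps above, reporting required actions that are not effectively allowed and Allow patterns broader than needed. The `Version`/`Statement` wrapper, the function names and the `BROAD_POLICY` sample are assumptions constructed for illustration; `Condition`, `NotAction` and resource scoping are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The three actions granted by the two statements in the steps above.
REQUIRED = (
    "ec2:describereservedinstancesofferings",
    "ec2:purchasereservedinstancesoffering",
    "sts:getfederationtoken",
)

def _actions(statements, effect):
    """Collect lower-cased Action patterns for one Effect (string or list form)."""
    out = []
    for stmt in statements:
        if stmt.get("Effect") == effect:
            acts = stmt.get("Action", [])
            out += [a.lower() for a in ([acts] if isinstance(acts, str) else acts)]
    return out

def audit_policy(policy_json):
    """Return (missing, excess) for a policy document given as a JSON string."""
    stmts = json.loads(policy_json)["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allow, deny = _actions(stmts, "Allow"), _actions(stmts, "Deny")
    hit = lambda action, pats: any(fnmatchcase(action, p) for p in pats)
    # An explicit Deny always wins over Allow in IAM evaluation.
    missing = [r for r in REQUIRED if not hit(r, allow) or hit(r, deny)]
    excess = sorted(p for p in allow if p not in REQUIRED)
    return missing, excess

# Policy assembled from the page's two statements (wrapper is an assumption).
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeReservedInstancesOfferings",
                                   "ec2:PurchaseReservedInstancesOffering"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"}]})

# Constructed sample: grants all of EC2 but omits the STS permission.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc))
```

An empty `missing` list means the Authorizer can complete the purchase flow; a non-empty `excess` list marks grants to trim before assigning the role.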