Creating a new user with its own policy is optional, but it is possible.
If you want a consistent standalone IAM user in each account with the privileges to purchase reservations and receive the temporary secure token, create the user and enter this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:ModifyReservedInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:PurchaseReservedDBInstancesOffering",
        "sts:GetFederationToken"
      ],
      "Resource": "*"
    }
  ]
}
Make sure you validate the policy after editing it.
This policy, together with the user's Access Key and Secret Key, lets the platform look into that account, get the token, and execute the purchase within a 15-30 minute interval.
The policy also includes the ability to modify reservations. This way, you have a CloudHealth RI Management User. Save the Access Key and Secret Key so that you can enter the credentials whenever you want to execute purchase actions.
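One way to validate the policy after editing it, as an added example that is not part of the original page or of CloudHealth's tooling: an offline check that the edited document still grants exactly the six actions listed above and nothing broader. The names `check_policy`, `EXPECTED` and `EDITED` are hypothetical, and the sample policy is constructed.

```python
import json

# The six actions granted by the policy on this page, lowercased because
# IAM action names are case-insensitive.
EXPECTED = {a.lower() for a in (
    "ec2:DescribeReservedInstancesOfferings",
    "ec2:PurchaseReservedInstancesOffering",
    "ec2:ModifyReservedInstances",
    "rds:DescribeReservedDBInstancesOfferings",
    "rds:PurchaseReservedDBInstancesOffering",
    "sts:GetFederationToken",
)}

def as_list(value):
    """IAM accepts a single item wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def check_policy(text):
    """Return findings for an edited policy; an empty list means it matches."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["policy must be a JSON object"]
    findings, granted = [], set()
    if doc.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17")
    for stmt in as_list(doc.get("Statement", [])):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append("Allow with NotAction grants all but the listed actions")
        for action in as_list(stmt.get("Action", [])):
            action = str(action).lower()
            if "*" in action or "?" in action:
                findings.append(f"wildcard action: {action}")
            elif action not in EXPECTED:
                findings.append(f"unexpected action: {action}")
            granted.add(action)  # exact match only; wildcards never count
    findings += [f"missing action: {a}" for a in sorted(EXPECTED - granted)]
    return findings

# Constructed sample: an edit that added an EC2 wildcard and dropped the STS action.
EDITED = """{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Action": ["ec2:*", "ec2:DescribeReservedInstancesOfferings",
    "ec2:PurchaseReservedInstancesOffering", "ec2:ModifyReservedInstances",
    "rds:DescribeReservedDBInstancesOfferings",
    "rds:PurchaseReservedDBInstancesOffering"], "Resource": "*"}}"""

if __name__ == "__main__":
    print("\n".join(check_policy(EDITED)))
```

This checks only the action list against the page's policy; it does not replace the syntax validation the IAM policy editor performs.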