Step 3: Create an AWS Run As account
You must set up credentials that grant AWS Management Pack access to your AWS resources.
To create an AWS Run As account
- We recommend that you create an IAM user with the minimum access rights required (for example, the ReadOnlyAccess AWS managed policy works in most cases). You'll need the access keys (access key ID and secret access key) for this user to complete this procedure. For more information, see Administering Access Keys for IAM Users in the IAM User Guide.
  Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS:
  - If you manage identities in IAM Identity Center, the AWS APIs require a profile, and the AWS Command Line Interface requires a profile or an environment variable.
  - If you have IAM users, the AWS APIs and the AWS Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.
To grant users programmatic access, choose one of the following options.
| Which user needs programmatic access? | To | By |
|---|---|---|
| Workforce identity (Users managed in IAM Identity Center) | Use short-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs). | Following the instructions for the interface that you want to use: for the AWS CLI, follow the instructions in Getting IAM role credentials for CLI access in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide; for the AWS APIs, follow the instructions in SSO credentials in the AWS SDKs and Tools Reference Guide. |
| IAM | Use short-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs). | Following the instructions in Using temporary credentials with AWS resources in the IAM User Guide. |
| IAM | Use long-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs). (Not recommended) | Following the instructions in Managing access keys for IAM users in the IAM User Guide. |
- In the Operations console, on the Go menu, click Administration.
- In the Administration workspace, expand the Run As Configuration node, and then select Accounts.
- Right-click the Accounts pane, and then click Create Run As Account.
- In the Create Run As Account Wizard, on the General Properties page, in the Run As account type list, select Basic Authentication.
- Enter a display name (for example, "My IAM Account") and a description, and then click Next.
- On the Credentials page, enter the access key ID in the Account name box and the secret access key in the Password box, and then click Next.
- On the Distribution Security page, select More secure - I want to manually select the computers to which the credentials will be distributed, and then click Create.
- Click Close.
- In the list of accounts, select the account that you just created.
- In the Actions pane, click Properties.
- In the Properties dialog box, verify that the More Secure option is selected and that all management servers to be used to monitor your AWS resources are listed.
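To check the first step's recommendation (an IAM user with minimum access rights whose long-term access keys feed the Run As account), the following added example, which is not part of the original AWS documentation, audits the parsed JSON output of `aws iam list-attached-user-policies`, `aws iam list-user-policies` and `aws iam list-access-keys`. The user name, key IDs, sample data and the 90-day key-age threshold are constructed assumptions.

```python
from datetime import datetime, timezone

READ_ONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"
MAX_KEY_AGE_DAYS = 90  # assumption: rotation window chosen for this example

def audit_run_as_user(attached, inline, keys, now, allowed_arns=(READ_ONLY_ARN,)):
    """Return findings for the IAM user whose keys feed the Run As account.

    attached/inline/keys are the parsed JSON outputs of
    `aws iam list-attached-user-policies`, `list-user-policies`, `list-access-keys`.
    """
    findings = []
    # Anything beyond the allowed managed policies widens the monitoring user's rights.
    for pol in attached.get("AttachedPolicies", []):
        if pol["PolicyArn"] not in allowed_arns:
            findings.append(f"unexpected managed policy: {pol['PolicyArn']}")
    # Inline policies are not covered by the allow-list, so flag them for review.
    for name in inline.get("PolicyNames", []):
        findings.append(f"inline policy needs review: {name}")
    active = [k for k in keys.get("AccessKeyMetadata", []) if k["Status"] == "Active"]
    if len(active) > 1:
        findings.append(f"{len(active)} active access keys; expected one outside a rotation")
    # Long-term keys do not expire on their own, so report old ones.
    for k in active:
        created = datetime.fromisoformat(k["CreateDate"].replace("Z", "+00:00"))
        age = (now - created).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(f"key {k['AccessKeyId']} is {age} days old")
    return findings

# Constructed sample data (hypothetical user "scom-monitor", fake key IDs).
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "ReadOnlyAccess", "PolicyArn": READ_ONLY_ARN},
    {"PolicyName": "AmazonS3FullAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"},
]}
SAMPLE_INLINE = {"PolicyNames": []}
SAMPLE_KEYS = {"AccessKeyMetadata": [
    {"UserName": "scom-monitor", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active", "CreateDate": "2023-01-01T00:00:00+00:00"},
    {"UserName": "scom-monitor", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Inactive", "CreateDate": "2022-01-01T00:00:00+00:00"},
]}

if __name__ == "__main__":
    for finding in audit_run_as_user(SAMPLE_ATTACHED, SAMPLE_INLINE, SAMPLE_KEYS,
                                     datetime.now(timezone.utc)):
        print(finding)
```

An empty result means the user carries only the allowed managed policy, has no inline policies, and has a single active key inside the assumed rotation window.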