top of page

Onboard AWS to CloudHiro's Automated commitment management

The following guide will show you how to set up your account to allow Costi to access it is a secure manner.
To do this We will create a separate role for Costi.

Register to CloudHiro

  1. Register here.

  2. Confirm the email you get and login

Option 1 - Use Cloud formation template

  1. Login to your AWS account as an admin.

  2. Creating the CUR (Cost and usage report) - please use this link. If the organization already have a CUR, grant Costi read access to the relevant bucket where the CUR resides. 

  3. Adding permissions to manage Reserved Instances and Saving plans automatically, please add the following roles to Costi. 

  4. Click 'Next'. You will be asked for a parameter called ExternalID. You can find that parameter here.

  5. Mark the "I acknowledge that AWS CloudFormation might create IAM resources with custom names." checkbox at the bottom of the page.

  6. Click the "Create stack" button.

  7. That's it - We are all done!

Option 2 - Set up the Role Manually

Using this manual way you can control what Costi can and can not do. The following steps will show you how.

  1. First, log in to your account and click the account menu in the top right corner.

  2. Click 'My Security Credentials' in the drop-down menu.


  3. Select 'Another AWS account' as the type of the trusted entity.

  4. Enter '545334166883' (CloudHiro account ID) in the 'Account ID' text box.

  5. Mark the 'Require external ID (Best practice when a third party will assume this role)' in the options checkbox.

  6. You can find the unique value for ExternalID here.

  7. Click 'Next: Permissions' at the bottom to continue


  8. Add all the permissions stated below:

    1. "ec2:DescribeReservedInstances",

    2. "ec2:DescribeReservedInstancesListings",

    3. "ec2:DescribeReservedInstancesModifications",

    4. "ec2:PurchaseReservedInstancesOffering",

    5. "ec2:GetReservedInstancesExchangeQuote",

    6. "ec2:AcceptReservedInstancesExchangeQuote",

    7. "ec2:DeleteQueuedReservedInstances",

    8. "ec2:ModifyReservedInstances",

    9. "ec2:CancelReservedInstancesListing",

    10. "ec2:CreateReservedInstancesListing",

    11. "ec2:DescribeReservedInstancesListings",

    12. "ec2:DescribeHostReservations"

    13. "ec2:PurchaseReservedInstancesOffering"

    14. "savingsplans:*"

    15. "ce:*"

  9. Review the information you just entered, then click 'Create role' to proceed.|

  10. That's it - We are all done! - The new role is now added to your Resource roles list.

bottom of page