# What IAM Permissions Does the Trial Deployment Require?

## Overview

This page gives a detailed breakdown of the read-only, least-privilege IAM credential required for the Trial of our AWS Platform Integration. It lets Archera read the minimum usage and cost metadata needed by our Trial analysis and modeling engine, with limited access to automation features.

> **Note:** This credential will prevent you from receiving any future platform updates and we don't recommend using it unless you have no other options. Please contact us if you would like this installation method enabled in your account. The standard [Production credential](https://docs.archera.ai/help-center/aws-onboarding/iam-permissions-production) is required to enable our full automation platform.

## Cost Explorer

Used to extract specific cost, usage, and commitment information associated with your organization's accounts:

```
ce:DescribeCostCategoryDefinition
ce:GetCostAndUsage
ce:GetCostAndUsageWithResources
ce:GetReservationCoverage
ce:GetReservationPurchaseRecommendation
ce:GetReservationUtilization
ce:GetSavingsPlansCoverage
ce:GetSavingsPlansPurchaseRecommendation
ce:GetSavingsPlansUtilization
ce:GetSavingsPlansUtilizationDetails
ce:GetRightsizingRecommendation
ce:GetCostForecast
ce:GetUsageForecast
ce:GetTags
ce:GetDimensionValues
ce:ListCostCategoryDefinitions
```

*(plus additional describe/get permissions)*

## Tags

Used to populate Tag Manager functionality and Tag-based segmentation:

```
tag:GetComplianceSummary
tag:GetResources
tag:GetTagKeys
tag:GetTagValues
```

## CloudWatch

Used to pull utilization metadata for your infrastructure (required for rightsizing and usage monitoring):

```
cloudwatch:ListMetrics
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData
```

## EC2

Read-only permissions to pull real-time usage, attribution, and commitment information for EC2 resources. These permissions never allow access to or modification of underlying infrastructure, only metadata (uptime, tags, deployment data, etc.):

```
ec2:DescribeInstances
ec2:DescribeReservedInstances
ec2:DescribeReservedInstancesListings
ec2:DescribeReservedInstancesModifications
ec2:DescribeReservedInstancesOfferings
ec2:GetReservedInstancesExchangeQuote
ec2:DescribeCapacityReservations
ec2:DescribeTags
ec2:DescribeVolumes
ec2:DescribeRegions
```

*(plus additional describe permissions)*

## RDS, Redshift, DynamoDB, ElastiCache, Elasticsearch, MemoryDB

Each of these services gets similar read-only describe permissions, used to pull real-time usage, attribution, and commitment information. These permissions never allow access to or modification of underlying infrastructure.

## Organizations

Used to enable segmentation and analysis based on AWS organization structure, and accurately reflect reservation attribution:

```
organizations:DescribeOrganization
organizations:ListAccounts
organizations:ListAccountsForParent
organizations:DescribeAccount
```

*(plus additional describe/list permissions)*

## Savings Plans

Used to provide analysis for savings plan coverage, savings, and attribution:

```
savingsplans:DescribeSavingsPlanRates
savingsplans:DescribeSavingsPlans
savingsplans:DescribeSavingsPlansOfferingRates
savingsplans:DescribeSavingsPlansOfferings
savingsplans:ListTagsForResource
```

## IAM

Restricted explicitly to Archera-related roles; required to verify permissions and ensure a valid installation:

```
iam:GetRolePolicy
iam:ListRolePolicies
iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion
iam:SimulatePrincipalPolicy
```

Resource restrictions:

```
arn:aws:iam::*:role/ReservedAI
arn:aws:iam::*:role/ReservedAI-Read
arn:aws:iam::*:role/ReservedAI-Write
```
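
Because several lists above are abbreviated, the claims on this page are best checked against the actual policy JSON attached to the role. The following is an added example, not Archera's code: it flags any allowed action whose verb is not Describe/Get/List/Simulate and any `iam:` action allowed outside the three role ARNs above. The function name and both sample policies are constructed for illustration, and the verb-prefix test is a heuristic that does not evaluate `Condition` blocks.

```python
# Added example: audit a policy document against the claims made on this page.
READ_ONLY_PREFIXES = ("describe", "get", "list", "simulate")  # heuristic by verb
ALLOWED_IAM_ROLES = {  # resource restriction listed on this page
    "arn:aws:iam::*:role/ReservedAI",
    "arn:aws:iam::*:role/ReservedAI-Read",
    "arn:aws:iam::*:role/ReservedAI-Write",
}

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    for idx, stmt in enumerate(_listify(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"stmt {idx}: NotAction/NotResource widens the grant")
            continue
        resources = _listify(stmt.get("Resource", []))
        for action in _listify(stmt.get("Action", [])):
            # IAM action names are case-insensitive, so compare in lower case.
            service, _, verb = action.lower().partition(":")
            if not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"stmt {idx}: {action} is not read-only")
            if service in ("iam", "*"):
                for res in resources:
                    if res not in ALLOWED_IAM_ROLES:
                        findings.append(f"stmt {idx}: {action} allowed on {res}")
    return findings

# Constructed sample built from actions listed on this page.
TRIAL_SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ce:GetCostAndUsage", "tag:GetResources", "cloudwatch:GetMetricData",
        "ec2:DescribeInstances", "organizations:ListAccounts",
        "savingsplans:DescribeSavingsPlans"]},
    {"Effect": "Allow", "Resource": sorted(ALLOWED_IAM_ROLES), "Action": [
        "iam:GetRolePolicy", "iam:SimulatePrincipalPolicy"]},
]}
# Constructed counter-example: a write action and an unscoped IAM read.
DRIFTED_SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:ModifyReservedInstances"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:GetPolicy"},
]}

if __name__ == "__main__":
    print(audit_policy(TRIAL_SAMPLE))
    for finding in audit_policy(DRIFTED_SAMPLE):
        print(finding)
```

Running the same check after each template update shows whether the credential has drifted from read-only.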

## Related Resources

* [What IAM permissions does the Archera AWS production deployment require?](https://docs.archera.ai/help-center/aws-onboarding/iam-permissions-production)
* [How Does Archera Access my AWS Environment?](https://docs.archera.ai/help-center/security/aws-access)
* [Can I test Archera in an AWS Sub-Account?](https://docs.archera.ai/help-center/aws-onboarding/test-in-subaccount)
