# What IAM Permissions Does the Trial Deployment Require?

## Overview

This page breaks down the read-only, least-privilege IAM credential required for the Trial of our AWS Platform Integration. It lets Archera read the minimum usage and cost metadata needed by our Trial analysis and modeling engine, with limited access to automation features.

> **Note:** This credential will prevent you from receiving any future platform updates and we don't recommend using it unless you have no other options. Please contact us if you would like this installation method enabled in your account. The standard [Production credential](/help-center/aws-onboarding/iam-permissions-production.md) is required to enable our full automation platform.

## Cost Explorer

Used to extract specific cost, usage, and commitment information associated with your organization's accounts:

```
ce:DescribeCostCategoryDefinition
ce:GetCostAndUsage
ce:GetCostAndUsageWithResources
ce:GetReservationCoverage
ce:GetReservationPurchaseRecommendation
ce:GetReservationUtilization
ce:GetSavingsPlansCoverage
ce:GetSavingsPlansPurchaseRecommendation
ce:GetSavingsPlansUtilization
ce:GetSavingsPlansUtilizationDetails
ce:GetRightsizingRecommendation
ce:GetCostForecast
ce:GetUsageForecast
ce:GetTags
ce:GetDimensionValues
ce:ListCostCategoryDefinitions
```

*(plus additional describe/get permissions)*

## Tags

Used to populate Tag Manager functionality and Tag-based segmentation:

```
tag:GetComplianceSummary
tag:GetResources
tag:GetTagKeys
tag:GetTagValues
```

## CloudWatch

Used to pull utilization metadata for your infrastructure (required for rightsizing and usage monitoring):

```
cloudwatch:ListMetrics
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData
```

## EC2

Read-only permissions to pull real-time usage, attribution, and commitment information for EC2 resources. These permissions never allow access to or modification of the underlying infrastructure; they expose only metadata (uptime, tags, deployment data, etc.):

```
ec2:DescribeInstances
ec2:DescribeReservedInstances
ec2:DescribeReservedInstancesListings
ec2:DescribeReservedInstancesModifications
ec2:DescribeReservedInstancesOfferings
ec2:GetReservedInstancesExchangeQuote
ec2:DescribeCapacityReservations
ec2:DescribeTags
ec2:DescribeVolumes
ec2:DescribeRegions
```

*(plus additional describe permissions)*

## RDS, Redshift, DynamoDB, ElastiCache, ElasticSearch, MemoryDB

Each of these services gets similar read-only describe permissions, used to pull real-time usage, attribution, and commitment information. They never allow access to or modification of the underlying infrastructure.

## Organizations

Used to enable segmentation and analysis based on AWS organization structure, and accurately reflect reservation attribution:

```
organizations:DescribeOrganization
organizations:ListAccounts
organizations:ListAccountsForParent
organizations:DescribeAccount
```

*(plus additional describe/list permissions)*

## Savings Plans

Used to provide analysis for savings plan coverage, savings, and attribution:

```
savingsplans:DescribeSavingsPlanRates
savingsplans:DescribeSavingsPlans
savingsplans:DescribeSavingsPlansOfferingRates
savingsplans:DescribeSavingsPlansOfferings
savingsplans:ListTagsForResource
```

## IAM

Restricted explicitly to Archera-related roles; required to verify permissions and ensure a valid installation:

```
iam:GetRolePolicy
iam:ListRolePolicies
iam:ListAttachedRolePolicies
iam:GetPolicy
iam:GetPolicyVersion
iam:SimulatePrincipalPolicy
```

Resource restrictions:

```
arn:aws:iam::*:role/ReservedAI
arn:aws:iam::*:role/ReservedAI-Read
arn:aws:iam::*:role/ReservedAI-Write
```
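One way to check a policy document against the two properties this page claims (read-only verbs, and `iam:` actions scoped to the three roles above). This is an added example, not Archera's code; `audit_policy`, `SAMPLE_POLICY` and the sample statements are hypothetical and constructed for illustration.

```python
# Verb prefixes used by every action listed on this page (a heuristic:
# it does not tell metadata reads apart from data reads).
READ_ONLY_PREFIXES = ("describe", "get", "list", "simulate")
# Resource restrictions the page gives for the iam:* actions.
ALLOWED_IAM_RESOURCES = {
    "arn:aws:iam::*:role/ReservedAI",
    "arn:aws:iam::*:role/ReservedAI-Read",
    "arn:aws:iam::*:role/ReservedAI-Write",
}

def _as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings; an empty list means read-only and role-scoped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants an open-ended set")
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if not verb.lower().startswith(READ_ONLY_PREFIXES):
                findings.append(f"{sid}: {action} is not a read-only verb")
            elif service.lower() == "iam" and not resources <= ALLOWED_IAM_RESOURCES:
                findings.append(f"{sid}: {action} is not scoped to the Archera roles")
    return findings

# Constructed sample policy for illustration; not Archera's policy document.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CostExplorer", "Effect": "Allow",
         "Action": ["ce:GetCostAndUsage", "ce:GetTags"], "Resource": "*"},
        {"Sid": "IamVerify", "Effect": "Allow",
         "Action": ["iam:GetRolePolicy", "iam:SimulatePrincipalPolicy"],
         "Resource": ["arn:aws:iam::*:role/ReservedAI",
                      "arn:aws:iam::*:role/ReservedAI-Read"]},
        {"Sid": "Drift", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "iam:GetPolicy"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against the policy JSON actually attached to the role in your account (loaded with `json.load`) before and after any update to catch added write actions or a widened `iam:` resource scope.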

## Related Resources

* [What IAM permissions does the Archera AWS production deployment require?](/help-center/aws-onboarding/iam-permissions-production.md)
* [How Does Archera Access my AWS Environment?](/help-center/security/aws-access.md)
* [Can I test Archera in an AWS Sub-Account?](/help-center/aws-onboarding/test-in-subaccount.md)


