Creating AWS Policy and AWS API Access Key

Register AWS Policy, create User and API Credentials


You need an existing or a new Amazon Web Services (AWS) account or an existing or a new AWS GovCloud (US) account. For more information, refer to the AWS documentation:

Kublr also support other AWS partitions, such as AWS CN (China), AWS Top Secret region, etc.


To deploy a cluster in your AWS account with Kublr, you need to create an AWS policy and AWS API Access Key. All cluster resources (e.g. nodes) are created in your AWS account through the AWS API and will be managed by Kublr.

Use your AWS root account credential to sign in to the AWS Management Console or AWS GovCloud (US) Management Console. If you have previously signed into the console with your IAM user credentials, your browser may open the IAM user sign-in page. To avoid this, choose sign in using your root account credentials link to access the AWS account sign-in page.

Create an AWS Security Policy for Kublr’s API Access

  1. Access AWS Console → IAM → Policies.

  2. Click Create Policy.

    Create policy

  3. On the Create Policy page, select JSON tab.

  4. In the Policy Document section, enter this policy profile

    Create your policy - JSON

  5. Click Next, set policy name, then click Create Policy.

    The new policy is created.

    Create your policy - success

Create AWS User with Programmatic Access

  1. Access IAM → Users, click Add Users.

    Add user

  2. Set username and click Next.

  3. At permissions tab, select Attach policies directly.

    Attach existing policy

  4. Select the policy you generated.

    Select the policy

  5. Click Next, overview settings, then click Create User.

    The new user is created and added to the list.

    User added

  6. Grant the created user with programmatic access as described here.

  7. Copy or download the Access Key ID and Secret Access Key.

    NOTE For the specific Access Key ID, viewing and copying of Secret Access Key is only available once.

Create a new AWS Access Key for existing user

  1. Do one of the following:

    • For currently logged in user: on the top right of the Console, click your account name or number, then select Security Credentials from the menu.
    • For IAM user: access IAM → Users, click user name, go to Security Credentials tab.
  2. Click Create New Access Key.

    Create new access key

  3. Consider alternative cases and proceed to the next step.

  4. Copy or download the key.

    NOTE This is the only time that the secret access key can be viewed or downloaded.

    Create new access key - success

  5. Click Done. The key is added and activated.