Create a CloudPouch IAM policy
CloudPouch needs only read-oriented IAM permissions: ce:GetCostAndUsage for billing data plus describe/list actions for the AWS resources its Cost Insights inspect. It never writes to your AWS account and installs no infrastructure in it — the app runs entirely on your desktop and talks to AWS the same way the AWS CLI does.
You have three ways to grant access. Most SSO users need no setup at all.
Option 1: Reuse an existing profile or role
Section titled “Option 1: Reuse an existing profile or role”CloudPouch reads the same local AWS configuration (~/.aws/config and ~/.aws/credentials) as the AWS CLI. If your existing profile, SSO role, or assumed role can already read Cost Explorer data and resource metadata — which is true for most admin, power-user, and read-only roles — just select that profile in CloudPouch and start analyzing. This is the usual path for AWS SSO (IAM Identity Center) setups.
The profile needs to read:
- AWS Cost Explorer data (
ce:GetCostAndUsage). - AWS Organizations account names (
organizations:ListAccounts), if you analyze a payer account and want account names instead of IDs. - Resource metadata for the Cost Insights you plan to run — for example
ec2:Describe*for EC2, EBS, Elastic IP, and NAT Gateway insights, orrds:Describe*actions for RDS.
Option 2: Create the policy manually
Section titled “Option 2: Create the policy manually”If you prefer a dedicated identity, create an IAM policy from the full JSON in AWS permissions and attach it to the IAM user or role behind your local AWS profile. The policy is one statement of read-only Get*/List*/Describe* actions against Resource: "*" — access is limited by the action list, not by resource ARNs.
Security-conscious teams can start from that policy and trim it: run the Cost Insights you actually use, then remove actions that never appear in CloudPouch’s permission-error details.
Option 3: Use the CloudFormation helper
Section titled “Option 3: Use the CloudFormation helper”CloudPouch provides an optional CloudFormation stack that creates the policy for you:
- Stack name:
CloudPouch-access-policy-stack - Created policy name:
CloudPouch-costs-policy
The stack creates an IAM policy and nothing else — it is a setup convenience, not CloudPouch runtime infrastructure. After the stack completes, attach CloudPouch-costs-policy to the IAM user or role your AWS profile uses. The stack’s policy may not yet include actions for the newest Cost Insights, so compare it against the AWS permissions baseline and add anything missing — CloudPouch’s permission issue details name the exact action if one is absent.
Attach the policy to an IAM user
Section titled “Attach the policy to an IAM user”If you use a plain IAM user:
- Open the IAM Users page in the AWS console.
- Select the user behind your local AWS credentials.
- Choose Add permissions, then Attach policies directly.
- Search for
CloudPouch-costs-policy(or your manually created policy). - Select it and add it to the user.
If you use an IAM role or an SSO permission set, attach the equivalent permissions through your normal access-management workflow instead.
Verify access
Section titled “Verify access”- Open CloudPouch and select the AWS profile.
- Run any Cost Insight — EBS is a good first test because it only needs
ec2:Describe*and cost data. - If something is missing, CloudPouch shows the exact service, region, API operation, and AWS error code (such as
AccessDenied) in the permission issue details, so you know precisely which action to add.
Related pages
Section titled “Related pages”- AWS permissions — the full policy JSON and per-service action families.
- Connect an AWS profile
- Troubleshooting