redStack provisions EC2 instances, VPCs, subnets, security groups, Elastic IPs, network interfaces, VPC peering connections, and route tables. Your AWS credentials need enough permissions to create and destroy all of these resources. There are two options. Choose based on the type of AWS account you are using.
To be safe, run redStack from a dedicated, single-purpose throwaway AWS account — one used solely for this lab with no other workloads, billing resources, or sensitive data. If a dedicated account is not practical, use Option B (least privilege) to limit the blast radius if credentials are ever compromised.

Option A: AdministratorAccess

Recommended for dedicated lab accounts. If you created a separate AWS account solely for this lab, AdministratorAccess is the right choice. There are no other workloads, billing resources, or sensitive data in the account to protect. Admin access on an empty account carries the same real-world risk as a scoped policy: if the credentials are compromised, the attacker can only reach the lab infrastructure you already plan to tear down. Least privilege adds meaningful protection when credentials could expose things beyond this lab. On a dedicated account, there is nothing else to expose. Use Option A and save the complexity of Option B for when it actually buys you something.
1. Create the IAM user

Open the IAM Console and navigate to Users → Create user. Set the username to redS-operator (or any name you prefer).

2. Attach AdministratorAccess

On the Set permissions screen, choose Attach policies directly. Search for AdministratorAccess and check the box next to it. Click Next, then Create user.

3. Generate an access key

Open the newly created user and go to the Security credentials tab. Click Create access key. Select Command Line Interface (CLI), acknowledge the recommendation, then click Next. Copy the Access Key ID and Secret Access Key. The secret is shown only once — save it now.

4. Configure the AWS CLI

Run aws configure from inside your redStack/ directory and enter the values from the previous step:
aws configure

Prompt                 | Value
AWS Access Key ID      | The access key ID you just copied
AWS Secret Access Key  | The secret access key you just copied
Default region name    | us-east-1 (or your chosen region — must match aws_region in terraform.tfvars)
Default output format  | json

Option B: Least-privilege policy

Only required if you are deploying into a shared or production AWS account. Use this option if the AWS account running redStack also contains other workloads, active resources, or anything you cannot afford to lose or expose. Scoping the credentials to only what redStack needs limits the blast radius if the access key is ever leaked or misused.
  • ec2:* — redStack is EC2-only infrastructure. Every resource Terraform creates and destroys (instances, VPCs, subnets, security groups, ENIs, EIPs, VPC peering, route tables) maps to an EC2 API call. No S3, RDS, Lambda, or other services are used.
  • sts:GetCallerIdentity — Terraform calls this at init to verify credentials and identify the account. Without it, terraform init fails before any resources are touched.
  • iam:GetUser, iam:GetUserPolicy, iam:ListUserPolicies, iam:ListAttachedUserPolicies — Read-only, self-scoped to ${aws:username}. Lets you inspect your own permissions when debugging an access-denied error. No IAM write access is granted, and the scope prevents reading any other principal's policies.

Minimum IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:ListUserPolicies",
        "iam:ListAttachedUserPolicies"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
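Before pasting a policy into a shared account it is worth checking that it still says what the bullets above promise: only ec2:* and sts:GetCallerIdentity on any resource, and only the four read-only IAM calls, scoped to the caller's own user ARN. The following Python script is an added example, not part of redStack or its documentation. It embeds the minimum policy from this page verbatim, plus a constructed over-broad policy to show what gets flagged, and audits each Allow statement offline; the allowed-action sets and the finding messages are this example's own.

```python
import json

# The "Minimum IAM policy" from the page, embedded verbatim so this check runs offline.
REDSTACK_POLICY = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:*", "sts:GetCallerIdentity"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetUser", "iam:GetUserPolicy", "iam:ListUserPolicies", "iam:ListAttachedUserPolicies"],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}'''

# A constructed, deliberately over-broad policy used only to show what the audit flags.
OVERLY_BROAD_POLICY = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}
  ]
}'''

# Everything Option B grants. IAM action names are case-insensitive, so both
# sets are kept lowercase and compared against a lowercased action.
ALLOWED_WILDCARD_ACTIONS = {a.lower() for a in ("ec2:*", "sts:GetCallerIdentity")}
ALLOWED_IAM_ACTIONS = {a.lower() for a in (
    "iam:GetUser", "iam:GetUserPolicy", "iam:ListUserPolicies", "iam:ListAttachedUserPolicies",
)}
# The only resource the IAM read calls may target: the calling user itself.
SELF_SCOPED_USER_ARN = "arn:aws:iam::*:user/${aws:username}"


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> list[str]:
    """Return one finding per grant that exceeds redStack's minimum policy.

    An empty list means every Allow statement is within scope: only ec2:* and
    sts:GetCallerIdentity on any resource, and only the four read-only IAM calls
    scoped to the caller's own user ARN."""
    findings = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed; "
                            "use explicit Action/Resource")
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action.lower() in ALLOWED_WILDCARD_ACTIONS or action.lower() in ALLOWED_IAM_ACTIONS:
                continue
            findings.append(f"statement {i}: action {action!r} is not part of redStack's minimum policy")
        # Any IAM call, allowed or not, must stay pinned to ${aws:username}.
        iam_actions = [a for a in actions if a.lower().startswith("iam:")]
        if iam_actions and resources != [SELF_SCOPED_USER_ARN]:
            findings.append(f"statement {i}: IAM actions must be self-scoped to "
                            f"{SELF_SCOPED_USER_ARN}, got {resources}")
    return findings


if __name__ == "__main__":
    for name, policy in (("redStack minimum", REDSTACK_POLICY),
                         ("constructed over-broad", OVERLY_BROAD_POLICY)):
        findings = audit_policy(policy)
        label = "within scope" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {label}")
        for finding in findings:
            print("  -", finding)
```

Run it on the policy you are about to paste (swap the string in REDSTACK_POLICY for your own) and expect no findings. The page's minimum policy passes; the constructed one is flagged three times: the stray s3:*, the iam:* wildcard, and an IAM statement whose Resource is "*" rather than the caller's own user ARN.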
1. Create the IAM user

Open the IAM Console and navigate to Users → Create user. Set the username to redS-operator.

2. Create the least-privilege policy

On the Set permissions screen, choose Attach policies directly, then click Create policy. Select the JSON tab and paste the policy above. Name the policy redStack-least-privilege, then click Create policy.

3. Attach the policy to the user

Return to the user creation screen. Search for redStack-least-privilege and check the box next to it. Click Next, then Create user.

4. Generate an access key

Open the newly created user and go to the Security credentials tab. Click Create access key. Select Command Line Interface (CLI), acknowledge the recommendation, then click Next. Copy the Access Key ID and Secret Access Key. The secret is shown only once.

5. Configure the AWS CLI

aws configure

Prompt                 | Value
AWS Access Key ID      | The access key ID you just copied
AWS Secret Access Key  | The secret access key you just copied
Default region name    | us-east-1 (must match aws_region in terraform.tfvars)
Default output format  | json

Verify credentials

After running aws configure, confirm the credentials work:
aws sts get-caller-identity
Expected output:
{
    "UserId": "AIDAXXXXXXXXXXXXXXXXX",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/redS-operator"
}
If this command returns an error, check that the access key was entered correctly in aws configure and that the IAM user has not been deactivated.
aws configure writes credentials to ~/.aws/credentials and region/output preferences to ~/.aws/config. Terraform reads these files automatically when it initializes. You only need to run aws configure once per machine.
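The two failure modes this section warns about, a mistyped key and a CLI region that does not match aws_region in terraform.tfvars, can both be caught before terraform init touches anything. The following Python preflight check is an added example, not part of redStack or its documentation. It parses the ~/.aws/credentials and ~/.aws/config files that aws configure writes, a terraform.tfvars excerpt, and the JSON that aws sts get-caller-identity prints, and reports any inconsistency. The sample file contents are constructed (the key id and secret are the placeholder values AWS uses in its own documentation), the expected-user check against redS-operator is this example's own addition, and the finding messages are invented here.

```python
import configparser
import json
import re

# Constructed sample files standing in for ~/.aws/credentials and ~/.aws/config.
# The key id and secret are AWS's documentation placeholders, not live credentials.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_CONFIG = """[default]
region = us-east-1
output = json
"""

# Constructed terraform.tfvars excerpt; the page only requires aws_region.
SAMPLE_TFVARS = """# constructed sample
aws_region = "us-east-1"
"""

# The expected shape of `aws sts get-caller-identity` output, as shown on the page.
SAMPLE_IDENTITY = """{
    "UserId": "AIDAXXXXXXXXXXXXXXXXX",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/redS-operator"
}"""


def load_profile(credentials_text, config_text, profile="default"):
    """Merge the credentials and config sections for one profile into a dict.

    Interpolation is disabled so a secret containing '%' is read verbatim.
    Note that the credentials file stores the secret key in plaintext."""
    creds = configparser.ConfigParser(interpolation=None)
    creds.read_string(credentials_text)
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(config_text)
    # ~/.aws/config names non-default profiles "[profile NAME]"; credentials does not.
    conf_section = profile if profile == "default" else f"profile {profile}"
    merged = {}
    if creds.has_section(profile):
        merged.update(creds[profile])
    if conf.has_section(conf_section):
        merged.update(conf[conf_section])
    return merged


def tfvars_region(tfvars_text):
    """Return the aws_region value from a terraform.tfvars body, or None if absent."""
    match = re.search(r'^\s*aws_region\s*=\s*"([^"]+)"', tfvars_text, re.MULTILINE)
    return match.group(1) if match else None


def preflight(credentials_text, config_text, tfvars_text, identity_json,
              expected_user, profile="default"):
    """Return a list of findings; an empty list means the CLI setup is consistent."""
    findings = []
    prof = load_profile(credentials_text, config_text, profile)
    for key in ("aws_access_key_id", "aws_secret_access_key", "region"):
        if not prof.get(key):
            findings.append(f"profile {profile!r}: {key} is missing; re-run aws configure")
    cli_region = prof.get("region")
    tf_region = tfvars_region(tfvars_text)
    if tf_region is None:
        findings.append("terraform.tfvars: aws_region is not set")
    elif cli_region and cli_region != tf_region:
        findings.append(f"region mismatch: CLI default region is {cli_region!r} "
                        f"but aws_region in terraform.tfvars is {tf_region!r}")
    # The last path component of a user ARN is the user name (paths may precede it).
    arn = json.loads(identity_json).get("Arn", "")
    if arn.rsplit("/", 1)[-1] != expected_user:
        findings.append(f"caller identity {arn!r} is not the expected IAM user {expected_user!r}")
    return findings


if __name__ == "__main__":
    # Hypothetical usage against the constructed samples; on a real machine read
    # ~/.aws/credentials, ~/.aws/config, terraform.tfvars and the CLI output instead.
    for finding in preflight(SAMPLE_CREDENTIALS, SAMPLE_CONFIG, SAMPLE_TFVARS,
                             SAMPLE_IDENTITY, "redS-operator") or ["preflight OK"]:
        print(finding)
```

With the constructed inputs the check passes. Pointing it at a tfvars file that sets a different aws_region, or at an identity JSON whose Arn names a different user, produces one finding each, which is exactly the situation in which terraform would otherwise fail partway through or deploy into the wrong region.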
