2.1 (latest)

AWS Thanos IAM Policy

In order to create an AWS IAM policy for use with Thanos:
  1. 1.
    Navigate to the AWS console and select IAM.
  2. 2.
    Select Policies in the Navigation menu, then select Create Policy.
  3. 3.
    Add the following JSON in the policy editor:
Make sure to replace <your-bucket-name> with the name of your newly-created S3 bucket.
"Version": "2012-10-17",
"Statement": [
"Sid": "Statement",
"Effect": "Allow",
"Action": [
"Resource": [
4. Select Review policy and name this policy, e.g. kc-thanos-store-policy.
  1. 5.
    Navigate to Users in IAM control panel, then select Add user.
  2. 6.
    Provide a username (e.g. kubecost-thanos-service-account) and select Programmatic access.
  3. 7.
    Select Attach existing policies directly, search for the policy name provided in Step 4, then create the user.
    Attach existing
  4. 8.
    Capture your Access Key ID and secret in the view below:
    Successful user creation
If you don’t want to use a service account, IAM credentials retrieved from an instance profile are also supported. You must get both access key and secret key from the same method (i.e. both from service or instance profile). More info on retrieving credentials here.