# Permissions Configuration

Datafy requires basic AWS permissions to view the EC2 instances your volumes are attached to, and to control the creation and modification of EBS volumes.

These permissions are granted by creating a dedicated IAM role and providing its ARN to Datafy.

{% hint style="info" %}
Permissions are configured per AWS account. If you wish to install Datafy on multiple AWS accounts, the following steps need to be performed for each account.
{% endhint %}

## Configure IAM Role

{% stepper %}
{% step %}

### Create IAM Role

We provide CloudFormation and Terraform templates for creating an IAM role. The template creates an IAM OIDC[^1] identity provider and an IAM role. The identity provider authenticates Datafy, so that only Datafy can use the created role.

When creating the role, define the permissions level of the role according to the Datafy product you intend to install:

* **Sensor permissions** - the role provides read-only permissions. It allows retrieving data about EC2 instances and the volumes attached to them.
* **AutoScaler permissions** - the role includes all of the Sensor read-only permissions, and adds modification and creation permissions. The role allows creation, modification and deletion of EBS volumes, which are used to manage your EBS storage devices.

{% tabs fullWidth="false" %}
{% tab title="CloudFormation template" %}
Create a new CloudFormation stack using the URL below as the template source (see screenshot).

{% code title="S3 URL" overflow="wrap" %}

```url
https://datafy-public-bucket.s3.amazonaws.com/cloudformation-template/aws_iam/cloudformation.yaml
```

{% endcode %}

<figure><img src="https://771905169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2lvi9EYpK4joSC6ZszEI%2Fuploads%2F4MqHwk17DwILFlR6jmA3%2Fimage.png?alt=media&#x26;token=4cfc1cb0-956a-4a79-b644-fb5397b12d9c" alt=""><figcaption></figcaption></figure>

Use the dropdown in the Parameters section to choose the desired permissions level.

<figure><img src="https://771905169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2lvi9EYpK4joSC6ZszEI%2Fuploads%2FjmPSihv51TKMY3mpZQUB%2Fimage.png?alt=media&#x26;token=29c142e6-f7a7-4c27-8e99-0a46bf591303" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Terraform module" %}
You can create the role using the [iam-role Terraform module](https://registry.terraform.io/modules/datafy-io/iam-role/datafy/1.0.2?tab=resources).\
Examples and usage instructions can be found in the module documentation.
{% endtab %}
{% endtabs %}
{% endstep %}

{% step %}

### Define Role ARN in Datafy Account

* In the Datafy dashboard, go to the **Permissions** section of the [account settings](https://app.datafy.io/settings). An Admin role is required to access the settings panel.
* Fill in the ARN of the IAM role you just created.
* The IAM role associated with the ARN will be validated. If the ARN is incorrect, or the permissions in the associated role are incorrect, you will receive an error.

{% hint style="info" %}
If your AWS account has an attached organizational [SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html), the IAM role cannot be validated. Please contact support to complete your setup.
{% endhint %}

<figure><img src="https://771905169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2lvi9EYpK4joSC6ZszEI%2Fuploads%2FMayQTmI1pg9Ro11qTRXd%2FRole-ARN.png?alt=media&#x26;token=0690e817-a4ee-473d-bc0f-46df96873d97" alt=""><figcaption><p>Configure the role ARN in the dashboard settings</p></figcaption></figure>
{% endstep %}
{% endstepper %}
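
An added example, not part of Datafy's templates or documentation: a check you can run over the created role's trust policy to confirm that only an OIDC identity provider, pinned by an exact-match condition, can assume the role. The provider host, account ID, audience value and the shape of both sample policies are constructed assumptions.

```python
PROVIDER = "oidc.example.com"  # placeholder issuer host (assumption, not Datafy's)

# Constructed sample documents, shaped like the output of:
#   aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{PROVIDER}:aud": "example-audience"}},
}]}
LOOSE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
}]}


def as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return findings; an empty list means every Allow statement is OIDC-scoped."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"statement {i}: wildcard principal")
            continue
        federated = as_list(principal.get("Federated", []))
        others = sorted(k for k in principal if k != "Federated")
        if others or not federated:
            findings.append(f"statement {i}: non-federated principal {others}")
        if any(":oidc-provider/" not in arn for arn in federated):
            findings.append(f"statement {i}: Federated principal is not an OIDC provider")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"statement {i}: unexpected Action {stmt.get('Action')}")
        # The web identity token must be pinned by an exact match on aud or sub.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower().endswith((":aud", ":sub")) for k in exact):
            findings.append(f"statement {i}: no StringEquals on :aud or :sub")
    return findings


if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("LOOSE", LOOSE)):
        print(name, audit_trust_policy(doc) or "ok")
```
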

{% hint style="info" %}
If you're using custom encryption keys, please ensure that the Datafy role isn't restricted by your KMS policy. Datafy needs to be able to create volumes that "inherit" the keys of the original source volume that is being auto-scaled.
{% endhint %}

## Validate Configuration

After you've created and defined the IAM role, you can see all of the volumes in your account in the [Datafy dashboard](https://app.datafy.io/fleet-manager).

At this stage, you can view the AWS attributes of each volume, including its provisioned size, but not the actual utilization. To view the utilization of each volume, continue with the installation process.

[^1]: OpenID Connect
