Monk needs an IAM access key to provision and manage infrastructure in your AWS account. This page walks you through creating one with the right permissions.

What You Need

  • AWS Access Key ID
  • AWS Secret Access Key
  • Optional: default region (e.g., us-east-1)

Create Credentials

1. Open the IAM console

2. Create a dedicated user

   Click Create user. Name it something like monk-deploy. Do not grant console access: Monk only needs programmatic access, and a user with no login profile cannot be signed into if the key leaks.

3. Attach the Monk policy

   On the permissions step, choose Attach policies directly, then create a custom policy from the JSON under Required Permissions below and attach it to the user. Name it MonkClusterPolicy.

4. Create an access key

   After the user is created, open the user → Security credentials tab → Create access key. Choose “Third-party service” as the use case. Copy the Access Key ID and Secret Access Key. The secret is shown only once; if you lose it, create a new key and delete the old one rather than trying to recover it.

5. Provide to Monk

   When you deploy to AWS, Monk requests credentials through a secure form in your IDE. Paste them there. You can also tell your agent:
   ask Monk to update my AWS credentials

Required Permissions

For a quick start you can attach the broad AWS managed policies:
  • AmazonEC2FullAccess
  • AmazonVPCFullAccess
  • IAMReadOnlyAccess
These grant far more than Monk uses (all of EC2 and ELB) yet still omit services the custom policy below relies on, such as ACM, DLM and KMS, so features that depend on them (HTTPS certificates, automated backups) can fail with permission errors. For production, use the minimum custom policy below. It covers what Monk needs and nothing more. Scope summary:
  • EC2 instances, images, instance types, regions and availability zones
  • VPCs, subnets, route tables, internet gateways
  • Security groups, network interfaces, Elastic IPs
  • EBS volumes and snapshots, plus tagging of created resources
  • Load balancers, listeners and target groups (ELBv2)
  • ACM certificates (HTTPS)
  • DLM lifecycle policies (automated backups), with iam:PassRole limited to the AWSDataLifecycleManagerDefaultRole service role
  • KMS keys and aliases (used to encrypt credentials stored on the cluster; see How Credentials Are Stored)
  • sts:GetCallerIdentity and IAM policy simulation (SimulateCustomPolicy, SimulatePrincipalPolicy)
  • CloudWatch metric reads, Pricing and Cost Explorer reads
Note that every statement except MonkIAMPassRole uses "Resource": "*". The action list is minimal, but each action applies to every matching resource in the account, so run Monk under a dedicated user at least, and preferably in a dedicated account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MonkEC2Instances",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Images",
      "Effect": "Allow",
      "Action": ["ec2:DescribeImages"],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2RegionsAndZones",
      "Effect": "Allow",
      "Action": ["ec2:DescribeRegions", "ec2:DescribeAvailabilityZones"],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2VPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:CreateVpc",
        "ec2:CreateDefaultVpc",
        "ec2:ModifyVpcAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Subnets",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets",
        "ec2:CreateSubnet",
        "ec2:CreateDefaultSubnet",
        "ec2:ModifySubnetAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2InternetGateways",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInternetGateways",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2RouteTables",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRouteTables",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2SecurityGroups",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSecurityGroupRules",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2NetworkInterfaces",
      "Effect": "Allow",
      "Action": ["ec2:DeleteNetworkInterface"],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2ElasticIPs",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:ReleaseAddress"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Volumes",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:ModifyVolume"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Snapshots",
      "Effect": "Allow",
      "Action": ["ec2:DescribeSnapshots", "ec2:DeleteSnapshot"],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Tags",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": "*"
    },
    {
      "Sid": "MonkELBv2",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:AddTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkACM",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:ListTagsForCertificate",
        "acm:GetCertificate",
        "acm:ImportCertificate",
        "acm:DeleteCertificate",
        "acm:DescribeCertificate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkDLM",
      "Effect": "Allow",
      "Action": [
        "dlm:GetLifecyclePolicies",
        "dlm:GetLifecyclePolicy",
        "dlm:CreateLifecyclePolicy",
        "dlm:UpdateLifecyclePolicy",
        "dlm:DeleteLifecyclePolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkSTS",
      "Effect": "Allow",
      "Action": ["sts:GetCallerIdentity"],
      "Resource": "*"
    },
    {
      "Sid": "MonkIAMPassRole",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/service-role/AWSDataLifecycleManagerDefaultRole"
    },
    {
      "Sid": "MonkIAMSimulate",
      "Effect": "Allow",
      "Action": ["iam:SimulateCustomPolicy", "iam:SimulatePrincipalPolicy"],
      "Resource": "*"
    },
    {
      "Sid": "MonkKMS",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:DescribeKey",
        "kms:CreateKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:ScheduleKeyDeletion",
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:EnableKey",
        "kms:DisableKey",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkCloudWatch",
      "Effect": "Allow",
      "Action": ["cloudwatch:GetMetricData"],
      "Resource": "*"
    },
    {
      "Sid": "MonkPricing",
      "Effect": "Allow",
      "Action": ["pricing:GetProducts", "ce:GetCostAndUsage"],
      "Resource": "*"
    }
  ]
}
Alternatively, do the same from the AWS CLI. The user name matches the console steps above; the access key is printed exactly once, so capture it straight away.

# Create the IAM user (programmatic access only; no login profile is created)
aws iam create-user --user-name monk-deploy

# Create the policy (save the JSON above as monk-policy.json) and keep its ARN
POLICY_ARN=$(aws iam create-policy \
  --policy-name MonkClusterPolicy \
  --policy-document file://monk-policy.json \
  --query 'Policy.Arn' --output text)

# Attach the policy to the user
aws iam attach-user-policy \
  --user-name monk-deploy \
  --policy-arn "$POLICY_ARN"

# Create the access key; the SecretAccessKey in this output cannot be retrieved again
aws iam create-access-key --user-name monk-deploy

How Credentials Are Stored

Credentials are encrypted at rest in your IDE’s secret storage and on your Monk cluster using your cloud provider’s KMS — so your infrastructure can manage itself autonomously. They are never sent to Monk servers and never exposed to the LLM. See Security for full details.

Troubleshooting

  • Access key inactive: open the user in the IAM console, check the Security credentials tab, and confirm the key's status is Active.
  • Missing permissions: if Monk reports permission errors, compare the attached policy against the minimum policy above; the action named in the error should appear in one of its Allow statements.
  • Region mismatch: if you specified a default region, make sure it is a valid AWS region code (e.g., us-east-1) that is enabled for your account.
  • Key does not work at all: run aws sts get-caller-identity with the new key; it should return the ARN of the dedicated user you created, not some other identity.
Ask your agent for help:
ask Monk why my AWS credentials are not working
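To act on the "Missing permissions" item above (compare the attached policy against the minimum policy) and to review a policy before attaching it, here is an added Python example; it is not Monk's own code. It diffs the actions of an attached policy against a reference, flags the over-broad patterns a reviewer would reject (service-wide wildcards, iam:PassRole on every role, IAM write actions), and includes an optional boto3 helper that calls IAM's SimulatePrincipalPolicy for the live user. The two policy documents embedded in it are constructed, trimmed stand-ins for the real MonkClusterPolicy, and REFERENCE_POLICY, ATTACHED_POLICY, simulate_live and the user ARN are names this example introduces.

```python
"""Compare an attached IAM policy with the MonkClusterPolicy reference and lint it.

Added example, not Monk's own code. The offline checks run on the two constructed
policy documents below; `simulate_live` is an optional boto3 helper that needs AWS
credentials and is not called on import.
"""
import fnmatch

# Constructed sample: a trimmed stand-in for the MonkClusterPolicy statements above.
REFERENCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "MonkEC2Instances", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Sid": "MonkDLM", "Effect": "Allow",
         "Action": ["dlm:GetLifecyclePolicies", "dlm:CreateLifecyclePolicy"],
         "Resource": "*"},
        {"Sid": "MonkIAMPassRole", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/service-role/AWSDataLifecycleManagerDefaultRole"},
        {"Sid": "MonkSTS", "Effect": "Allow", "Action": ["sts:GetCallerIdentity"],
         "Resource": "*"},
    ],
}

# Constructed sample: what an operator actually attached. It omits DLM (backups would
# fail) and is over-broad in two places the linter should catch.
ATTACHED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EC2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "PassRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "STS", "Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Every action pattern granted by an Allow statement (Deny statements are ignored)."""
    return {a for st in policy["Statement"] if st.get("Effect") == "Allow"
            for a in _as_list(st.get("Action", []))}


def _is_granted(patterns, action):
    """IAM action matching is case-insensitive; '*' and '?' are the wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(attached, reference):
    """Reference actions that no Allow statement in `attached` covers, sorted."""
    granted = allowed_actions(attached)
    return sorted(a for a in allowed_actions(reference) if not _is_granted(granted, a))


def lint_policy(policy):
    """Findings a reviewer would raise before attaching the policy to a deploy key."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action grants a whole service, not the listed calls")
        if "iam:passrole" in actions and "*" in resources and "Condition" not in st:
            findings.append(f"{sid}: iam:PassRole on Resource '*' lets this key hand any role "
                            "in the account to EC2 or DLM; scope it to the DLM service role")
        if any(a.startswith("iam:") and not a.startswith(
                ("iam:get", "iam:list", "iam:simulate", "iam:passrole")) for a in actions):
            findings.append(f"{sid}: IAM write action; a deploy key should not manage IAM")
    return findings


def simulate_live(user_arn, actions, session=None):
    """Ask IAM to evaluate the user's effective permissions (needs AWS credentials).

    Returns {action: "allowed" | "explicitDeny" | "implicitDeny"}.
    """
    import boto3  # imported here so the offline checks above need no AWS SDK
    iam = (session or boto3).client("iam")
    resp = iam.simulate_principal_policy(PolicySourceArn=user_arn, ActionNames=list(actions))
    return {r["EvalActionName"]: r["EvalDecision"] for r in resp["EvaluationResults"]}


if __name__ == "__main__":
    for action in missing_actions(ATTACHED_POLICY, REFERENCE_POLICY):
        print("missing:", action)
    for finding in lint_policy(ATTACHED_POLICY):
        print("finding:", finding)
```

To use it against your real setup, put the full MonkClusterPolicy JSON in place of REFERENCE_POLICY and the document returned by aws iam get-policy-version (the DefaultVersionId from aws iam get-policy) in place of ATTACHED_POLICY; every action reported as missing corresponds to a permission error Monk would hit. simulate_live is the authoritative check because it also accounts for group policies, permission boundaries and service control policies that a static diff cannot see.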

Deploy your first app

Credentials ready — now deploy