Pump takes permissions only at the billing level, so customers retain full control of their accounts and cloud services.
Pump operates through two types of roles: Read-only and Auto-pilot.
Read-only Role
This role is used during the initial onboarding step (Step 1). It requires read-only permissions to access up to one year of historical billing data (via Cost Explorer) and your AWS infrastructure metadata (such as the Redshift cluster you are using and whether it is already covered by reserved instances). After ingesting this data, Pump's billing engine calculates optimal savings. Once a user is fully onboarded, the read-only role is used again to display cost and savings on the Pump dashboard, helping users monitor their current spending and the savings achieved by Pump.
The specific permissions associated with the Read-only role can be found in the dropdown below.
Read-only Role JSON
{
  "Parameters": {
    "PumpID": {
      "Description": "The Pump customer ID that syncs your account. Please don't change or share this.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpExternalID": {
      "Description": "The Pump external ID that authenticates your account. Please don't change or share this.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpIamRole": {
      "Description": "The Pump IAM role that has permission to your account.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpPingbackArn": {
      "Description": "The arn used to communicate back to Pump.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpRoleType": {
      "Description": "The type of the role Pump is creating.",
      "MinLength": "1",
      "Type": "String"
    },
    "AccountState": {
      "Description": "The current state of the account.",
      "MinLength": "0",
      "Type": "String"
    }
  },
  "Resources": {
    "CrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "AWS": {"Ref": "PumpIamRole"}
            },
            "Action": [
              "sts:AssumeRole"
            ],
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": {"Ref": "PumpExternalID"}
              }
            }
          }]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "PumpBillingReadOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "account:GetContactInformation",
                    "account:ListRegions",
                    "ce:*",
                    "cur:*",
                    "organizations:Describe*",
                    "organizations:List*",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicies",
                    "freetier:GetFreeTierUsage",
                    "pricing:DescribeServices",
                    "pricing:GetAttributeValues",
                    "pricing:GetProducts",
                    "pricing:ListPriceLists",
                    "savingsplans:Describe*",
                    "servicequotas:Get*",
                    "servicequotas:List*",
                    "taxsettings:Get*",
                    "taxsettings:List*",
                    "ec2:DescribeInstances",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeReservedInstancesListings",
                    "ec2:DescribeReservedInstancesModifications",
                    "ec2:DescribeReservedInstancesOfferings",
                    "ec2:GetCapacityReservationUsage",
                    "ec2:GetReservedInstancesExchangeQuote",
                    "redshift:DescribeReservedNodeOfferings",
                    "redshift:DescribeReservedNodes",
                    "redshift:DescribeClusters",
                    "redshift:DescribeReservedNodeExchangeStatus",
                    "redshift:GetReservedNodeExchangeConfigurationOptions",
                    "redshift:GetReservedNodeExchangeOfferings",
                    "rds:DescribeReservedDBInstances",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBClusters",
                    "rds:DescribeReservedDBInstancesOfferings",
                    "elasticache:DescribeReservedCacheNodesOfferings",
                    "elasticache:DescribeServerlessCaches",
                    "elasticache:DescribeReservedCacheNodes",
                    "elasticache:DescribeCacheClusters",
                    "es:DescribeDomainNodes",
                    "es:DescribeReservedElasticsearchInstanceOfferings",
                    "es:DescribeReservedElasticsearchInstances",
                    "es:DescribeReservedInstanceOfferings",
                    "es:DescribeElasticsearchDomain",
                    "es:DescribeDomains",
                    "es:DescribeDomain",
                    "es:DescribeElasticsearchDomains",
                    "es:DescribeReservedInstances",
                    "medialive:ListReservations",
                    "medialive:DescribeReservation",
                    "medialive:ListClusters",
                    "medialive:DescribeCluster",
                    "medialive:DescribeNode",
                    "medialive:ListOfferings",
                    "medialive:DescribeOffering",
                    "medialive:ListNodes",
                    "memorydb:DescribeReservedNodesOfferings",
                    "memorydb:DescribeClusters",
                    "memorydb:DescribeReservedNodes",
                    "dynamodb:DescribeReservedCapacityOfferings",
                    "dynamodb:DescribeReservedCapacity"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ]
            }
          }
        ]
      }
    },
    "PumpPingResource": {
      "Type": "Custom::PumpPingResource",
      "DeletionPolicy": "Retain",
      "Version": "1.0",
      "Properties": {
        "ServiceToken": {
          "Ref": "PumpPingbackArn"
        },
        "RoleArn": {
          "Fn::GetAtt": [ "CrossAccountRole", "Arn" ]
        },
        "PumpID": {
          "Ref": "PumpID"
        },
        "ExternalID": {
          "Ref": "PumpExternalID"
        },
        "AccountID": {
          "Ref": "AWS::AccountId"
        },
        "RoleType": {
          "Ref": "PumpRoleType"
        },
        "AccountState": {
          "Ref": "AccountState"
        }
      }
    }
  },
  "Outputs": {
    "RoleArn": {
      "Value": {"Fn::GetAtt": [ "CrossAccountRole", "Arn" ]},
      "Description": "The ARN value of the Cross-Account Role with IAM read-only permissions. Add this ARN value to Pump."
    }
  }
}
Auto-pilot Role
This role is employed after the final onboarding step. It includes all the permissions from the read-only role, as well as additional read-only permissions for collecting service usage metadata, such as compute instance metadata. Note that Pump does not collect application data or user data—only usage metadata is collected. In addition to gathering usage metadata, the auto-pilot role also requires permission to buy and sell reserved instances and savings plans. Pump's AI algorithms process the usage metadata and manage cost commitments on behalf of users.
The specific permissions associated with the Auto-pilot role can be found in the dropdown below.
Auto-pilot Role JSON
{
  "Parameters": {
    "PumpID": {
      "Description": "The Pump customer ID that syncs your account. Please don't change or share this.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpExternalID": {
      "Description": "The Pump external ID that authenticates your account. Please don't change or share this.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpIamRole": {
      "Description": "The Pump IAM role that has permission to your account.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpPingbackArn": {
      "Description": "The arn used to communicate back to Pump.",
      "MinLength": "1",
      "Type": "String"
    },
    "PumpRoleType": {
      "Description": "The type of the role Pump is creating.",
      "MinLength": "1",
      "Type": "String"
    },
    "AccountState": {
      "Description": "The current state of the account.",
      "MinLength": "0",
      "Type": "String"
    }
  },
  "Resources": {
    "CrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "AWS": {"Ref": "PumpIamRole"}
            },
            "Action": [
              "sts:AssumeRole"
            ],
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": {"Ref": "PumpExternalID"}
              }
            }
          }]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "PumpOrgInvite",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "organizations:Describe*",
                    "organizations:List*",
                    "organizations:AcceptHandshake",
                    "iam:CreateServiceLinkedRole"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ]
            }
          },
          {
            "PolicyName": "PumpReadOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "account:GetContactInformation",
                    "account:ListRegions",
                    "ce:*",
                    "cur:*",
                    "organizations:Describe*",
                    "organizations:List*",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicies",
                    "freetier:GetFreeTierUsage",
                    "pricing:DescribeServices",
                    "pricing:GetAttributeValues",
                    "pricing:GetProducts",
                    "pricing:ListPriceLists",
                    "savingsplans:Describe*",
                    "servicequotas:Get*",
                    "servicequotas:List*",
                    "taxsettings:Get*",
                    "taxsettings:List*",
                    "ec2:DescribeInstances",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeReservedInstancesListings",
                    "ec2:DescribeReservedInstancesModifications",
                    "ec2:DescribeReservedInstancesOfferings",
                    "ec2:GetCapacityReservationUsage",
                    "ec2:GetReservedInstancesExchangeQuote",
                    "redshift:DescribeReservedNodeOfferings",
                    "redshift:DescribeReservedNodes",
                    "redshift:DescribeClusters",
                    "redshift:DescribeReservedNodeExchangeStatus",
                    "redshift:GetReservedNodeExchangeConfigurationOptions",
                    "redshift:GetReservedNodeExchangeOfferings",
                    "rds:DescribeReservedDBInstances",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBClusters",
                    "rds:DescribeReservedDBInstancesOfferings",
                    "elasticache:DescribeReservedCacheNodesOfferings",
                    "elasticache:DescribeServerlessCaches",
                    "elasticache:DescribeReservedCacheNodes",
                    "elasticache:DescribeCacheClusters",
                    "es:DescribeDomainNodes",
                    "es:DescribeReservedElasticsearchInstanceOfferings",
                    "es:DescribeReservedElasticsearchInstances",
                    "es:DescribeReservedInstanceOfferings",
                    "es:DescribeElasticsearchDomain",
                    "es:DescribeDomains",
                    "es:DescribeDomain",
                    "es:DescribeElasticsearchDomains",
                    "es:DescribeReservedInstances",
                    "medialive:ListReservations",
                    "medialive:DescribeReservation",
                    "medialive:ListClusters",
                    "medialive:DescribeCluster",
                    "medialive:DescribeNode",
                    "medialive:ListOfferings",
                    "medialive:DescribeOffering",
                    "medialive:ListNodes",
                    "memorydb:DescribeReservedNodesOfferings",
                    "memorydb:DescribeClusters",
                    "memorydb:DescribeReservedNodes",
                    "dynamodb:DescribeReservedCapacityOfferings",
                    "dynamodb:DescribeReservedCapacity"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ]
            }
          },
          {
            "PolicyName": "PumpAutoPilot",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "cloudfront:CreateSavingsPlan",
                    "cloudfront:UpdateSavingsPlan",
                    "dynamodb:PurchaseReservedCapacityOfferings",
                    "ec2:AcceptReservedInstancesExchangeQuote",
                    "ec2:CancelReservedInstancesListing",
                    "ec2:CreateReservedInstancesListing",
                    "ec2:DeleteQueuedReservedInstances",
                    "ec2:ModifyReservedInstances",
                    "ec2:PurchaseHostReservation",
                    "ec2:PurchaseReservedInstancesOffering",
                    "ec2:CreateTags",
                    "elasticache:PurchaseReservedCacheNodesOffering",
                    "es:PurchaseReservedInstanceOffering",
                    "es:PurchaseReservedElasticsearchInstanceOffering",
                    "medialive:PurchaseOffering",
                    "rds:PurchaseReservedDbInstancesOffering",
                    "redshift:AcceptReservedNodeExchange",
                    "redshift:PurchaseReservedNodeOffering",
                    "savingsplans:*",
                    "servicequotas:RequestServiceQuotaIncrease",
                    "support:*",
                    "budgets:Describe*",
                    "budgets:View*",
                    "budgets:List*",
                    "autoscaling:Describe*",
                    "autoscaling:GetPredictiveScalingForecast",
                    "application-autoscaling:Describe*",
                    "application-autoscaling:GetPredictiveScalingForecast",
                    "application-autoscaling:ListTagsForResource",
                    "autoscaling-plans:GetScalingPlanResourceForecastData",
                    "autoscaling-plans:DescribeScalingPlans",
                    "autoscaling-plans:DescribeScalingPlanResources",
                    "memorydb:PurchaseReservedNodesOffering",
                    "memorydb:TagResource"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
                }
              ]
            }
          }
        ]
      }
    },
    "PumpPingResource": {
      "Type": "Custom::PumpPingResource",
      "DeletionPolicy": "Retain",
      "Version": "1.0",
      "Properties": {
        "ServiceToken": {
          "Ref": "PumpPingbackArn"
        },
        "RoleArn": {
          "Fn::GetAtt": [ "CrossAccountRole", "Arn" ]
        },
        "PumpID": {
          "Ref": "PumpID"
        },
        "ExternalID": {
          "Ref": "PumpExternalID"
        },
        "AccountID": {
          "Ref": "AWS::AccountId"
        },
        "RoleType": {
          "Ref": "PumpRoleType"
        },
        "AccountState": {
          "Ref": "AccountState"
        }
      }
    }
  },
  "Outputs": {
    "RoleArn": {
      "Value": {"Fn::GetAtt": [ "CrossAccountRole", "Arn" ]},
      "Description": "The ARN value of the Cross-Account Role with IAM read-only permissions. Add this ARN value to Pump."
    }
  }
}
Role Deployment
Pump automates cross-account role deployment using AWS CloudFormation (CFN) and, more specifically, "quick-create links." These links enable Pump to pass a CFN template along with user-specific parameters, such as the cross-account role, external ID, Pump ID, and more.
Users only need to click the quick-create link and then click "deploy" to have the role deployed to their AWS account. The CFN templates are stored publicly, allowing users to review them before agreeing to the deployment. These can be viewed in the section above.
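Because the templates are public, the review before clicking "deploy" can be done mechanically. The Python below is an added example, not Pump's code: it parses a constructed template shaped like the two above, confirms the trust policy grants only sts:AssumeRole and conditions it on sts:ExternalId (the confused-deputy control), and lists every allowed action whose verb is not read-only, so the purchase and exchange permissions the auto-pilot role adds stand out next to the read-only set. READ_ONLY_VERBS is this example's own heuristic, and the template is assumed to be already-parsed JSON.

```python
READ_ONLY_VERBS = ("Describe", "Get", "List", "View")

# Constructed sample: a trimmed template in the same shape as the two above (not a real deployment).
SAMPLE_TEMPLATE = {"Resources": {"CrossAccountRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": {"Ref": "PumpIamRole"}}, "Action": ["sts:AssumeRole"],
        "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "PumpExternalID"}}}}]},
    "Policies": [
        {"PolicyName": "ReadOnly", "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["ce:*", "ec2:DescribeInstances", "rds:DescribeDBInstances"]}]}},
        {"PolicyName": "AutoPilot", "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["ec2:PurchaseReservedInstancesOffering", "support:*", "autoscaling:Describe*"]}]}}]}}}}

def _as_list(value):
    # IAM accepts either a single string or a list for Action.
    return value if isinstance(value, list) else [value]

def trust_policy_findings(props):
    """Problems with a role's trust policy; an empty list means it passes both checks."""
    findings = []
    for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a != "sts:AssumeRole" for a in _as_list(stmt.get("Action", []))):
            findings.append("trust policy allows more than sts:AssumeRole")
        # Without the external ID condition, any party who knows the role ARN could be proxied into it.
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("sts:AssumeRole is not conditioned on sts:ExternalId")
    return findings

def non_read_only_actions(props):
    """Per inline policy, the allowed actions whose verb is not read-only (service wildcards count)."""
    flagged = {}
    for policy in props.get("Policies", []):
        for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action", [])):
                verb = action.split(":", 1)[-1]          # "ec2:DescribeInstances" -> "DescribeInstances"
                if not verb.startswith(READ_ONLY_VERBS):  # "*" and "Purchase..." both land here
                    flagged.setdefault(policy["PolicyName"], []).append(action)
    return flagged

def audit(template):
    """Run both checks over every AWS::IAM::Role in a parsed CloudFormation template."""
    return {name: {"trust": trust_policy_findings(res["Properties"]),
                   "write_actions": non_read_only_actions(res["Properties"])}
            for name, res in template["Resources"].items()
            if res.get("Type") == "AWS::IAM::Role"}
```

Run against a real quick-create template, an empty "trust" list plus a "write_actions" map that contains only the actions the role description promised is the expected result; anything else is worth a question before deploying.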
Viewing, Deleting, and Redeploying Roles
Pump gains billing-level access to your accounts through IAM roles. You can view any active role in the IAM console on the AWS platform.
Roles can also be deleted at any time from the IAM console. Deleting a role will not affect the status of your workloads or interrupt access to cloud resources. However, deleting or editing roles will cause Pump to lose visibility into your cloud usage and interrupt your savings services.
In the event that you accidentally delete our role or need to deploy an additional role, role deployments can be done through our platform for existing customers. To deploy a role from our platform, begin by navigating to Settings > Integrations. Click the three dots next to the account you wish to deploy a role to, and select which role you wish to deploy.
During deployment, after role creation, a list of properties is sent to Pump's management account:
Pump ID
Cross-account role ARN
Pump external ID
User's account ID
Role type (read-only or auto-pilot)
Additional Info
If CloudFormation deployments do not work for your infrastructure, we also offer Terraform-based deployments. Please contact our support team for more information at support@pump.co.