
We just shipped a one-click AWS onboarding flow using IAM temporary delegation. Here’s how it works.

Every step in your onboarding flow is an opportunity for customers to drop off. We saw this firsthand with our AWS connection process. Despite offering CloudFormation templates, Terraform configs, and detailed guides, the 5-10 minute setup with multiple context switches was causing friction. Customers had to navigate between documentation, copy IAM policies, configure trust relationships, and verify everything worked correctly.
For a product-led growth motion, this is a dealbreaker. You need customers to experience value quickly, without barriers. Every extra step, every page refresh, every “wait, which value do I copy here?” moment increases the chance they’ll abandon the process.
We rebuilt AWS onboarding from the ground up using AWS IAM Temporary Delegation. Now it takes under a minute and requires just one click.
Here’s the entire customer experience: Click “Connect with AWS” in Archera → Review permissions in AWS Console → Approve → Done. You’re immediately analyzing your cloud costs.
No copying values. No switching between documentation tabs. No wondering if you configured it correctly. Just a single, guided flow that gets you to value in seconds.
The breakthrough here is maintaining enterprise-grade security while making onboarding effortless. Customers were rightfully cautious about our previous methods—manually configuring IAM roles felt risky if you weren’t sure what you were doing.

With IAM Temporary Delegation, you see exactly what permissions Archera requests in the AWS Console before approving. The permissions are displayed by AWS itself, not just in our documentation. This transparency builds trust and makes customers comfortable approving access.

Behind the scenes, AWS sends us a temporary credential that lasts one hour. We use it to create the ReservedAI-Write IAM role with proper security controls: trust policies, external IDs, and permission boundaries. The temporary credential expires after setup completes. Everything generates CloudTrail events in your account for a complete audit trail.
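A customer-side check of the controls named above (trust policy, external ID, permission boundary), as an added example that is not Archera's code. It assumes a role object shaped like the output of IAM `GetRole`; the account IDs, external ID and boundary ARN are placeholders, and `audit_role` is a hypothetical helper.

```python
# Constructed sample shaped like the "Role" object from IAM GetRole (boto3
# returns AssumeRolePolicyDocument as a dict). All IDs/ARNs are placeholders.
SAMPLE_ROLE = {
    "RoleName": "ReservedAI-Write",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        }],
    },
    "PermissionsBoundary": {
        "PermissionsBoundaryType": "Policy",
        "PermissionsBoundaryArn": "arn:aws:iam::222222222222:policy/EXAMPLE-BOUNDARY",
    },
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_role(role, vendor_account):
    """Return findings for a cross-account role; an empty list means it passed."""
    findings = []
    if not role.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn"):
        findings.append("no permissions boundary attached")
    for stmt in as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if principal == "*":
            findings.append("trust policy allows any principal")
            continue
        trusted = as_list(principal.get("AWS", []))
        for p in trusted:
            # Principal may be a bare account ID or an ARN (account is field 4).
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account != vendor_account:
                findings.append(f"unexpected trusted principal: {p}")
        # IAM condition key names are case-insensitive, so normalise them.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if trusted and not external_id:
            findings.append("cross-account trust without sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, "111111111111") or "all checks passed")
```
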

This matters for our product-led growth strategy. When customers can onboard themselves in under a minute without confusion or security concerns, they complete the process. They connect their AWS account, see their cost data, and start experiencing value immediately.
The ReservedAI-Write role gives Archera read access to your billing data and resource usage across all AWS services. We use this to analyze your costs and identify optimization opportunities.
The role also includes write permissions to purchase and manage Reserved Instances, Savings Plans, and capacity reservations on your behalf. This lets Archera automate commitment purchases when you enable that feature. You maintain full control—Archera never makes purchases without your explicit approval.
We never access your application data, running workloads, or security configurations. All permissions are focused on cost optimization.
This same delegation flow will power future feature adoption. When we introduce new capabilities that need additional AWS permissions, you’ll get a notification with a button to enable them. Same one-click flow, same transparent review in AWS Console, same automatic configuration.
This is how you build product-led growth: make the customer experience so smooth that onboarding becomes invisible, while maintaining the security and trust that enterprise customers require.