AWS Setup & Prerequisites
Connect Stackpane to your AWS account with IAM credentials, permissions, and region configuration.
Overview
Stackpane connects to AWS using IAM access keys and SigV4 request signing. This guide walks through creating the required credentials, configuring permissions, selecting a region, and connecting Stackpane to your AWS account.
Creating an IAM User
Create a dedicated IAM user for Stackpane rather than using your root account credentials.
1. Create the IAM Policy
First, create a policy that grants access to the AWS services Stackpane needs:
- Open the IAM Console in your AWS account.
- Navigate to Policies in the left sidebar and click Create policy.
- Click the JSON tab in the policy editor.
- Replace the default content with the policy document below.
- Click Next.
- Enter a policy name (e.g., StackpaneAccess).
- Click Create policy.
IAM Policy
The policy below includes permissions for all Stackpane features. You only need to include the statement blocks for the services you use — remove any you don’t need.
| Statement | Stackpane Feature | Required? |
|---|---|---|
| StackpaneDynamoDB | DynamoDB Browser | If using DynamoDB |
| StackpaneCognito | User Management | If using Cognito |
| StackpaneS3 | Storage Browser | If using S3 |
| StackpaneLambda | Lambda Functions | If using Lambda |
| StackpaneCloudWatchLogs | CloudWatch Logs | If using log viewing |
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StackpaneDynamoDB",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StackpaneCognito",
      "Effect": "Allow",
      "Action": [
        "cognito-idp:ListUsers",
        "cognito-idp:AdminGetUser",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminUpdateUserAttributes",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminResetUserPassword",
        "cognito-idp:AdminUserGlobalSignOut"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StackpaneS3",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StackpaneLambda",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetFunction",
        "lambda:InvokeFunction"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StackpaneCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
Scoping Access to Your Project
Unlike Firebase and Supabase, where credentials are scoped to a single project, AWS credentials grant access to all resources in your account (within the selected region). With "Resource": "*", Stackpane will show every DynamoDB table, S3 bucket, and Lambda function in the account — including infrastructure from other projects, CDK/CloudFormation-managed resources, and other teams’ work.
To limit Stackpane to only your project’s resources, replace "Resource": "*" with specific ARNs. Replace 123456789012 with your AWS account ID and us-east-1 with your region.
DynamoDB — restrict to tables with a common prefix:
```json
{
  "Sid": "StackpaneDynamoDB",
  "Effect": "Allow",
  "Action": [ "dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:Scan", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ],
  "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/myapp-*"
}
```
S3 — restrict to a specific bucket:
```json
{
  "Sid": "StackpaneS3",
  "Effect": "Allow",
  "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ],
  "Resource": [
    "arn:aws:s3:::myapp-uploads",
    "arn:aws:s3:::myapp-uploads/*"
  ]
}
```
Note: s3:ListAllMyBuckets only works with "Resource": "*". If you scope S3 to specific buckets, Stackpane won’t auto-discover buckets — you’ll see only the ones the policy allows.
Cognito — restrict to a specific user pool:
```json
{
  "Sid": "StackpaneCognito",
  "Effect": "Allow",
  "Action": [ "cognito-idp:ListUsers", "cognito-idp:AdminGetUser", "cognito-idp:AdminCreateUser", "cognito-idp:AdminUpdateUserAttributes", "cognito-idp:AdminDeleteUser", "cognito-idp:AdminDisableUser", "cognito-idp:AdminEnableUser", "cognito-idp:AdminResetUserPassword", "cognito-idp:AdminUserGlobalSignOut" ],
  "Resource": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_aBcDeFgHi"
}
```
Lambda — restrict to functions with a common prefix:
```json
{
  "Sid": "StackpaneLambda",
  "Effect": "Allow",
  "Action": [ "lambda:ListFunctions", "lambda:GetFunction", "lambda:InvokeFunction" ],
  "Resource": "arn:aws:lambda:us-east-1:123456789012:function:myapp-*"
}
```
Note: lambda:ListFunctions returns all functions regardless of the resource ARN. The ARN restriction only controls which functions can be read and invoked.
CloudWatch Logs — restrict to specific log groups:
```json
{
  "Sid": "StackpaneCloudWatchLogs",
  "Effect": "Allow",
  "Action": [ "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents" ],
  "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/myapp-*"
}
```
You can find your account ID in the top-right corner of the AWS Console. Mix and match — scope down the services where you have many resources and leave "*" for services where it doesn’t matter.
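To review a mixed policy before attaching it, the following added example (not part of Stackpane or the AWS tooling) lists the statements still granted on every resource and checks whether a given ARN is covered by the scoped ones. The function names, the trimmed action lists and the sample ARNs are assumptions made for illustration, and the evaluation is a simplified Allow-only model rather than full IAM policy evaluation.

```python
import json
import re

# Constructed sample: the page's scoped DynamoDB and S3 statements (actions
# trimmed) plus a Lambda statement left at "*". 123456789012 is the page's
# placeholder account ID.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "StackpaneDynamoDB", "Effect": "Allow",
     "Action": ["dynamodb:Scan", "dynamodb:DeleteTable"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/myapp-*"},
    {"Sid": "StackpaneS3", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::myapp-uploads", "arn:aws:s3:::myapp-uploads/*"]},
    {"Sid": "StackpaneLambda", "Effect": "Allow",
     "Action": ["lambda:InvokeFunction"], "Resource": "*"}
  ]
}
""")


def as_list(value):
    """IAM accepts a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def unscoped_sids(policy):
    """Sids of Allow statements that still grant on every resource."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in as_list(s["Resource"])]


def is_allowed(policy, action, resource):
    """Simplified Allow-only check: no Deny, NotAction or Condition."""
    return any(
        s["Effect"] == "Allow"
        and any(wildcard_match(a, action, True) for a in as_list(s["Action"]))
        and any(wildcard_match(r, resource) for r in as_list(s["Resource"]))
        for s in policy["Statement"])
```

Run `unscoped_sids` on the policy you are about to attach to see which services remain account-wide, and use `is_allowed` to confirm that a table or bucket from another project falls outside the scoped ARNs.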
2. Create the IAM User
With the policy created, create a user and attach it:
- Navigate to Users in the IAM Console and click Create user.
- Enter a username (e.g., stackpane-dev).
- Do not enable console access — Stackpane only needs programmatic access.
- Click Next.
- Select Attach policies directly.
- Search for the policy you created (e.g., StackpaneAccess) and check the box next to it.
- Click Next, then Create user.
3. Create Access Keys
After creating the user, generate access keys for Stackpane:
- Click the newly created user to open their details.
- Navigate to the Security credentials tab.
- Under Access keys, click Create access key.
- Select Third-party service as the use case.
- Acknowledge the recommendation and click Next.
- Click Download .csv file to save your credentials, or copy the Access Key ID and Secret Access Key manually — the secret is only shown once.
Store these credentials securely. Stackpane saves them in the macOS Keychain.
Connecting in Stackpane
- Click the + button in the sidebar or choose New Connection.
- Select AWS as the provider.
- Enter a connection name (e.g., “My App - Production”).
- Click Import from CSV to load the .csv file you downloaded, or enter your Access Key ID and Secret Access Key manually.
- Select your AWS Region from the dropdown (e.g., us-east-1).
- Optionally enter your Cognito User Pool ID (e.g., us-east-1_aBcDeFgHi) to enable user management. See Cognito Users for details.
- Click Save.
Stackpane validates the credentials on save and shows a connection status indicator in the sidebar. If you skip the Cognito User Pool ID, the Authentication tab will show a configuration warning — you can add it later by editing the connection.
Region Selection
Choose the region where your AWS resources are deployed. All API calls from Stackpane are directed to the selected region.
Common regions include:
| Region | Location |
|---|---|
| us-east-1 | N. Virginia |
| us-west-2 | Oregon |
| eu-west-1 | Ireland |
| eu-central-1 | Frankfurt |
| ap-southeast-1 | Singapore |
| ap-northeast-1 | Tokyo |
If your DynamoDB tables, Cognito user pools, and S3 buckets are in different regions, create separate connections for each region.
Cost Considerations
Stackpane interacts with AWS services using standard API calls, which count toward your AWS bill.
DynamoDB
- On-demand mode: You pay per read and write request. Scanning large tables consumes read capacity units proportional to the data scanned.
- Provisioned mode: Scans and queries consume your provisioned read capacity. Large scans can temporarily exhaust your throughput.
- Tip: Use Query instead of Scan when possible to reduce costs and improve performance.
S3
- Storage: Charges apply based on storage class and volume.
- Requests: Each ListObjects, GetObject, PutObject, and DeleteObject call incurs a small request charge.
- Data transfer: Downloading objects counts toward data transfer costs.
Cognito
- Cognito User Pools pricing is based on monthly active users. Admin API calls from Stackpane do not add to your MAU count unless they trigger user sign-in activity.
Lambda
- Invocations: Each function invocation from Stackpane counts toward your monthly invocation quota (1M free per month on the free tier).
- Duration: Execution time is billed per 1ms. Test invocations from Stackpane contribute to your duration costs.
CloudWatch Logs
- GetLogEvents / FilterLogEvents: Each API call incurs a small charge. Browsing and filtering logs in Stackpane generates these calls.
- Data scanned: FilterLogEvents charges are based on the amount of log data scanned.
LocalStack for Local Development
To develop and test without incurring AWS costs, use LocalStack. See the LocalStack guide for setup instructions.
When creating a connection, enter a custom endpoint URL (e.g., http://localhost:4566) to route all API calls to LocalStack instead of AWS.
Troubleshooting
InvalidSignatureException
The request signature does not match. Common causes:
- Incorrect Secret Access Key
- System clock is out of sync — AWS SigV4 signing requires accurate timestamps
- Region mismatch between the connection and the target resource
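Each of these causes corresponds to one input of SigV4 signing: the secret seeds the signing key, and the request date and region are part of both the key derivation and the credential scope. The following added example (a simplified model, not Stackpane's or AWS's code) signs a request and runs a service-side check; the secret, the fixed time, the stand-in request hash, the `check` and `diagnose` helpers and the five-minute tolerance are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed tolerance, for illustration only


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign(secret, when, region, service, request_hash):
    """SigV4: derive the date/region/service-scoped key, sign string-to-sign."""
    date = when.strftime("%Y%m%d")
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", when.strftime("%Y%m%dT%H%M%SZ"),
        f"{date}/{region}/{service}/aws4_request", request_hash])
    return _hmac(key, string_to_sign).hex()


def check(sig, sent_at, scope_region, stored_secret, endpoint_region,
          server_now, service, request_hash):
    """Model of the service-side check; returns the first failure, or 'ok'."""
    if abs(server_now - sent_at) > MAX_SKEW:
        return "clock skew"
    if scope_region != endpoint_region:
        return "region mismatch"
    expected = sign(stored_secret, sent_at, endpoint_region, service, request_hash)
    return "ok" if hmac.compare_digest(sig, expected) else "wrong secret"


# Constructed inputs: fake secret, fixed time, stand-in canonical request hash.
SECRET = "EXAMPLE-SECRET-NOT-A-REAL-KEY"
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
REQ = hashlib.sha256(b"").hexdigest()


def diagnose(secret=SECRET, client_clock=NOW, region="us-east-1"):
    """Sign as the client would, then check against a us-east-1 endpoint."""
    sig = sign(secret, client_clock, region, "dynamodb", REQ)
    return check(sig, client_clock, region, SECRET, "us-east-1", NOW, "dynamodb", REQ)
```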
AccessDeniedException
The IAM user lacks the required permissions. Verify that the policy attached to the user includes the actions listed above. Use the IAM Policy Simulator in the AWS Console to test specific actions.
ResourceNotFoundException
The requested resource (table, user pool, or bucket) does not exist in the selected region. Verify the region in your connection settings matches where the resource was created.
UnrecognizedClientException
The Access Key ID is not valid. Verify the key was copied correctly and has not been deactivated or deleted in the IAM Console.