Appearance

AWS Setup for First-Time Technical Founders

You don't have AWS configured locally yet. This page gets you from "I have an AWS account" to "Escher is connected" using the path Escher's onboarding wizard actually walks you through.

If you've already done aws configure (either via SSO or with access keys) and have a working profile, skip ahead to the Quickstart — the in-app wizard will pick up your existing profile.

Two paths, and which one to pick

Your situationPathWhy
You have an AWS Organization with IAM Identity Center (formerly AWS SSO)SSO (default)No long-lived keys, session lifetime governed by your security policy, credentials rotate automatically
You're solo on a single AWS account and don't use SSO yetAccess keysSimplest setup; reasonable for a single-developer account
You're growing past one engineer and have multiple AWS accountsSet up IAM Identity Center, then SSOOne-time setup; pays back forever

The Escher wizard supports both. Pick the path that matches your situation.

If you don't have IAM Identity Center set up yet but have multiple AWS accounts (or plan to), enable it first. One-time setup:

  1. In the AWS Console (signed in as the management account root or admin), search for IAM Identity CenterEnable.
  2. Pick the AWS Region for the Identity Center instance (typically the same as your primary workload region).
  3. Add yourself as a user (Identity Center will email you to set a password and TOTP).
  4. Create a permission set for Escher — start with ReadOnlyAccess (an AWS-managed policy).
  5. Assign yourself the permission set on each AWS account you want Escher to see.
  6. Copy your Start URL from the Identity Center dashboard — looks like https://<your-org>.awsapps.com/start/.

Then go to Escher's onboarding wizard, Step 6 (Connect AWS) and run:

bash
# 1. Wizard prompts for SSO Start URL, region, profile name.
#    Use the Start URL from step 6 above. Pick any profile name (e.g. "escher").
aws configure sso

# 2. Opens a browser. Authenticate against Identity Center.
aws sso login --profile escher

# 3. Verifies the session is active.
aws sts get-caller-identity --profile escher

Click Re-check in the Escher wizard. Continue to Azure unlocks.

Path B — Access keys (simplest, single-account)

If you have exactly one AWS account, no SSO, and aren't going to add more accounts soon, the access-keys path is fine. The Escher wizard supports it via the Change method link on the Connect AWS step.

Create a dedicated IAM user for Escher — keep it separate from your own admin user.

1. Create a read-only IAM user

In the AWS Console:

  1. IAM → Users → Create user
  2. Name: escher-readonly (or anything you prefer)
  3. Leave "Provide user access to the AWS Management Console" unchecked — this is a programmatic user only
  4. Attach policies directly → search for ReadOnlyAccess → tick → NextCreate user

2. Generate an access key

  1. Click into the new escher-readonly user
  2. Security credentials tab → Access keysCreate access key
  3. Pick Command Line Interface (CLI) → tick the confirmation → Next
  4. (Optional) tag it escher-laptop
  5. Create access key

WARNING

This is the only time you'll see the secret access key. Copy both values to a password manager before clicking Done. If you lose the secret, delete the key and generate a new one.

3. Configure the CLI

In the Escher wizard click >_ Open Terminal, then run:

bash
aws configure --profile escher

Paste the four values when prompted:

AWS Access Key ID:        AKIA...
AWS Secret Access Key:    ...
Default region name:      us-east-1     # or your primary region
Default output format:    json

Verify:

bash
aws sts get-caller-identity --profile escher
# Should print your account number and the escher-readonly Arn.

4. Re-check in Escher

Back in the wizard, click Re-check. The check passes, Continue to Azure unlocks.

After it works

The Escher wizard moves you to the Connect Azure step (skip it if you don't have Azure) and then drops you into the main app. See the Quickstart for the rest of the onboarding flow.

To manage profiles after onboarding — pause one, add another account, toggle which subscriptions are active — go to Settings → Profiles. See Switching Profiles.

Common pitfalls

SymptomFix
aws configure sso doesn't accept your Start URLURL must end in /start/. Copy it from the IAM Identity Center dashboard.
aws sso login opens browser but returns no tokenYou haven't been assigned a permission set on any account. Go back to Identity Center and assign yourself one.
aws sts get-caller-identity returns InvalidClientTokenId (access-keys path)Wrong key pasted, or the key has been rotated/deleted. Re-run aws configure --profile escher.
Escher's Re-check fails after CLI succeedsConfirm the profile name in the wizard matches what you used in aws configure. Check with aws configure list-profiles.
Cost data missing from scan resultsEnable Cost Explorer in the AWS Billing console once. There's a 24-hour activation lag before its API returns data.

What's next

  • Connect AWS — Full reference including the minimum IAM policy
  • Quickstart — Walk through the rest of onboarding
  • Connect Azure — Same flow for Azure (auto-discovers subscriptions)

Escher — Agentic CloudOps by Tessell

© 2026 Tessell, Inc.