Getting started with IRIS

Connecting your first AWS account takes about 10 minutes. Here's the whole flow, end to end.

What you'll need

Admin (or IAM-write) access to the AWS account you want to connect, and a browser tab open in the AWS Console alongside this guide.

The 30-second overview

IRIS connects to AWS using a cross-account IAM role in your account that trusts our scanner. We never ask for your AWS access keys. The role we assume is read-only — IRIS cannot create, modify, or delete anything in your infrastructure.

The setup is four steps: sign up, create the role, paste the role ARN into IRIS, wait for the first scan.

1. Create your IRIS account

  1. Head to irislabs.co.uk/login and sign up with your work email.
  2. Verify your email and complete the onboarding to land on your dashboard.

2. Open the connection wizard

  1. From the sidebar, go to Settings → Account Connections.
  2. Click Add account. The wizard will display two values you need:
     • Principal ARN — the IRIS scanner ARN that should be allowed to assume your role.
     • External ID — a one-time secret that scopes the role assumption to your IRIS organisation.

Copy these exactly

Both values are case-sensitive. Use the copy buttons in the wizard rather than typing them by hand — a typo here is the #1 cause of ASSUME_ROLE_FAILED.

3. Create the IAM role in AWS

In a new tab, open the AWS Console for the account you want to connect.

  1. Go to IAM → Roles → Create role.
  2. Choose Custom trust policy and paste the trust policy from the IRIS wizard. It will reference the Principal ARN and External ID from step 2.
  3. On the permissions step, paste in the IrisReadOnlyPolicy JSON from the wizard. This grants Get*, Describe*, and List* across the services IRIS scans — nothing else.
  4. Name the role IrisScannerRole. Click Create role.
  5. Open the new role and copy its Role ARN from the summary at the top.
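
A pre-flight check for the two policies in step 3, added here as an example (it is not IRIS code and not the policy text the wizard supplies). It assumes the trust policy uses the standard AWS form with an sts:ExternalId condition; the ARN, External ID, both sample policies and the function names are constructed for illustration.

```python
READ_PREFIXES = ("get", "describe", "list")  # IAM action names are case-insensitive

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, principal_arn, external_id):
    """Return problems found in a cross-account role trust policy."""
    problems = []
    allows = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        problems.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if aws != [principal_arn]:
            problems.append(f"principal {aws} is not exactly the expected ARN")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            problems.append("action is not exactly sts:AssumeRole")
        # Condition key names are case-insensitive; StringEquals values are not.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if equals.get("sts:externalid") != external_id:
            problems.append("sts:ExternalId condition missing or different")
    return problems

def non_read_actions(policy):
    """Return allowed actions that are not Get*, Describe* or List*."""
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            flagged.append("NotAction")
        for action in _as_list(stmt.get("Action", [])):
            if not action.partition(":")[2].lower().startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged

# Constructed sample values; substitute the ones your own wizard displays.
PRINCIPAL = "arn:aws:iam::111122223333:role/example-scanner"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:List*", "s3:GetBucketPolicy", "s3:PutObject"]}]}

if __name__ == "__main__":
    print(check_trust_policy(TRUST, PRINCIPAL, EXTERNAL_ID))
    print(non_read_actions(PERMS))
```

An empty list from both functions means the trust policy is scoped to the one expected principal with the External ID condition, and the permissions policy allows only read-style actions.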

4. Paste the Role ARN into IRIS

  1. Back in the IRIS wizard, paste the Role ARN into the field provided.
  2. Pick the regions you want to scan (defaults are usually fine).
  3. Click Verify & connect. IRIS attempts the role assumption immediately. If it works, you're done.

What if verification fails?

Each error has a clear remediation. See Troubleshooting for the full list — most issues are a missing External ID or a Principal ARN typo.

Wait for the first scan

Once connected, IRIS kicks off an initial scan across your selected regions. The dashboard populates incrementally as services finish scanning. A full first scan typically takes 1–3 minutes; Cost Explorer data can take up to 24 hours to surface for brand-new AWS accounts.

Optional: connect AI providers

If you also use OpenAI or Anthropic, you can pull their usage and cost data into the same dashboard:

  1. Go to Settings → AI Providers.
  2. Connect an OpenAI admin key (with usage.read and billing.read scopes) and/or an Anthropic admin key.
  3. Head to the AI Spend page to see your spend broken down by model, project, user, and API key.

Set a budget while you're here

Even one budget at the org level is a huge win. Pick a monthly threshold ~10% above your typical spend and add your email — IRIS will alert you the moment you trend toward going over. See Budgets & alerts.

What to do next