AWS Lens — Cost and Resource Viewer
AWS Lens is a self-hosted AWS cost and resource exploration tool deployed internally. It supports multiple named AWS profiles and provides a web UI for browsing costs, resources, and service usage.
| Setting | Value |
|---|---|
| Namespace | aws-lens |
| Image | harbor.k3s.internal.strommen.systems/production/aws-lens |
| Port | 3000 (container) → 80 (service) |
| Health check | GET /api/health |
| CPU | request 100m / limit 500m |
| Memory | request 256Mi / limit 512Mi |
| Image pull | imagePullPolicy: Always (latest Harbor build) |
| Metrics | No ServiceMonitor; /api/health is a health check, not a Prometheus endpoint |

Because the image is pulled by a mutable tag with imagePullPolicy: Always, a pod restart runs whatever Harbor currently holds under that tag. Pin the Deployment to a digest (image@sha256:...) if a rollout has to be reproducible.
Credentials are stored in the aws-lens-credentials Secret (namespace aws-lens). Do not commit them to Git.
Default profile (billing user aws-lens-billing):

```sh
kubectl -n aws-lens create secret generic aws-lens-credentials \
  --from-literal=AWS_ACCESS_KEY_ID=<key-id> \
  --from-literal=AWS_SECRET_ACCESS_KEY=<secret-access-key> \
  --from-literal=AWS_DEFAULT_REGION=us-east-1
```

The access keys are Terraform outputs of terraform/environments/aws: run `terraform output aws_lens_billing_secret_access_key` after provisioning (add `-raw` to get the unquoted value for piping). Note that values passed with --from-literal end up in shell history; an alternative is --from-env-file pointing at a file that is deleted afterwards.
Named profiles (full read-only user aws-lens-readonly) are added to the same Secret as additional keys; each holds a JSON document with accessKeyId, secretAccessKey and region. A merge patch on stringData adds or replaces one key without touching the others. The example below adds a PROD profile:

```sh
kubectl -n aws-lens patch secret aws-lens-credentials \
  --type=merge -p '{"stringData":{"AWS_LENS_PROFILE_PROD":"{\"accessKeyId\":\"AKIA...\",\"secretAccessKey\":\"...\",\"region\":\"us-east-1\"}"}}'
```

The inner JSON is a string value of the outer document, so its quotes are backslash-escaped. If the Secret is consumed as environment variables, running pods only see the new profile after the Deployment is restarted.
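The patch above nests JSON inside JSON, which is easy to mis-escape by hand. The following added example (not part of this page or of the AWS Lens project) builds the same stringData merge patch with json.dumps, rejects key IDs that are not long-term IAM user keys, and hands the result to kubectl. The field names (accessKeyId, secretAccessKey, region) and the AWS_LENS_PROFILE_PROD key come from the page's example; the script name, the AWS_LENS_SECRET environment variable and the assumption that one AWS_LENS_PROFILE_<NAME> key holds one profile are mine.

```python
"""add_profile.py: build and apply the stringData merge patch for a named AWS Lens profile.

Added example, not the project's own tooling. Field names follow the page's
kubectl patch; the CLI shape and env-var name are assumptions.
"""
import getpass
import json
import os
import re
import subprocess
import sys

# Long-term IAM user keys start with AKIA; ASIA marks temporary STS credentials,
# which would expire inside the Secret, so they are rejected here.
KEY_ID_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")
PROFILE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def is_long_term_key_id(key_id):
    return KEY_ID_RE.fullmatch(key_id) is not None


def profile_value(access_key_id, secret_access_key, region="us-east-1"):
    """The JSON document stored under one AWS_LENS_PROFILE_* key."""
    if not is_long_term_key_id(access_key_id):
        raise ValueError("access key ID must be AKIA followed by 16 uppercase alphanumerics")
    if not secret_access_key.strip():
        raise ValueError("secret access key is empty")
    return json.dumps(
        {"accessKeyId": access_key_id, "secretAccessKey": secret_access_key, "region": region},
        separators=(",", ":"),
    )


def merge_patch(profile_name, access_key_id, secret_access_key, region="us-east-1"):
    """Outer patch document. The inner JSON is a *string* value, hence the double encoding."""
    if not PROFILE_NAME_RE.fullmatch(profile_name):
        raise ValueError("profile name must be alphanumeric/underscore")
    key = f"AWS_LENS_PROFILE_{profile_name.upper()}"
    return json.dumps({"stringData": {key: profile_value(access_key_id, secret_access_key, region)}})


def decode_patch(patch):
    """Inverse of merge_patch: (secret key, decoded profile). Lets you inspect what will land in the Secret."""
    string_data = json.loads(patch)["stringData"]
    (key, raw), = string_data.items()
    return key, json.loads(raw)


def kubectl_args(patch, namespace="aws-lens", secret="aws-lens-credentials"):
    return ["kubectl", "-n", namespace, "patch", "secret", secret, "--type=merge", "-p", patch]


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: add_profile.py <profile-name> <access-key-id>  (secret via AWS_LENS_SECRET or prompt)")
    name, key_id = argv[1], argv[2]
    # The secret comes from the environment or a prompt, never from argv (argv is visible in `ps`).
    secret = os.environ.get("AWS_LENS_SECRET") or getpass.getpass("secret access key: ")
    patch = merge_patch(name, key_id, secret)
    key, _ = decode_patch(patch)
    subprocess.run(kubectl_args(patch), check=True)  # assumes the current kubectl context is the k3s cluster
    print(f"patched {key} in aws-lens/aws-lens-credentials")


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `AWS_LENS_SECRET=... python3 add_profile.py prod AKIA...`. The key-ID check is deliberately strict: an ASIA key pasted from an SSO session would work for an hour and then break every named-profile view.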
Two IAM users are provisioned via terraform/environments/aws/aws-lens-billing.tf:

aws-lens-billing (default profile): scoped to billing and cost data only. No resource access.
| Permission | Actions |
|---|---|
| Cost Explorer | ce:GetCostAndUsage, ce:GetCostForecast, ce:GetUsageForecast, ce:GetDimensionValues, ce:GetTags, ce:ListCostAllocationTags, ce:DescribeCostCategoryDefinition, ce:ListCostCategoryDefinitions |
| Billing Portal | aws-portal:ViewBilling, aws-portal:ViewUsage |
| Budgets | budgets:ViewBudget, budgets:DescribeBudgetActionsForAccount |
| Identity | sts:GetCallerIdentity |

The aws-portal:* actions are the legacy console billing permissions. Accounts created after AWS's 2023 move to fine-grained billing permissions no longer honour them and need the replacement actions (billing:*, account:* and related prefixes) instead; if billing pages fail for this user, check the effective permissions with the IAM policy simulator rather than assuming the policy applies.
aws-lens-readonly (named profiles): full read-only access across all AWS services. Used for resource browsing, drift detection, and Terraform state inspection.
| Service Area | Permissions |
|---|---|
| ACM / CloudFormation / CloudTrail | Describe*, List*, Get* |
| CloudWatch / Logs | Get*, List*, FilterLogEvents |
| Cost Explorer | Get*, List*, Describe* |
| EC2 / ECS / EKS / ELB | Describe* |
| ECR | Describe*, Get*, List*, BatchGetImage |
| IAM | Generate*, Get*, List*, Simulate* |
| KMS / Secrets Manager | Describe*, Get*, List* |
| Lambda / RDS / SNS / SQS / SSM | Get*, List*, Describe* |
| Route53 / S3 | Get*, List* |
| WAFv2 / SSO | Describe*, Get*, List* |
| STS | GetCallerIdentity, DecodeAuthorizationMessage |
Access includes the Terraform state bucket (k3s-homelab-tfstate-855878721457) for drift detection. Treat this user as more than "read-only": s3:Get* reads the state file, and aws_iam_access_key resources store their secret in state, so the readonly user can recover the billing user's key and its own; secretsmanager:Get* covers GetSecretValue and ssm:Get* covers GetParameter, so secret values and SecureString parameters are readable too. If those are not needed for resource browsing, replace the Get* wildcards for Secrets Manager and SSM with the specific metadata actions.
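To see concretely what the readonly table grants, here is an added example (not the project's Terraform) that reconstructs the Allow list from the table, applies IAM's case-insensitive wildcard matching, and checks it against a set of "read" actions that hand out secret material or artefacts, and against a few write actions as a sanity check. The assumption is that every verb in a table row applies to every service on that row (FilterLogEvents only exists for logs); `tighten` shows one way to keep Secrets Manager and SSM metadata while dropping the value-returning wildcards.

```python
"""Audit what the aws-lens-readonly policy actually permits.

Added example. READONLY_ALLOW is reconstructed from this page's permission
table (assumption: each row's verbs apply to each of its services); it is not
the policy document from aws-lens-billing.tf.
"""
import re


def expand(services, verbs):
    return [f"{s}:{v}" for s in services for v in verbs]


READONLY_ALLOW = (
    expand(["acm", "cloudformation", "cloudtrail"], ["Describe*", "List*", "Get*"])
    + expand(["cloudwatch", "logs"], ["Get*", "List*"]) + ["logs:FilterLogEvents"]
    + expand(["ce"], ["Get*", "List*", "Describe*"])
    + expand(["ec2", "ecs", "eks", "elasticloadbalancing"], ["Describe*"])
    + expand(["ecr"], ["Describe*", "Get*", "List*", "BatchGetImage"])
    + expand(["iam"], ["Generate*", "Get*", "List*", "Simulate*"])
    + expand(["kms", "secretsmanager"], ["Describe*", "Get*", "List*"])
    + expand(["lambda", "rds", "sns", "sqs", "ssm"], ["Get*", "List*", "Describe*"])
    + expand(["route53", "s3"], ["Get*", "List*"])
    + expand(["wafv2", "sso"], ["Describe*", "Get*", "List*"])
    + ["sts:GetCallerIdentity", "sts:DecodeAuthorizationMessage"]
)

# "Read" actions that return secret material or let the caller pull artefacts.
SENSITIVE_READS = {
    "secretsmanager:GetSecretValue": "returns the secret value (no extra kms:Decrypt needed with the AWS-managed key)",
    "ssm:GetParameter": "returns parameters; SecureString values decrypt where the key policy allows",
    "ssm:GetParametersByPath": "bulk form of the above",
    "s3:GetObject": "reads any object, including terraform.tfstate and the access keys stored in it",
    "ecr:GetAuthorizationToken": "registry login token",
    "ecr:BatchGetImage": "pulls image layers",
    "lambda:GetFunction": "presigned URL to the deployment package",
}
WRITE_PROBES = ["s3:PutObject", "iam:CreateAccessKey", "ec2:RunInstances",
                "secretsmanager:PutSecretValue", "ssm:PutParameter", "kms:Decrypt"]


def _to_regex(pattern):
    # IAM action matching: '*' matches any run of characters, '?' one, case-insensitive.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def allowed(policy, action):
    return any(_to_regex(p).match(action) for p in policy)


def audit(policy):
    """Return (sensitive read actions the policy grants, write probes it grants)."""
    sensitive = [a for a in SENSITIVE_READS if allowed(policy, a)]
    writes = [a for a in WRITE_PROBES if allowed(policy, a)]
    return sensitive, writes


def tighten(policy):
    """Drop the value-returning wildcards; Describe*/List* keep the metadata views.
    Assumed hardening, not what the project ships."""
    keep = [p for p in policy if p not in ("secretsmanager:Get*", "ssm:Get*")]
    return keep + ["secretsmanager:GetResourcePolicy"]


if __name__ == "__main__":
    for label, policy in (("as documented", READONLY_ALLOW), ("tightened", tighten(READONLY_ALLOW))):
        sensitive, writes = audit(policy)
        print(f"{label}: {len(writes)} write actions granted")
        for action in sensitive:
            print(f"  {action}: {SENSITIVE_READS[action]}")
```

Note that `s3:GetObject` survives `tighten` on purpose, because state inspection is a stated use of this user; the point is that reading the state bucket is itself a credential-exposure path and should be weighed as such.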
Files:

kubernetes/apps/aws-lens/aws-lens.yaml -- Namespace, Deployment, Service, IngressRoute
terraform/environments/aws/aws-lens-billing.tf -- both IAM users, policies, and access key outputs