DevBar

AWS Budget Monitoring

DevBar monitors AWS cost budgets across one or more accounts using the AWS Budgets API and STS for identity.

Single Account Setup

Open Settings → AWS → Accounts → Add Account and fill in the following fields:

Name

A friendly label for this account (e.g. Production).

Access Key ID

The AWS access key ID for your IAM user.

Secret Access Key

The corresponding secret access key.

Region

The AWS region where your budgets are managed (e.g. us-east-1).

The IAM user needs these permissions:

  • budgets:ViewBudget
  • sts:GetCallerIdentity

Tip: Create a dedicated read-only IAM user named devbar with only these two permissions. This limits blast radius if the key is ever exposed.

Multi-Account Setup

Add multiple accounts following the same steps above — each account appears independently in the AWS tab inside DevBar. You can enable or disable individual accounts at any time from the account list in Settings.

Budget data for each account is fetched separately, so a misconfigured account does not affect the others.

STS AssumeRole

If you have credentials in one account and want to monitor other accounts without creating IAM users in each, use IAM role assumption. In the account edit sheet, fill in the Assume Role ARN field:

arn:aws:iam::TARGET_ACCOUNT_ID:role/DevBarRole

Optionally set an External ID — required when the target account admin has added a trust condition for one.

The role in the target account needs:

  • budgets:ViewBudget
  • sts:GetCallerIdentity

The trust policy on that role must allow your source account to assume it:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:user/devbar"
    },
    "Action": "sts:AssumeRole"
  }]
}

Replace SOURCE_ACCOUNT_ID with your source AWS account ID and adjust the principal to match your IAM user or role ARN.
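
An added example, not DevBar's own code: a hypothetical audit_trust_policy helper in Python that checks a role trust policy like the one above against the source identity and the optional External ID entered in the account edit sheet. The account ID 111111111111 and the External ID value are constructed placeholders; the sample policy adds an sts:ExternalId condition, which is how a target account admin requires one.

```python
import json

# Constructed sample: the trust policy above with an sts:ExternalId condition
# added. The account ID and External ID are placeholders.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:user/devbar"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, source_arn, external_id=None):
    """Hypothetical helper: return findings; an empty list means a match."""
    account = source_arn.split(":")[4]
    account_wide = {account, f"arn:aws:iam::{account}:root"}
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for stmt in allows:
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append("wildcard principal: any AWS identity is trusted")
            elif arn in account_wide:
                findings.append("whole source account trusted, not only the DevBar identity")
            elif arn != source_arn:
                findings.append(f"unexpected principal: {arn}")
        if not ({source_arn, "*"} | account_wide) & set(arns):
            findings.append("source identity not trusted: expect AccessDenied on AssumeRole")
        # Only the exact-match StringEquals form of the condition is inspected.
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required and required != external_id:
            findings.append("External ID required by the trust policy is not the configured one")
        elif external_id and not required:
            findings.append("configured External ID is not enforced by the trust policy")
    return findings
```

Feed it the trust policy JSON exported from the target role, the source user or role ARN, and the External ID configured for the account, if any.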

AWS Organizations Auto-Discovery

If your root or management account has the organizations:ListAccounts permission, use Auto-discover Org Accounts in the account edit sheet. DevBar lists all member accounts — select which ones to add. Each discovered account is pre-filled with its role ARN.

No Organizations access? That's fine. Add accounts manually using their role ARNs — provided by your platform or infra team. You do not need root account access to use AssumeRole.

Import from ~/.aws/config

Coming soon: DevBar will support importing named profiles with role_arn from ~/.aws/config automatically.

Troubleshooting

AccessDenied on AssumeRole

Check the trust policy on the target role — the Principal must include your source account (or user/role ARN).

InvalidClientTokenId

The access key ID or secret is wrong, or the key has been rotated. Re-enter the credentials in Settings → AWS → Accounts.

ExpiredTokenException

Temporary credentials expired. DevBar refreshes automatically every hour, but verify your system clock is synced (NTP).

Budget data not showing

Ensure the account has at least one budget created in the AWS Console — the Budgets API returns nothing if no budgets exist.