AWS — Setup

In this guide you will:

  1. Open the PhoenixVPS CloudFormation launch stack from the app.
  2. Review the scoped IAM user the stack will create.
  3. Acknowledge the IAM capability and create the stack.
  4. End with a single Base64 credential that you hand to the app in AWS — Key handoff.

This guide creates only the scoped credential — PhoenixVPS never asks for your AWS root or admin keys, and the credential it creates has programmatic access only (no console login).


Before you start, make sure you have:

  • An AWS account, and you are signed in to the AWS console in your browser.
  • The PhoenixVPS app installed on your device.

Step 1 — Open the launch stack from PhoenixVPS

In PhoenixVPS, open the Amazon Web Services panel. Choose your AWS Region from the dropdown at the top, then click Connect AWS Account. The app opens your browser at the AWS CloudFormation Quick create stack screen, with the template and stack name already filled in for you.

What you see: A page titled Quick create stack with a Template panel near the top. If your browser opens to the AWS sign-in page instead, sign in first — AWS returns you to this screen afterwards.


Step 2 — Confirm you are on the right stack

Check that the Quick create stack page shows these values before continuing:

  • Stack description: “PhoenixVps scoped access. Creates a least-privilege IAM user for VPN provisioning. No root credentials are required or used.”
  • Stack name: PhoenixVps-Access (already filled in — leave it unchanged).
  • Parameters: “There are no parameters defined in your template” — there is nothing for you to fill in here.

What you see: The description and the pre-filled stack name confirm this is the PhoenixVPS template. You do not need to touch Tags, Permissions, or any of the optional sections.


This stack creates one IAM user named phoenixvps-provisioner. It is deliberately limited:

The credential can:

  • Create and delete the EC2 instance, security group, and key pair that PhoenixVPS tags with ManagedBy=PhoenixVps
  • Manage only those tagged resources (start, stop, terminate)
  • Be used programmatically only

The credential cannot:

  • Touch any resource it did not create (untagged or tagged otherwise)
  • Read your billing data, list other services, or create further IAM users
  • Log in to the AWS console

To revoke everything later, you delete this stack — see AWS — Key handoff.
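
One way to check a policy document against the limits listed above before trusting it, as an added example that is not PhoenixVPS's own code or template. The two sample policies are constructed, and the action lists and the `aws:ResourceTag/ManagedBy` condition key are assumptions about how such a tag-scoped policy would be written.

```python
# Added example: offline audit of an IAM policy document against the limits
# listed on this page. SCOPED and LOOSE are constructed samples, not the
# real PhoenixVPS template; the action lists are assumptions.
TAG_KEY, TAG_VALUE = "aws:ResourceTag/ManagedBy", "PhoenixVps"
# Actions on existing resources; each must be limited to tagged resources.
MUTATING = {"ec2:startinstances", "ec2:stopinstances", "ec2:terminateinstances",
            "ec2:deletesecuritygroup", "ec2:deletekeypair"}
# Services the page says the credential cannot reach (IAM and billing).
FORBIDDEN = ("iam:", "billing:", "aws-portal:")

def as_list(value):
    """IAM JSON accepts a single item wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def tag_scoped(stmt):
    """True only if StringEquals pins ManagedBy to exactly PhoenixVps."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return as_list(cond.get(TAG_KEY, [])) == [TAG_VALUE]

def audit(policy):
    """Return findings; an empty list means the policy fits the page's limits."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction")
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()  # IAM action names are case-insensitive
            if name == "*" or name.endswith(":*") or name.startswith(FORBIDDEN):
                findings.append(f"statement {i}: {action} is broader than described")
            elif (name in MUTATING or "*" in name) and not tag_scoped(stmt):
                findings.append(f"statement {i}: {action} is not tag-scoped")
    return findings

SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:RunInstances", "ec2:CreateSecurityGroup", "ec2:CreateKeyPair"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup", "ec2:DeleteKeyPair"],
     "Condition": {"StringEquals": {TAG_KEY: TAG_VALUE}}}]}
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:TerminateInstances"},
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:CreateUser", "ec2:*"]}]}

if __name__ == "__main__":
    for label, doc in (("SCOPED", SCOPED), ("LOOSE", LOOSE)):
        print(label, audit(doc) or "no findings")
```

The tag check is deliberately strict: a condition that allows any value besides PhoenixVps, or that uses a different operator, is reported rather than accepted.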


Scroll to the Capabilities panel at the bottom. It states that the template creates IAM resources (AWS::IAM::AccessKey and AWS::IAM::User).

Tick the checkbox labelled “I acknowledge that AWS CloudFormation might create IAM resources with customised names.”

What you see: The checkbox becomes ticked. The Create stack button to its right is now enabled.


Step 5 — Create the stack and wait for the three resources

Click the Create stack button in the bottom-right corner.

What you see: The page switches to the stack page for PhoenixVps-Access. Near the top is a row of tabs. From left to right they read:

Stack info  ·  Events  ·  Resources  ·  Outputs  ·  Parameters  ·  Template  ·  Changesets  ·  Git sync

You start on the Events tab, which shows the deployment progress. Stay on this tab and wait while AWS creates the three things the template defines:

  • AppUser — the phoenixvps-provisioner user
  • AppPolicy — its scoped permissions
  • AppAccessKey — the access key the app will use

Each one moves from In progress to Complete (shown in green). This usually takes under a minute. When all three read Complete, the credential is ready — move on to the key handoff.


Go to AWS — Key handoff to copy the credential from the stack’s Outputs tab and paste it into PhoenixVPS.