Overview
This guide explains how to connect several AWS accounts to Uniskai at once using a CloudFormation StackSet, instead of adding each account individually. Uniskai generates a short set of commands that you run in AWS to create the connection across all targeted accounts. Use this method when you manage more than one AWS account.
How it works
Uniskai connects to each AWS account through a dedicated access role. A StackSet lets that role be created across many accounts in one operation. The flow has two stages:
Configure the connection in Uniskai (accounts, access level, region) and click Generate setup commands.
Run the generated commands in AWS (via AWS CloudShell). The commands create the StackSet and deploy it to each account, which creates the Uniskai access role in each one. Uniskai then detects each connection and marks the account as connected.
The StackSet uses the self-managed permissions model: the commands create a CloudFormation StackSet administration role in the account you run them from and an execution role in each target account, so CloudFormation can provision resources across accounts.
The objects involved in this setup:
Resource | Name / Type | Purpose |
StackSet administration role | AWSCloudFormationStackSetAdministrationRole | Lets CloudFormation manage the StackSet from the account you run the commands in. |
StackSet execution role | AWSCloudFormationStackSetExecutionRole, one per target account | Lets CloudFormation create resources in each target account. |
CloudFormation StackSet |
| Deploys the Uniskai access role across all targeted accounts. |
Access role | IAM role, one per connected account | The role Uniskai assumes in each account to read cost and inventory data, and to act if read-write. |
Access level determines what Uniskai can do once connected (this maps to the StackSet Mode parameter, rw or ro):
Read/write — "You will be able to actively save money and fix all issues." Full functionality, including optimization actions.
Read-only — "You will get full visibility of your cloud environment and optimization insights." Visibility and recommendations only.
Prerequisites
Before you start:
You have the account IDs of the AWS accounts you want to connect.
You can run AWS CLI commands in an environment (for example, AWS CloudShell) that can assume the
OrganizationAccountAccessRolein each target account — typically the organization's management account.
Note: Although Connect by account IDs does not require connecting a management account inside Uniskai, the generated bootstrap commands assume OrganizationAccountAccessRole in each target account. Run them from an account that has this cross-account access.
Setup steps
Stage 1: Configure the connection in Uniskai
Step 1 — Open the multiple-accounts screen
In Uniskai, open the Account Manager and start connecting multiple AWS accounts at once. The screen header says Connect multiple accounts at once.
Step 2 — Choose the connection method
Step 3 — Enter the account IDs
In the Account IDs field, enter the AWS account IDs to connect, one ID per line (for example,
712346814331).Uniskai validates the entries and shows a count, for example "2 valid account IDs entered."
Step 4 — Select the access level
Step 5 — Select the region
Open the Region dropdown and select the AWS Region where the CUR (Cost and Usage Report) bucket will be created (the default is
us-east-1). Cost and usage data for the connected accounts will be delivered to this bucket.
Step 6 — Generate the setup commands
Under Start connection, click Generate setup commands. The button becomes active once the required fields are valid.
Stage 2 — Run the setup commands in AWS
After generating, the screen switches to Run in AWS and shows the numbered command blocks plus a live connection status table.
The commands include a one-time token that expires in 1 hour — run them within that window. If the token expires, generate the commands again.
Step 7 — Open AWS CloudShell
Click Open AWS CloudShell to open a command session in your AWS environment. Sign in if prompted.
Step 8 — Run each command block in order
Copy each block using its copy button and paste it into CloudShell. Run them in order:
Copy each block with its copy button rather than retyping — the commands contain generated, one-time values.
Bootstrap IAM roles — creates the StackSet administration role (in the account you are running from) and an execution role in each target account. (This step appears only when these roles do not already exist; on later connections from the same account it may be omitted.)
Create StackSet — creates the Uniskai StackSet from the Uniskai-provided template, passing your chosen access level and the one-time connection tokens as parameters.
Deploy to accounts — creates the stack instances in each target account in the selected region, which creates the Uniskai access role there.
Step 9 — Watch the connection status
Return to the Uniskai screen. A message indicates "Waiting for CloudFormation to start your stack instances — this usually takes 2–5 minutes."
The status table updates per account. Each row moves from Pending to Connected, and the header shows progress such as "1 of 2 connected".
When an account is connected, a View environment → link appears in its Details column.
Results
After completing the steps:
The Uniskai access role exists in every targeted AWS account.
The status table shows each account as Connected, and the connected accounts are available from Account Manager.
Resources and cost data from those accounts become available across the Dashboard, Cloudview, and optimization features (subject to the chosen Access level).
Key notes / limitations
The setup token is one-time and expires in 1 hour. Generate and run the commands in the same session; regenerate if it expires.
Run the commands from an account with cross-account access. The bootstrap step assumes OrganizationAccountAccessRole in each target account.
Run the command blocks in order. Bootstrap (if shown) → Create StackSet → Deploy to accounts.
Copy commands with the copy buttons. They contain generated, one-time values; do not retype them.
Read-only access has no optimization actions. It provides visibility and recommendations only.
You can switch connection method at any time before generating the setup commands.
Deployment takes a few minutes. Stack instances typically take 2–5 minutes to start; accounts move from Pending to Connected as they complete.
Verifying it worked
The connection is confirmed when the status table shows each account as Connected (green) with a View environment → link, and the header reads "N of N connected".
To verify on the AWS side, you can run the following in CloudShell and confirm each instance reports SUCCEEDED:
aws cloudformation list-stack-instances --stack-set-name <your-stackset-name>
Look for StackInstanceStatus.DetailedStatus: "SUCCEEDED" and Status: "CURRENT" for each account. If an account stays Pending, confirm that all three command blocks ran without errors and that the account ID was included in the deploy command.









