
How to connect by account IDs. Multiple AWS

Add multiple AWS accounts via CloudFormation StackSet

Overview

This guide explains how to connect several AWS accounts to Uniskai at once using a CloudFormation StackSet, instead of adding each account individually. Uniskai generates a short set of commands that you run in AWS to create the connection across all targeted accounts. Use this method when you manage more than one AWS account.

How it works

Uniskai connects to each AWS account through a dedicated access role. A StackSet lets that role be created across many accounts in one operation. The flow has two stages:

  1. Configure the connection in Uniskai (accounts, access level, region) and click Generate setup commands.

  2. Run the generated commands in AWS (via AWS CloudShell). The commands create the StackSet and deploy it to each account, which creates the Uniskai access role in each one. Uniskai then detects each connection and marks the account as connected.

The StackSet uses the self-managed permissions model: the commands create a CloudFormation StackSet administration role in the account you run them from and an execution role in each target account, so CloudFormation can provision resources across accounts.

The objects involved in this setup:

| Resource | Name / Type | Purpose |
| --- | --- | --- |
| StackSet administration role | AWSCloudFormationStackSetAdministrationRole | Lets CloudFormation manage the StackSet from the account you run the commands in. |
| StackSet execution role | AWSCloudFormationStackSetExecutionRole, one per target account | Lets CloudFormation create resources in each target account. |
| CloudFormation StackSet | Uniskai-StackSet-… | Deploys the Uniskai access role across all targeted accounts. |
| Access role | IAM role, one per connected account | The role Uniskai assumes in each account to read cost and inventory data, and to act if read-write. |

Access level determines what Uniskai can do once connected (this maps to the StackSet Mode parameter, rw or ro):

  • Read/write — "You will be able to actively save money and fix all issues." Full functionality, including optimization actions.

  • Read-only — "You will get full visibility of your cloud environment and optimization insights." Visibility and recommendations only.

Prerequisites

Before you start:

  • You have the account IDs of the AWS accounts you want to connect.

  • You can run AWS CLI commands in an environment (for example, AWS CloudShell) that can assume the OrganizationAccountAccessRole in each target account — typically the organization's management account.

Note: Although Connect by account IDs does not require connecting a management account inside Uniskai, the generated bootstrap commands assume OrganizationAccountAccessRole in each target account. Run them from an account that has this cross-account access.

Setup steps

Stage 1: Configure the connection in Uniskai

Step 1 — Open the multiple-accounts screen

  1. In Uniskai, open the Account Manager and start connecting multiple AWS accounts at once. The screen header says Connect multiple accounts at once.

Step 2 — Choose the connection method

  1. Under Connection method, select Connect by account IDs.

Step 3 — Enter the account IDs

  1. In the Account IDs field, enter the AWS account IDs to connect, one ID per line (for example, 712346814331).

  2. Uniskai validates the entries and shows a count, for example "2 valid account IDs entered."

Step 4 — Select the access level

  1. Under Access level, select Read/write (full functionality) or Read-only (visibility only).

Step 5 — Select the region

  1. Open the Region dropdown and select the AWS Region where the CUR (Cost and Usage Report) bucket will be created (the default is us-east-1). Cost and usage data for the connected accounts will be delivered to this bucket.

Step 6 — Generate the setup commands

  1. Under Start connection, click Generate setup commands. The button becomes active once the required fields are valid.

Stage 2: Run the setup commands in AWS

After generating, the screen switches to Run in AWS and shows the numbered command blocks plus a live connection status table.

The commands include a one-time token that expires in 1 hour — run them within that window. If the token expires, generate the commands again.

Step 7 — Open AWS CloudShell

Click Open AWS CloudShell to open a command session in your AWS environment. Sign in if prompted.

Step 8 — Run each command block in order

Copy each block using its copy button and paste it into CloudShell. Run them in order:

Copy each block with its copy button rather than retyping — the commands contain generated, one-time values.

  1. Bootstrap IAM roles — creates the StackSet administration role (in the account you are running from) and an execution role in each target account. (This step appears only when these roles do not already exist; on later connections from the same account it may be omitted.)

  2. Create StackSet — creates the Uniskai StackSet from the Uniskai-provided template, passing your chosen access level and the one-time connection tokens as parameters.

  3. Deploy to accounts — creates the stack instances in each target account in the selected region, which creates the Uniskai access role there.

Step 9 — Watch the connection status

  1. Return to the Uniskai screen. A message indicates "Waiting for CloudFormation to start your stack instances — this usually takes 2–5 minutes."

  2. The status table updates per account. Each row moves from Pending to Connected, and the header shows progress such as "1 of 2 connected".

  3. When an account is connected, a View environment → link appears in its Details column.

Results

After completing the steps:

  • The Uniskai access role exists in every targeted AWS account.

  • The status table shows each account as Connected, and the connected accounts are available from Account Manager.

  • Resources and cost data from those accounts become available across the Dashboard, Cloudview, and optimization features (subject to the chosen Access level).

Key notes / limitations

  • The setup token is one-time and expires in 1 hour. Generate and run the commands in the same session; regenerate if it expires.

  • Run the commands from an account with cross-account access. The bootstrap step assumes OrganizationAccountAccessRole in each target account.

  • Run the command blocks in order. Bootstrap (if shown) → Create StackSet → Deploy to accounts.

  • Copy commands with the copy buttons. They contain generated, one-time values; do not retype them.

  • Read-only access has no optimization actions. It provides visibility and recommendations only.

  • You can switch connection method at any time before generating the setup commands.

  • Deployment takes a few minutes. Stack instances typically take 2–5 minutes to start; accounts move from Pending to Connected as they complete.

Verifying it worked

The connection is confirmed when the status table shows each account as Connected (green) with a View environment → link, and the header reads "N of N connected".

To verify on the AWS side, you can run the following in CloudShell and confirm each instance reports SUCCEEDED:

aws cloudformation list-stack-instances --stack-set-name <your-stackset-name>

Look for StackInstanceStatus.DetailedStatus: "SUCCEEDED" and Status: "CURRENT" for each account. If an account stays Pending, confirm that all three command blocks ran without errors and that the account ID was included in the deploy command.
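The check above can be scripted when many accounts are involved. The following is an added example, not part of the Uniskai-generated commands or AWS tooling: it reads the JSON printed by list-stack-instances and reports every account that is not CURRENT/SUCCEEDED, plus any expected account ID that has no stack instance at all. The function name, the script name check_instances.py and the account IDs are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like the output of
# `aws cloudformation list-stack-instances --output json` (not real accounts).
SAMPLE = json.loads("""
{"Summaries": [
  {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT",
   "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
  {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
   "StatusReason": "constructed failure reason",
   "StackInstanceStatus": {"DetailedStatus": "FAILED"}}
]}
""")


def check_instances(response, expected_accounts):
    """Return {account_id: problem} for every account that is not fully deployed."""
    problems = {}
    seen = set()
    # This guide deploys to a single Region, so one instance per account is assumed.
    for inst in response.get("Summaries", []):
        account = inst.get("Account")
        seen.add(account)
        status = inst.get("Status")
        detailed = inst.get("StackInstanceStatus", {}).get("DetailedStatus")
        if status != "CURRENT" or detailed != "SUCCEEDED":
            reason = inst.get("StatusReason", "no StatusReason returned")
            problems[account] = f"{status}/{detailed} in {inst.get('Region')}: {reason}"
    # An ID that never reached the deploy command has no stack instance at all.
    for account in expected_accounts:
        if account not in seen:
            problems[account] = "no stack instance (ID missing from the deploy command?)"
    return problems


if __name__ == "__main__":
    # Usage: aws cloudformation list-stack-instances \
    #          --stack-set-name <your-stackset-name> --output json \
    #          | python3 check_instances.py 111111111111 222222222222
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    expected = sys.argv[1:] or ["111111111111", "222222222222", "333333333333"]
    found = check_instances(data, expected)
    for account, problem in sorted(found.items()):
        print(f"{account}: {problem}")
    sys.exit(1 if found else 0)
```

Run without piped input, the script falls back to the constructed sample; it exits non-zero whenever any account needs attention, so it can gate a follow-up step.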
