Adding an AWS Account with a Cross-Account Role Connection

Learn how to add an AWS account with a cross-account role connection


Step 1

Navigate to the ‘Account manager’ tab.

If you don't have any accounts yet, the Account Manager page is empty. Click the ‘Add environment’ button.

If you already have accounts, they are listed on the Account Manager page. Click the ‘Add environment’ button.


Step 2

Click on the AWS (Amazon Web Services) button.

Step 3

Click the ‘Cross Account Role’ button. With this connection type Uniskai reaches your account by assuming an IAM role that you create, rather than through long-lived access keys.

Step 4

4.1

You will be directed to the ‘Cross-account role connection’ page.

4.2

In the first field, enter the Account name (up to 32 characters). If you leave it empty, the account is named ‘AWS’ by default.

4.3

Next, select the Access type:

  • Read/write: Allows you to use all functions such as converting to spot, scheduling resources, removing unused resources, and right-sizing your resources.

  • Read-only: Allows you to only view your resources and possible actions but does not provide access to the main functionality.

The Read/write policy looks like this. Note that its first statement applies to every resource in the account ("Resource": "*") and includes actions such as iam:PutRolePolicy, iam:PassRole, ec2:RunInstances, lambda:UpdateFunctionCode and kms:Decrypt; a role that holds iam:PutRolePolicy on all roles can rewrite its own permissions, so review this list against what you are willing to delegate before you create the role. Also note that ec2:GetPaginator is not an EC2 API action (IAM accepts unrecognised action names in a policy, but they grant nothing).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteService",
        "ecs:RegisterTaskDefinition",
        "eks:DeleteNodegroup",
        "ecs:UpdateService",
        "application-autoscaling:RegisterScalableTarget",
        "eks:CreateNodegroup",
        "ecs:UpdateContainerInstancesState",
        "pricing:*",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetRightsizingRecommendation",
        "ce:GetCostAndUsage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetReservationPurchaseRecommendation",
        "ce:ListCostCategoryDefinitions",
        "ce:GetCostForecast",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetDimensionValues",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetCostAndUsageWithResources",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansCoverage",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:UpdateNodegroupConfig",
        "rds:DescribeDBInstances",
        "rds:StartDBCluster",
        "rds:StartDBInstance",
        "rds:StopDBCluster",
        "rds:StopDBInstance",
        "redshift:DescribeClusters",
        "redshift:PauseCluster",
        "redshift:ResumeCluster",
        "savingsplans:CreateSavingsPlan",
        "es:PurchaseReservedInstanceOffering",
        "redshift:PurchaseReservedNodeOffering",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "ec2:PurchaseReservedInstancesOffering",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "rds:PurchaseReservedDBInstancesOffering",
        "acm:AddTagsToCertificate",
        "acm:RemoveTagsFromCertificate",
        "apigateway:DELETE",
        "apigateway:POST",
        "appmesh:TagResource",
        "appmesh:UntagResource",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteTags",
        "cloudfront:TagResource",
        "cloudfront:UntagResource",
        "cloudwatch:TagResource",
        "cloudwatch:UntagResource",
        "cognito-identity:TagResource",
        "cognito-identity:UntagResource",
        "ec2:DeleteTags",
        "ecr:TagResource",
        "ecr:UntagResource",
        "ecs:TagResource",
        "ecs:UntagResource",
        "eks:TagResource",
        "eks:UntagResource",
        "elasticache:AddTagsToResource",
        "elasticache:RemoveTagsFromResource",
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:RemoveTags",
        "elasticfilesystem:CreateTags",
        "elasticfilesystem:DeleteTags",
        "elasticfilesystem:TagResource",
        "elasticfilesystem:UntagResource",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags",
        "es:AddTags",
        "es:RemoveTags",
        "fsx:TagResource",
        "fsx:UntagResource",
        "iam:TagRole",
        "iam:TagUser",
        "iam:UntagRole",
        "iam:UntagUser",
        "kinesis:AddTagsToStream",
        "kinesis:RemoveTagsFromStream",
        "kms:TagResource",
        "kms:UntagResource",
        "lambda:TagResource",
        "lambda:UntagResource",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "redshift:CreateTags",
        "redshift:DeleteTags",
        "route53:ChangeTagsForResource",
        "route53domains:DeleteTagsForDomain",
        "route53domains:UpdateTagsForDomain",
        "s3:DeleteJobTagging",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersionTagging",
        "s3:PutBucketTagging",
        "s3:PutJobTagging",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:ReplicateTags",
        "tag:TagResources",
        "tag:UntagResources",
        "autoscaling:UpdateAutoScalingGroup",
        "ec2:AttachVolume",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateImage",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateRoute",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:GetLaunchTemplateData",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets",
        "autoscaling:DescribeAutoScalingGroups",
        "ec2:GetPaginator",
        "ec2:ReleaseAddress",
        "cloudformation:UpdateStack",
        "elasticbeanstalk:UpdateTagsForResource",
        "elasticloadbalancing:ModifyTargetGroup",
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:UpdateEnrollmentStatus",
        "ec2:ModifyVolume",
        "cur:DescribeReportDefinitions",
        "lambda:UpdateFunctionCode",
        "lambda:GetProvisionedConcurrencyConfig",
        "lambda:ListTags",
        "lambda:GetFunction",
        "lambda:PutProvisionedConcurrencyConfig",
        "lambda:DeleteProvisionedConcurrencyConfig",
        "lambda:UpdateFunctionConfiguration",
        "lambda:DeleteFunction",
        "lambda:PublishVersion",
        "lambda:GetPolicy",
        "lambda:UpdateAlias",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "sns:TagResource",
        "sns:UntagResource",
        "mq:CreateTags",
        "mq:DeleteTags",
        "ses:UntagResource",
        "ses:TagResource",
        "events:TagResource",
        "events:UntagResource",
        "secretsmanager:UntagResource",
        "secretsmanager:TagResource",
        "codecommit:TagResource",
        "codecommit:UntagResource",
        "states:UntagResource",
        "states:TagResource",
        "appflow:UntagResource",
        "appflow:TagResource",
        "backup:TagResource",
        "backup:UntagResource",
        "logs:TagLogGroup",
        "logs:UntagLogGroup",
        "logs:DeleteLogGroup",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "iam:PutRolePolicy",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "cassandra:Alter",
        "cassandra:AlterMultiRegionResource",
        "cassandra:TagResource",
        "cassandra:TagMultiRegionResource",
        "cassandra:UnTagMultiRegionResource",
        "cassandra:UntagResource",
        "cloudtrail:AddTags",
        "cloudtrail:RemoveTags",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "glacier:AddTagsToVault",
        "glacier:RemoveTagsFromVault",
        "glue:TagResource",
        "glue:UntagResource",
        "kafka:TagResource",
        "kafka:UntagResource",
        "timestream:TagResource",
        "timestream:UntagResource",
        "sagemaker:AddTags",
        "sagemaker:DeleteTags",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}

The Read-only policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "pricing:*",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetRightsizingRecommendation",
        "ce:GetCostAndUsage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetReservationPurchaseRecommendation",
        "ce:ListCostCategoryDefinitions",
        "ce:GetCostForecast",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetDimensionValues",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetCostAndUsageWithResources",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansCoverage",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "cur:DescribeReportDefinitions",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}
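As an added example (it is not part of the original article and not Uniskai's own tooling), the following Python script audits a policy of this shape before it is deployed: it flags wildcard actions and, for statements whose Resource is "*", the actions that let the role holder change its own permissions or run code as another principal. The embedded policy is a constructed excerpt of the Read/write policy above, and the set of flagged actions is the editor's choice of what a reviewer would want to see, not something the page defines.

```python
import json

# Constructed excerpt of the Read/write policy shown above (not the full policy).
# The %bucket_name% placeholder is copied from the page as-is.
READ_WRITE_POLICY_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "pricing:*",
        "ce:GetCostAndUsage",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RunInstances",
        "lambda:UpdateFunctionCode",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "ebs:ListSnapshotBlocks"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}
""")

# Actions that, when allowed on Resource "*", let the holder widen its own
# permissions or execute code under another principal. This list is the
# editor's assumption about what a reviewer wants flagged; extend it as needed.
ESCALATION_ACTIONS = {
    "iam:PutRolePolicy": "role can rewrite the inline permissions of any role, including its own",
    "iam:PassRole": "role can hand any role to a service it is allowed to launch",
    "ec2:RunInstances": "with iam:PassRole, runs code under any instance profile",
    "lambda:UpdateFunctionCode": "replaces the code of any function, which runs as that function's role",
    "cloudformation:UpdateStack": "changes any stack, including stacks that manage IAM resources",
    "kms:Decrypt": "decrypts with every customer managed key in the account",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement index, action, reason) findings for every Allow statement."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append((i, action, "wildcard action; also grants API calls added in future"))
            if "*" in resources and action in ESCALATION_ACTIONS:
                findings.append((i, action, ESCALATION_ACTIONS[action]))
    return findings


def escalation_actions(policy):
    """Sorted list of account-wide escalation-capable actions found in the policy."""
    return sorted({a for _, a, _ in audit_policy(policy) if a in ESCALATION_ACTIONS})


if __name__ == "__main__":
    for idx, action, reason in audit_policy(READ_WRITE_POLICY_EXCERPT):
        print(f"statement {idx}: {action}: {reason}")
```

Run it against the full policy by replacing the embedded excerpt with the JSON above; every finding is a decision point (accept, scope the Resource down, or drop the action) before the role is created.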

4.4

Then select the Connection type (the selected option is marked with a white dot on a blue background):

  • CloudFormation stack: a stack supplied by Uniskai creates the role automatically, with the trust policy and the permissions policy for the access type you chose. All you need to do is paste the resulting role ARN into the respective field. The template URL is shown on the Quick create stack page, so you can review the template before creating the stack.

  • Manual: you create the role yourself using the External ID and Account ID shown below, which gives you full control over the trust policy, the permissions policy and the role ARN. Keep the sts:ExternalId condition in the trust policy: it is what stops another Uniskai tenant from pointing their environment at your role ARN (the confused-deputy problem).
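For the Manual connection type, here is an added example (not from the original article and not Uniskai's own code) that builds the trust policy with the External ID condition, checks an existing trust policy before its ARN is handed over, and creates the role through a boto3 IAM client. The Account ID, External ID and role name are placeholders: the real values come from the ‘Cross-account role connection’ page in Uniskai and are not known to this example. The inline permissions policy is a constructed excerpt of the Read-only policy above.

```python
import json
import re

# Illustrative placeholders. The real Account ID and External ID are shown on the
# 'Cross-account role connection' page in Uniskai; they are NOT taken from this article.
UNISKAI_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "replace-with-the-external-id-shown-in-uniskai"
ROLE_NAME = "UniskaiCrossAccountRole"  # assumed name, choose your own


def build_trust_policy(vendor_account_id, external_id):
    """Trust policy that lets only the vendor account assume the role, and only
    when the caller presents the agreed External ID (confused-deputy mitigation)."""
    if not re.fullmatch(r"\d{12}", vendor_account_id):
        raise ValueError("vendor account ID must be exactly 12 digits")
    if not external_id:
        raise ValueError("refusing to create a cross-account trust without an External ID")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_is_safe(trust_policy, expected_account_id):
    """Review an existing trust policy before pasting its role ARN into Uniskai: every
    Allow statement must name the vendor account (never "*") and require sts:ExternalId."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws is None or "*" in str(aws) or expected_account_id not in str(aws):
            return False
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False
    return True


def role_creation_requests(role_name, trust_policy, permissions_policy):
    """Keyword arguments for boto3's iam.create_role and iam.put_role_policy."""
    create = {
        "RoleName": role_name,
        "AssumeRolePolicyDocument": json.dumps(trust_policy),
        "Description": "Cross-account role assumed by Uniskai",
    }
    attach = {
        "RoleName": role_name,
        "PolicyName": "UniskaiAccess",
        "PolicyDocument": json.dumps(permissions_policy),
    }
    return create, attach


def create_role(iam, role_name, trust_policy, permissions_policy):
    """Create the role with a boto3 IAM client and return the ARN to paste into Uniskai."""
    create, attach = role_creation_requests(role_name, trust_policy, permissions_policy)
    arn = iam.create_role(**create)["Role"]["Arn"]
    iam.put_role_policy(**attach)
    return arn


# Constructed excerpt of the page's Read-only policy, used as the inline permissions policy.
READ_ONLY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ce:GetCostAndUsage", "ce:GetRightsizingRecommendation",
                   "cur:DescribeReportDefinitions"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    import boto3  # needs credentials for the target account; not required for the checks above

    trust = build_trust_policy(UNISKAI_ACCOUNT_ID, EXTERNAL_ID)
    assert trust_policy_is_safe(trust, UNISKAI_ACCOUNT_ID)
    print(create_role(boto3.client("iam"), ROLE_NAME, trust, READ_ONLY_EXCERPT))
```

The role ARN the script prints is the value for the ‘ARN role’ field in step 4.5. Treat the External ID like a shared secret: it is not a password, but an attacker who knows both your role ARN and the External ID, and who can drive the vendor's system, gains whatever the permissions policy allows.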

4.4.1

To open the in-app guide, click the ‘Read manual’ button in the ‘Cross-account role connection’ pop-up.

The guide has a button for each access type (Read/write or Read-only) and for each connection type (Manual or CloudFormation stack). Click the buttons that match your choices to see the corresponding steps.

This article follows the CloudFormation stack path. If you chose Manual, follow the steps in the guide instead.

4.4.2

After selecting CloudFormation stack, click the ‘Launch now’ button.

NOTE: DO NOT REFRESH THE PAGE DURING ROLE CREATION

4.4.3

Sign in to the AWS Console.

4.4.4

You will see the Quick create stack page.

4.4.5

Scroll down to the end of the page and check the ‘I acknowledge that AWS CloudFormation might create IAM resources’ box in the Capabilities section. Then click the ‘Create stack’ button.

4.4.6

You are taken to the stack's detail page.

4.4.7

Click the ‘Refresh’ button after 10-15 seconds. Once stack creation is complete, open the ‘Outputs’ tab.

4.4.8

When the stack status in the left sidebar reads CREATE_COMPLETE, copy the role ARN from the Outputs tab.

4.5

Return to Uniskai and paste the copied role ARN into the corresponding field.

4.6

Verify that all the data is accurate and click the ‘Connect account’ button.

Step 5

Your account has been successfully connected. You can view the connected account on the Account manager page.
