Updating Your AWS Account Role Using a CloudFormation Stack
Learn how to update your AWS account with a role using a CloudFormation stack

Updated over a week ago

Step 1

Navigate to the 'Account Manager' tab.

Step 2

Select your desired AWS account by clicking on the 'DETAILS' button.

Step 3

Click on the 'Actions' button in the settings of the selected account.

Step 4

Select the 'Update arn-role' button.

Step 5

A new window for updating credentials will appear.

Note: For detailed information, refer to our user-friendly manual within the application.

5.1

Next, choose the Access Type (the selected type will be marked with a white dot on a blue background):

  • Read/Write - This option allows you to utilize all the available functions, including converting to spot, scheduling resources, removing unused resources, and right-sizing your resources.

  • Read-Only - This means you can only view all your resources and potential actions, but you won't be able to use the primary functionality.

5.2

In this guide, we've selected 'Read/write,' which allows full functionality.

5.3

The Read/Write policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:RegisterScalableTarget",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:UpdateAutoScalingGroup",
        "bedrock:GetAgent",
        "bedrock:GetAgentActionGroup",
        "bedrock:GetAgentAlias",
        "bedrock:GetAgentVersion",
        "bedrock:GetCustomModel",
        "bedrock:GetDataSource",
        "bedrock:GetKnowledgeBase",
        "bedrock:GetModelCustomizationJob",
        "bedrock:GetModelInvocationLoggingConfiguration",
        "bedrock:GetProvisionedModelThroughput",
        "bedrock:ListAgentActionGroups",
        "bedrock:ListAgentAliases",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListAgentVersions",
        "bedrock:ListAgents",
        "bedrock:ListCustomModels",
        "bedrock:ListDataSources",
        "bedrock:ListKnowledgeBases",
        "bedrock:ListModelCustomizationJobs",
        "bedrock:ListProvisionedModelThroughputs",
        "bedrock:ListTagsForResource",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetRightsizingRecommendation",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "ce:ListCostCategoryDefinitions",
        "cloudformation:UpdateStack",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:UpdateEnrollmentStatus",
        "cur:DescribeReportDefinitions",
        "ebs:ListChangedBlocks",
        "ebs:ListSnapshotBlocks",
        "ec2:AttachVolume",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateImage",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateRoute",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:GetLaunchTemplateData",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:ReleaseAddress",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ecs:DeleteService",
        "ecs:RegisterTaskDefinition",
        "ecs:UpdateContainerInstancesState",
        "ecs:UpdateService",
        "eks:CreateNodegroup",
        "eks:DeleteNodegroup",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:UpdateNodegroupConfig",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:PurchaseReservedInstanceOffering",
        "iam:CreateServiceLinkedRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*",
        "lambda:DeleteFunction",
        "lambda:DeleteProvisionedConcurrencyConfig",
        "lambda:GetFunction",
        "lambda:GetPolicy",
        "lambda:GetProvisionedConcurrencyConfig",
        "lambda:ListTags",
        "lambda:PublishVersion",
        "lambda:PutProvisionedConcurrencyConfig",
        "lambda:UpdateAlias",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "logs:DeleteLogGroup",
        "memorydb:DescribeReservedNodes",
        "memorydb:DescribeReservedNodesOfferings",
        "memorydb:DescribeSnapshots",
        "memorydb:DescribeSubnetGroups",
        "memorydb:PurchaseReservedNodesOffering",
        "pricing:*",
        "rds:DescribeDBInstances",
        "rds:PurchaseReservedDBInstancesOffering",
        "rds:StartDBCluster",
        "rds:StartDBInstance",
        "rds:StopDBCluster",
        "rds:StopDBInstance",
        "rds:ModifyDBInstance",
        "redshift:DescribeClusters",
        "redshift:PauseCluster",
        "redshift:PurchaseReservedNodeOffering",
        "redshift:ResumeCluster",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "savingsplans:CreateSavingsPlan",
        "elasticache:ModifyReplicationGroup",
        "es:UpdateDomainConfig"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}

The Read-Only policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "pricing:*",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetRightsizingRecommendation",
        "ce:GetCostAndUsage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetReservationPurchaseRecommendation",
        "ce:ListCostCategoryDefinitions",
        "ce:GetCostForecast",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetDimensionValues",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetCostAndUsageWithResources",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansCoverage",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "cur:DescribeReportDefinitions",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks",
        "bedrock:GetModelInvocationLoggingConfiguration",
        "bedrock:ListProvisionedModelThroughputs",
        "bedrock:GetProvisionedModelThroughput",
        "bedrock:ListModelCustomizationJobs",
        "bedrock:GetModelCustomizationJob",
        "bedrock:ListCustomModels",
        "bedrock:GetCustomModel",
        "bedrock:ListKnowledgeBases",
        "bedrock:GetKnowledgeBase",
        "bedrock:ListAgents",
        "bedrock:GetAgent",
        "bedrock:ListDataSources",
        "bedrock:GetDataSource",
        "bedrock:ListAgentAliases",
        "bedrock:GetAgentAlias",
        "bedrock:ListAgentVersions",
        "bedrock:GetAgentVersion",
        "bedrock:ListAgentActionGroups",
        "bedrock:GetAgentActionGroup",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListTagsForResource",
        "memorydb:DescribeSnapshots",
        "memorydb:DescribeSubnetGroups",
        "memorydb:DescribeReservedNodes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}
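To review what either policy grants before attaching it, the sketch below groups the actions allowed on `"Resource": "*"` by what they can change. It is an added example, not part of the Uniskai documentation; the category names and patterns are this example's own grouping, and the embedded policy is a constructed excerpt of the Read/Write policy above.

```python
import fnmatch
import json

# Constructed excerpt of the Read/Write policy on this page (not the full action list).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["ce:GetCostAndUsage", "ec2:DescribeInstances", "ec2:TerminateInstances",
               "ec2:PurchaseReservedInstancesOffering", "iam:PassRole",
               "iam:PutRolePolicy", "kms:Decrypt", "kms:GenerateDataKey*",
               "lambda:UpdateFunctionCode", "logs:DeleteLogGroup", "pricing:*"]},
   {"Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::%bucket_name%/*"}]}
""")

# Review categories: this example's own grouping, not an AWS or Uniskai classification.
CATEGORIES = {
    "identity": ["iam:*"],
    "key-use": ["kms:*"],
    "code-change": ["lambda:Update*", "lambda:PublishVersion", "ecs:RegisterTaskDefinition"],
    "destructive": ["*:Delete*", "*:Terminate*", "*:Deregister*"],
    "spend": ["*:Purchase*", "savingsplans:Create*"],
}

def as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def review(policy):
    """Return {category: [actions]} for Allow statements whose Resource is '*'."""
    findings = {}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue  # scoped statements (e.g. the S3 bucket one) are out of scope here
        for action in as_list(stmt.get("Action", [])):
            for category, patterns in CATEGORIES.items():
                # IAM action names are case-insensitive, so compare in lower case.
                if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                    findings.setdefault(category, []).append(action)
            if action.endswith(":*"):
                findings.setdefault("service-wildcard", []).append(action)
    return findings

if __name__ == "__main__":
    for category, actions in review(POLICY).items():
        print(f"{category}: {', '.join(actions)}")
```

Paste the full policy text in place of the excerpt to review the complete action list.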

5.4

Next, choose 'Connection' (the selected connection will be indicated by a white dot on a blue background):

  • For CloudFormation stack, the ARN role will be automatically generated by the CloudFormation stack. All you have to do is paste the created role into the corresponding field.

  • If you prefer a manual approach, you can create a role yourself using the External ID and Account ID provided below. This gives you complete control over creating the policy and ARN role.

Note: We currently use the CloudFormation stack connection type with both read and write permissions.
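For the manual approach, the role's trust policy is where the External ID and Account ID are used. The following is an added example, not Uniskai's own code: it builds a trust policy in the standard AWS cross-account form (assumed here to be what the manual role needs) and checks an existing one. The account ID and External ID are placeholders, and the function names are hypothetical.

```python
# Placeholders (constructed): take the real values from the Uniskai credentials window.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"

def build_trust_policy(account_id, external_id):
    """Only `account_id` may assume the role, and only when it presents `external_id`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def check_trust_policy(trust, account_id, external_id):
    """Return a list of problems; an empty list means the trust is scoped as expected."""
    problems = []
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        if not principals:
            problems.append("no AWS principal")
        for p in principals:
            # Accept the bare account ID or any IAM ARN inside that account.
            if p != account_id and not p.startswith(f"arn:aws:iam::{account_id}:"):
                problems.append(f"unexpected principal: {p}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = {k.lower(): v for k, v in equals.items()}  # condition keys are case-insensitive
        if ids.get("sts:externalid") != external_id:
            problems.append("sts:ExternalId condition missing or different")
    return problems

# Constructed counter-example: any principal may assume the role, no External ID required.
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    import json
    good = build_trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print(check_trust_policy(good, VENDOR_ACCOUNT_ID, EXTERNAL_ID))
    print(check_trust_policy(OPEN_TRUST, VENDOR_ACCOUNT_ID, EXTERNAL_ID))
```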

5.5

Note: Do not refresh the page during role creation.

Click on the Select region field.

5.6

Select the region where you want to place the S3 bucket with the CUR (Cost and Usage Report). If you already have an S3 bucket with CUR in some regions, we will not create a new one; we will use your S3 bucket.

5.7

Click the “Launch now” button.

If you return to Uniskai while adding an account, you will see a pop-up window.

5.8

Sign in to the AWS console if you're not already signed in. Otherwise, you'll get redirected to the 'Create Stack' page.

5.9

You will see the Quick Create stack page.

5.10

Scroll down to the bottom of the page and select the checkboxes.

5.11

Navigate to the next page.

5.12

Your account has been successfully updated, and you can now view the updated account on the Account Manager page.