Updating Your AWS Account Role Using a CloudFormation Stack

Learn how to update your AWS account with a role using a CloudFormation stack

Updated over a week ago

Step 1

Navigate to the 'Account Manager' tab.

Step 2

Select your desired AWS account by clicking on the 'DETAILS' button.

Step 3

Click on the 'Actions' button in the settings of the selected account.

Step 4

Select the 'Update arn-role' button.

Step 5

A new window for updating credentials will appear.

Note: For detailed information, refer to our user-friendly manual within the application.

5.1

Next, choose the Access Type (The selected type will be marked with a white dot on a blue background):

  • Read/Write - This option allows you to utilize all the available functions, including converting to spot, scheduling resources, removing unused resources, and right-sizing your resources.

  • Read-Only - This means you can only view all your resources and potential actions, but you won't be able to use the primary functionality.

5.2

In this guide, we've selected 'Read/write,' which allows full functionality.

5.3

The read/write policy looks like this:

Read-write policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:RegisterScalableTarget",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:UpdateAutoScalingGroup",
        "bedrock:GetAgent",
        "bedrock:GetAgentActionGroup",
        "bedrock:GetAgentAlias",
        "bedrock:GetAgentVersion",
        "bedrock:GetCustomModel",
        "bedrock:GetDataSource",
        "bedrock:GetKnowledgeBase",
        "bedrock:GetModelCustomizationJob",
        "bedrock:GetModelInvocationLoggingConfiguration",
        "bedrock:GetProvisionedModelThroughput",
        "bedrock:ListAgentActionGroups",
        "bedrock:ListAgentAliases",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListAgentVersions",
        "bedrock:ListAgents",
        "bedrock:ListCustomModels",
        "bedrock:ListDataSources",
        "bedrock:ListKnowledgeBases",
        "bedrock:ListModelCustomizationJobs",
        "bedrock:ListProvisionedModelThroughputs",
        "bedrock:ListTagsForResource",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetRightsizingRecommendation",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "ce:ListCostCategoryDefinitions",
        "cloudformation:UpdateStack",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:UpdateEnrollmentStatus",
        "cur:DescribeReportDefinitions",
        "ebs:ListChangedBlocks",
        "ebs:ListSnapshotBlocks",
        "ec2:AttachVolume",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateImage",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateRoute",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:GetLaunchTemplateData",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:ReleaseAddress",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ecs:DeleteService",
        "ecs:RegisterTaskDefinition",
        "ecs:UpdateContainerInstancesState",
        "ecs:UpdateService",
        "eks:CreateNodegroup",
        "eks:DeleteNodegroup",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:UpdateNodegroupConfig",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:PurchaseReservedInstanceOffering",
        "iam:CreateServiceLinkedRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*",
        "lambda:DeleteFunction",
        "lambda:DeleteProvisionedConcurrencyConfig",
        "lambda:GetFunction",
        "lambda:GetPolicy",
        "lambda:GetProvisionedConcurrencyConfig",
        "lambda:ListTags",
        "lambda:PublishVersion",
        "lambda:PutProvisionedConcurrencyConfig",
        "lambda:UpdateAlias",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "logs:DeleteLogGroup",
        "memorydb:DescribeReservedNodes",
        "memorydb:DescribeReservedNodesOfferings",
        "memorydb:DescribeSnapshots",
        "memorydb:DescribeSubnetGroups",
        "memorydb:PurchaseReservedNodesOffering",
        "pricing:*",
        "rds:DescribeDBInstances",
        "rds:PurchaseReservedDBInstancesOffering",
        "rds:StartDBCluster",
        "rds:StartDBInstance",
        "rds:StopDBCluster",
        "rds:StopDBInstance",
        "rds:ModifyDBInstance",
        "redshift:DescribeClusters",
        "redshift:PauseCluster",
        "redshift:PurchaseReservedNodeOffering",
        "redshift:ResumeCluster",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "savingsplans:CreateSavingsPlan",
        "elasticache:ModifyReplicationGroup",
        "es:UpdateDomainConfig"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}

The read-only policy looks like this:

Read only policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "pricing:*",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetRightsizingRecommendation",
        "ce:GetCostAndUsage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetReservationPurchaseRecommendation",
        "ce:ListCostCategoryDefinitions",
        "ce:GetCostForecast",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetDimensionValues",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetCostAndUsageWithResources",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansCoverage",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "cur:DescribeReportDefinitions",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks",
        "bedrock:GetModelInvocationLoggingConfiguration",
        "bedrock:ListProvisionedModelThroughputs",
        "bedrock:GetProvisionedModelThroughput",
        "bedrock:ListModelCustomizationJobs",
        "bedrock:GetModelCustomizationJob",
        "bedrock:ListCustomModels",
        "bedrock:GetCustomModel",
        "bedrock:ListKnowledgeBases",
        "bedrock:GetKnowledgeBase",
        "bedrock:ListAgents",
        "bedrock:GetAgent",
        "bedrock:ListDataSources",
        "bedrock:GetDataSource",
        "bedrock:ListAgentAliases",
        "bedrock:GetAgentAlias",
        "bedrock:ListAgentVersions",
        "bedrock:GetAgentVersion",
        "bedrock:ListAgentActionGroups",
        "bedrock:GetAgentActionGroup",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListTagsForResource",
        "memorydb:DescribeSnapshots",
        "memorydb:DescribeSubnetGroups",
        "memorydb:DescribeReservedNodes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}
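One way to review either policy before attaching it, shown as an added example (not Uniskai's code): the function lists every allowed action that is a wildcard or is not named Get/List/Describe, and notes whether it applies to all resources. The verb-prefix rule is an assumed heuristic, and the two sample documents are constructed excerpts of the policies above.

```python
import json

# Assumption: verb prefixes are a naming heuristic, not AWS's access-level data.
READ_PREFIXES = ("Get", "List", "Describe")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def review(policy):
    """Classify every allowed action in an IAM policy document."""
    out = {"wildcard": [], "non_read_on_any_resource": [], "non_read_scoped": []}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]
            if "*" in name:
                out["wildcard"].append(action)  # expands to actions not listed here
            elif not name.startswith(READ_PREFIXES):
                key = "non_read_on_any_resource" if any_resource else "non_read_scoped"
                out[key].append(action)
    return out

# Constructed excerpts: a handful of actions copied from the two policies above.
READ_WRITE = json.loads("""{ "Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
     "ce:GetCostAndUsage", "ec2:DescribeInstances", "ec2:TerminateInstances",
     "iam:PassRole", "iam:PutRolePolicy", "kms:Decrypt", "kms:GenerateDataKey*",
     "pricing:*"]},
  {"Effect": "Allow", "Resource": "arn:aws:s3:::%bucket_name%/*",
   "Action": ["s3:GetObject"]}]}""")
READ_ONLY = json.loads("""{ "Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
     "pricing:*", "ce:GetCostAndUsage", "ebs:ListSnapshotBlocks",
     "memorydb:DescribeSnapshots"]},
  {"Effect": "Allow", "Resource": "arn:aws:s3:::%bucket_name%/*",
   "Action": ["s3:GetObject"]}]}""")

if __name__ == "__main__":
    for label, doc in (("read/write", READ_WRITE), ("read-only", READ_ONLY)):
        print(label, json.dumps(review(doc), indent=2))
```

Run against the full read/write document, the `non_read_on_any_resource` list is the set of grants to weigh against your own least-privilege requirements, since that statement uses `"Resource": "*"`.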

5.4

Next, choose 'Connection' (the selected connection will be indicated by a white dot on a blue background):

  • For CloudFormation stack, the ARN role will be automatically generated by the CloudFormation stack. All you have to do is paste the created role into the corresponding field.

  • If you prefer a manual approach, you can create a role yourself using the External ID and Account ID provided below. This gives you complete control over creating the policy and ARN role.

Note: Currently, we're using the CloudFormation stack connection type with both read and write permissions.
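For the manual approach, a check you can run on the role's trust policy before pasting its ARN, shown as an added example (not Uniskai's code). It assumes the Account ID shown in Uniskai is the principal that assumes the role and that the External ID is enforced through the standard `sts:ExternalId` condition; both values below are placeholders and the sample policies are constructed.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_issues(trust, account_id, external_id):
    """Return problems found in a role trust policy; an empty list means it passes."""
    issues, found = [], False
    expected = {account_id, f"arn:aws:iam::{account_id}:root"}
    for stmt in _as_list(trust["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        found = True
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not aws:
            issues.append("no AWS account principal")
        issues += [f"unexpected principal: {p}" for p in aws if p not in expected]
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            issues.append("sts:ExternalId condition missing or wrong")
    if not found:
        issues.append("no statement allows sts:AssumeRole")
    return issues

# Placeholders: take the real Account ID and External ID from the Uniskai window.
ACCOUNT_ID, EXTERNAL_ID = "111122223333", "EXAMPLE-EXTERNAL-ID"

def make_trust(principal, condition):
    """Build a constructed single-statement trust policy for the checks below."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": principal}}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"
GOOD = make_trust(ROOT, {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = make_trust(ROOT, None)
ANY_PRINCIPAL = make_trust("*", {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("no external id", NO_EXTERNAL_ID), ("any principal", ANY_PRINCIPAL)):
        print(name, trust_issues(doc, ACCOUNT_ID, EXTERNAL_ID))
```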

5.5

Note: Do not refresh the page during role creation.

Click on 'Launch now.'

5.6

Sign in to the AWS console if you're not already signed in. Otherwise, you'll get redirected to the 'Create Stack' page.

5.7

Proceed to the Quick create stack page.

5.8

Scroll down the page, and make sure to tick the 'I acknowledge that AWS CloudFormation might create IAM resources' box in the Review tab. After that, click the 'Create stack' button.

5.9

You'll be directed to the next page.

5.10

Click 'Refresh' after 10–15 seconds. Once the Stack creation is complete, go to the ‘Outputs’ tab.

5.11

When 'CREATE_COMPLETE' appears in the left sidebar, copy the ARN role.

5.12

Return to Uniskai and paste the copied ARN role in the respective field.

5.13

Verify that all data is correct and click 'Connect account.'

Step 6

Your account has been successfully updated, and you can now view the updated account on the Account Manager page.
