Adding an AWS Account with a Manual Connection

Learn how to add an AWS account with a manual connection

Updated over a week ago

Step 1

Navigate to the ‘Account manager’ tab.

Your Account Manager menu will look like the picture below if you don't have any accounts. Click the ‘Add environment’ button.

Your Account Manager menu will display differently if you already have some accounts. Click the ‘Add environment’ button.

Choose AWS cloud service.

Step 2

Select ‘Cross Account Role.’

Step 3

You will be directed to the ‘Cross-account role connection’ page.

Step 4

In the first field, enter an Account name. You can use a specific name (up to 32 characters) or leave it as the default ‘AWS.’

Step 5

Choose the Access type (The selected type will be marked with a white dot on a blue background):

  • Read/write: This allows you to use all functions, such as converting to spot, scheduling resources, removing unused resources, and rightsizing your resources.

  • Read-only: This only lets you view your resources and possible actions, without the ability to use the main functionality.

Step 6

Select the Connection type (The selected type will be marked with a white dot on a blue background):

  • CloudFormation stack: The ARN-role is automatically created by the CloudFormation stack.

  • Manual: You'll manually create a role using the External ID and Account ID.

    Now choose a manual connection.

Step 7

Refer to our manual:

Click the ‘Read manual’ button in the ‘Cross-account role connection’ pop-up.

This is how the manual appears:

At this moment, we've chosen the Manual connection.

Step 8

Log in to the AWS Console.


Step 9

In the search field type Cost and Usage Reports and click

Step 10

After the page loads, click the Create report button.

Step 11

Name your report and check the Include resource IDs and Refresh automatically boxes. Then click Next.

You can enter any name, but it must start with our prefix. Example: "psl-cur-{new-report}".

The part in {bold} can be changed.

Step 12

Click Configure


Step 13

Name the S3 bucket psl-cur-%AWS-account-id% (replace %AWS-account-id% with your account ID), then select the region where you want to store the S3 bucket.

Step 14

Check the box ‘The following default policy will be applied to your bucket’ and click Save.

Step 15

Set the S3 path prefix to psl-cur and select the Overwrite existing report radio button. Then check the Amazon Athena box and click Next.

Step 16

Scroll to the bottom of the page and click Create Report

Step 17

Go back to Uniskai and click on the Open AWS CONSOLE button

Step 18

Navigate to Policies on the sidebar and click Create policy


Policy Read-Write

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:RegisterScalableTarget",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:UpdateAutoScalingGroup",
        "bedrock:GetAgent",
        "bedrock:GetAgentActionGroup",
        "bedrock:GetAgentAlias",
        "bedrock:GetAgentVersion",
        "bedrock:GetCustomModel",
        "bedrock:GetDataSource",
        "bedrock:GetKnowledgeBase",
        "bedrock:GetModelCustomizationJob",
        "bedrock:GetModelInvocationLoggingConfiguration",
        "bedrock:GetProvisionedModelThroughput",
        "bedrock:ListAgentActionGroups",
        "bedrock:ListAgentAliases",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListAgentVersions",
        "bedrock:ListAgents",
        "bedrock:ListCustomModels",
        "bedrock:ListDataSources",
        "bedrock:ListKnowledgeBases",
        "bedrock:ListModelCustomizationJobs",
        "bedrock:ListProvisionedModelThroughputs",
        "bedrock:ListTagsForResource",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetRightsizingRecommendation",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "ce:ListCostCategoryDefinitions",
        "cloudformation:UpdateStack",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:UpdateEnrollmentStatus",
        "cur:DescribeReportDefinitions",
        "ebs:ListChangedBlocks",
        "ebs:ListSnapshotBlocks",
        "ec2:AttachVolume",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateImage",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateRoute",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeVolumes",
        "ec2:DetachVolume",
        "ec2:GetLaunchTemplateData",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:ReleaseAddress",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ecs:DeleteService",
        "ecs:RegisterTaskDefinition",
        "ecs:UpdateContainerInstancesState",
        "ecs:UpdateService",
        "eks:CreateNodegroup",
        "eks:DeleteNodegroup",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:UpdateNodegroupConfig",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:PurchaseReservedInstanceOffering",
        "iam:CreateServiceLinkedRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*",
        "lambda:DeleteFunction",
        "lambda:DeleteProvisionedConcurrencyConfig",
        "lambda:GetFunction",
        "lambda:GetPolicy",
        "lambda:GetProvisionedConcurrencyConfig",
        "lambda:ListTags",
        "lambda:PublishVersion",
        "lambda:PutProvisionedConcurrencyConfig",
        "lambda:UpdateAlias",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "logs:DeleteLogGroup",
        "memorydb:DescribeReservedNodes",
        "memorydb:DescribeReservedNodesOfferings",
        "memorydb:DescribeSnapshots",
        "memorydb:DescribeSubnetGroups",
        "memorydb:PurchaseReservedNodesOffering",
        "pricing:*",
        "rds:DeleteDBInstance",
        "rds:DescribeDBInstances",
        "rds:PurchaseReservedDBInstancesOffering",
        "rds:StartDBCluster",
        "rds:StartDBInstance",
        "rds:StopDBCluster",
        "rds:StopDBInstance",
        "rds:ModifyDBInstance",
        "redshift:DescribeClusters",
        "redshift:PauseCluster",
        "redshift:PurchaseReservedNodeOffering",
        "redshift:ResumeCluster",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "savingsplans:CreateSavingsPlan",
        "elasticache:ModifyReplicationGroup",
        "es:UpdateDomainConfig"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}

Policy Tagging

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "acm:AddTagsToCertificate",
        "acm:RemoveTagsFromCertificate",
        "apigateway:DELETE",
        "apigateway:POST",
        "appmesh:TagResource",
        "appmesh:UntagResource",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteTags",
        "cloudfront:TagResource",
        "cloudfront:UntagResource",
        "cloudwatch:TagResource",
        "cloudwatch:UntagResource",
        "cognito-identity:TagResource",
        "cognito-identity:UntagResource",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ecr:TagResource",
        "ecr:UntagResource",
        "ecs:TagResource",
        "ecs:UntagResource",
        "eks:TagResource",
        "eks:UntagResource",
        "elasticache:AddTagsToResource",
        "elasticache:RemoveTagsFromResource",
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:RemoveTags",
        "elasticfilesystem:CreateTags",
        "elasticfilesystem:DeleteTags",
        "elasticfilesystem:TagResource",
        "elasticfilesystem:UntagResource",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags",
        "es:AddTags",
        "es:RemoveTags",
        "fsx:TagResource",
        "fsx:UntagResource",
        "iam:TagRole",
        "iam:TagUser",
        "iam:UntagRole",
        "iam:UntagUser",
        "kinesis:AddTagsToStream",
        "kinesis:RemoveTagsFromStream",
        "kms:TagResource",
        "kms:UntagResource",
        "lambda:TagResource",
        "lambda:UntagResource",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "redshift:CreateTags",
        "redshift:DeleteTags",
        "route53:ChangeTagsForResource",
        "route53domains:DeleteTagsForDomain",
        "route53domains:UpdateTagsForDomain",
        "s3:DeleteJobTagging",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersionTagging",
        "s3:PutBucketTagging",
        "s3:PutJobTagging",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:ReplicateTags",
        "tag:TagResources",
        "tag:UntagResources",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "logs:TagResource",
        "logs:UntagResource",
        "backup:TagResource",
        "backup:UntagResource",
        "cassandra:Alter",
        "cassandra:AlterMultiRegionResource",
        "cassandra:TagResource",
        "cassandra:TagMultiRegionResource",
        "cassandra:UnTagMultiRegionResource",
        "cassandra:UntagResource",
        "codecommit:TagResource",
        "codecommit:UntagResource",
        "cloudtrail:AddTags",
        "cloudtrail:RemoveTags",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "events:TagResource",
        "events:UntagResource",
        "glacier:AddTagsToVault",
        "glacier:RemoveTagsFromVault",
        "glue:TagResource",
        "glue:UntagResource",
        "kafka:TagResource",
        "kafka:UntagResource",
        "timestream:TagResource",
        "timestream:UntagResource",
        "sagemaker:AddTags",
        "sagemaker:DeleteTags",
        "mq:CreateTags",
        "mq:DeleteTags",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource",
        "ses:TagResource",
        "ses:UntagResource",
        "states:TagResource",
        "states:UntagResource",
        "sns:TagResource",
        "sns:UntagResource",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "appflow:TagResource",
        "appflow:UntagResource",
        "wafv2:TagResource",
        "wafv2:UntagResource",
        "elasticmapreduce:AddTags",
        "elasticmapreduce:RemoveTags",
        "emr-containers:TagResource",
        "emr-containers:UntagResource",
        "emr-serverless:TagResource",
        "emr-serverless:UntagResource",
        "bedrock:TagResource",
        "bedrock:UntagResource",
        "memorydb:TagResource",
        "memorydb:UntagResource",
        "elasticbeanstalk:UpdateTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

Policy Read-only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "pricing:*",
        "ce:DescribeCostCategoryDefinition",
        "ce:GetRightsizingRecommendation",
        "ce:GetCostAndUsage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetReservationPurchaseRecommendation",
        "ce:ListCostCategoryDefinitions",
        "ce:GetCostForecast",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetDimensionValues",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetCostAndUsageWithResources",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansCoverage",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "cur:DescribeReportDefinitions",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks",
        "bedrock:GetModelInvocationLoggingConfiguration",
        "bedrock:ListProvisionedModelThroughputs",
        "bedrock:GetProvisionedModelThroughput",
        "bedrock:ListModelCustomizationJobs",
        "bedrock:GetModelCustomizationJob",
        "bedrock:ListCustomModels",
        "bedrock:GetCustomModel",
        "bedrock:ListKnowledgeBases",
        "bedrock:GetKnowledgeBase",
        "bedrock:ListAgents",
        "bedrock:GetAgent",
        "bedrock:ListDataSources",
        "bedrock:GetDataSource",
        "bedrock:ListAgentAliases",
        "bedrock:GetAgentAlias",
        "bedrock:ListAgentVersions",
        "bedrock:GetAgentVersion",
        "bedrock:ListAgentActionGroups",
        "bedrock:GetAgentActionGroup",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListTagsForResource",
        "memorydb:DescribeSnapshots",
        "memorydb:DescribeSubnetGroups",
        "memorydb:DescribeReservedNodes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::%bucket_name%/*"
    }
  ]
}

Step 19

Go back to AWS, select the JSON tab, and paste the policy, replacing %bucket_name% with the name of the S3 bucket you created. Then click Next.

Step 20

Name your policy and scroll down

Step 21

Click Create policy
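Before clicking Create policy, it is worth checking the pasted JSON for two things: a %bucket_name% placeholder left over from step 19, and actions granted on "Resource": "*" that deserve a second look. The script below is an added example, not part of Uniskai's instructions; the watchlist is a reviewer's own choice (an assumption), and the sample document is a constructed excerpt that reuses a few actions from the Read-Write policy above.

```python
import fnmatch
import json
import re

# Reviewer-chosen watchlist (an assumption of this example, not from the page):
# action patterns worth a second look when the statement's Resource is "*".
WATCHLIST = ["iam:*", "kms:Decrypt", "kms:CreateGrant", "*:Delete*", "*:Terminate*"]

def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def review_policy(policy_json, watchlist=WATCHLIST):
    """Return unreplaced %placeholders% and watchlisted actions allowed on '*'."""
    findings = {"unreplaced_placeholders": [], "watchlist_on_wildcard": []}
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        # Step 19: %bucket_name% must be replaced with the real bucket name.
        for res in resources:
            findings["unreplaced_placeholders"] += re.findall(r"%[A-Za-z_-]+%", res)
        if "*" not in resources:
            continue
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive, so compare in lower case.
            if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in watchlist):
                findings["watchlist_on_wildcard"].append(action)
    findings["watchlist_on_wildcard"].sort()
    return findings

# Constructed excerpt: a handful of actions copied from the Read-Write policy.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances", "iam:PassRole",
                "iam:PutRolePolicy", "kms:Decrypt", "pricing:*", "rds:DeleteDBInstance"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::%bucket_name%/*"}
  ]
}"""

if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE), indent=2))
```

Run it against the full policy text you are about to paste; an empty unreplaced_placeholders list means step 19 was completed.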

Step 22

Navigate to Roles on the sidebar and click Create role


Step 23

Choose the AWS account entity, scroll down, and then choose Another AWS account.

Step 24

Get back to Uniskai and find your generated Account ID and External ID

Step 25

Paste your Account ID. Check Require external ID, and paste External ID. Then click Next

Step 26

Type the Policy name created on step 14 in the search bar and check it

Step 27

Type ReadOnlyAccess in the search bar and check it. Then click Next

Step 28

Come up with any Role name and scroll down

Step 29

Click Create role

Step 30

Click View role

Step 31

Copy ARN-role


Step 32

Paste the ARN-role into the Role ARN field in Uniskai. Now you can finally Connect Account.
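The role created in steps 23 to 25 carries a trust policy that names the Account ID as the only principal and requires the External ID on every sts:AssumeRole call. The check below is an added example, not part of Uniskai's instructions: it verifies both properties on a trust policy document. The account ID, the external ID and the three sample documents are constructed; substitute the values shown in Uniskai in step 24.

```python
import json

def check_trust_policy(trust_json, account_id, external_id):
    """Return a list of problems; an empty list means the role can be assumed
    only from `account_id` and only when `external_id` is presented."""
    problems, seen_assume = [], False
    accepted = {account_id, f"arn:aws:iam::{account_id}:root"}
    statements = json.loads(trust_json)["Statement"]
    for stmt in statements if isinstance(statements, list) else [statements]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        seen_assume = True
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in aws if isinstance(aws, list) else [aws]:
            if p not in accepted:
                problems.append(f"unexpected principal: {p}")
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required != external_id:
            problems.append("sts:ExternalId condition missing or different")
    if not seen_assume:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems

def sample_trust(principal, condition):
    """Build a constructed trust policy document for the demonstration."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

# Constructed values; use the Account ID and External ID shown in Uniskai (step 24).
ACCOUNT_ID, EXTERNAL_ID = "111122223333", "constructed-external-id"
ROOT = {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}
REQUIRE_ID = {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}
AS_CREATED = sample_trust(ROOT, REQUIRE_ID)
NO_EXTERNAL_ID = sample_trust(ROOT, None)  # "Require external ID" left unchecked
ANY_PRINCIPAL = sample_trust({"AWS": "*"}, REQUIRE_ID)

if __name__ == "__main__":
    for name in ("AS_CREATED", "NO_EXTERNAL_ID", "ANY_PRINCIPAL"):
        print(name, check_trust_policy(globals()[name], ACCOUNT_ID, EXTERNAL_ID))
```

The role's trust policy is shown on the Trust relationships tab of the role page opened in step 30.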
