Skip to main content
All CollectionsAdding an account to UniskaiAdd AWS Account
Adding an AWS Read/Write account with a Manual Connection
Adding an AWS Read/Write account with a Manual Connection

Learn how to add an AWS read write account with a manual connection

Updated this week

Step 1

Skip to Step 4 if you came to this guide from the Cross-account role connection page.

Navigate to the ‘Account manager’ tab.

Your Account Manager menu will look like the picture below if you don't have any accounts. Click the ‘Add environment’ button.

Your Account Manager menu will display differently if you already have some accounts. Click the ‘Add environment’ button.

Choose AWS cloud service.

Step 2

Select ‘Cross Account Role.’

Step 3

You will be directed to the ‘Cross-account role connection’ page.

Step 4

In the first field, enter an Account name. You can use a specific name (up to 32 characters) or leave it as the default ‘AWS.’

Step 5

Choose the Access type (The selected type will be marked with a white dot on a blue background):

  • Read/write: This allows you to use all functions, such as converting to spot, scheduling resources, removing unused resources, and rightsizing your resources.

  • Read-only: This only lets you view your resources and possible actions, without the ability to use the main functionality.

In this case, we select the Read/Write access type

Step 6

Select the Connection type (The selected type will be marked with a white dot on a blue background):

  • CloudFormation stack: The ARN role is automatically created by the CloudFormation stack.

  • Manual: You'll manually create a role using the External ID and Account ID.

In this case, we select the Manual connection type

Do not refresh this page during account connection! It will change the External ID!

Step 7

Login to AWS Console.


Step 8

In the search field type Cost and Usage Reports and click.

Step 9

After the page is loaded, click on the button Create report.

Step 10

Name your report, check to Include resource IDs and Refresh automatically boxes. Then click Next.

You can enter any name but with our prefix. Example: "psl-cur-{new-report}".

The part in {bold} can be changed

Step 11

Click Configure.


Step 12

Name S3 as psl-cur-%AWS-account-id% (paste your account ID instead of %AWS-account-id%), and select the region where you want to save the S3 bucket.

Step 13

Check the box The following default policy will be applied to your bucket and click Save.

Step 14

Name the S3 path prefix as psl-cur, and check the Overwrite existing report Radio button. Then check the Amazon Athena box and click Next.

Step 15

Scroll to the bottom of the page and click Create Report.

Step 16

Go back to Uniskai and click on the Open AWS CONSOLE button.

Step 17

Navigate to Policies on the sidebar and click Create policy.


Policy Read-Write

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "VisualEditor0",

"Effect": "Allow",

"Action": [

"application-autoscaling:RegisterScalableTarget",

"autoscaling:CreateLaunchConfiguration",

"autoscaling:DeleteLaunchConfiguration",

"autoscaling:DescribeAutoScalingGroups",

"autoscaling:UpdateAutoScalingGroup",

"bedrock:GetAgent",

"bedrock:GetAgentActionGroup",

"bedrock:GetAgentAlias",

"bedrock:GetAgentVersion",

"bedrock:GetCustomModel",

"bedrock:GetDataSource",

"bedrock:GetKnowledgeBase",

"bedrock:GetModelCustomizationJob",

"bedrock:GetModelInvocationLoggingConfiguration",

"bedrock:GetProvisionedModelThroughput",

"bedrock:ListAgentActionGroups",

"bedrock:ListAgentAliases",

"bedrock:ListAgentKnowledgeBases",

"bedrock:ListAgentVersions",

"bedrock:ListAgents",

"bedrock:ListCustomModels",

"bedrock:ListDataSources",

"bedrock:ListKnowledgeBases",

"bedrock:ListModelCustomizationJobs",

"bedrock:ListProvisionedModelThroughputs",

"bedrock:ListTagsForResource",

"ce:DescribeCostCategoryDefinition",

"ce:GetCostAndUsage",

"ce:GetCostAndUsageWithResources",

"ce:GetCostForecast",

"ce:GetDimensionValues",

"ce:GetReservationCoverage",

"ce:GetReservationPurchaseRecommendation",

"ce:GetReservationUtilization",

"ce:GetRightsizingRecommendation",

"ce:GetSavingsPlansCoverage",

"ce:GetSavingsPlansPurchaseRecommendation",

"ce:GetSavingsPlansUtilization",

"ce:GetSavingsPlansUtilizationDetails",

"ce:GetTags",

"ce:GetUsageForecast",

"ce:ListCostCategoryDefinitions",

"cloudformation:UpdateStack",

"compute-optimizer:GetEBSVolumeRecommendations",

"compute-optimizer:GetEnrollmentStatus",

"compute-optimizer:GetLambdaFunctionRecommendations",

"compute-optimizer:UpdateEnrollmentStatus",

"cur:DescribeReportDefinitions",

"ebs:ListChangedBlocks",

"ebs:ListSnapshotBlocks",

"ec2:AttachVolume",

"ec2:CancelSpotInstanceRequests",

"ec2:CreateImage",

"ec2:CreateLaunchTemplate",

"ec2:CreateRoute",

"ec2:CreateSnapshot",

"ec2:CreateSnapshots",

"ec2:CreateTags",

"ec2:CreateVolume",

"ec2:DeleteSnapshot",

"ec2:DeleteVolume",

"ec2:DeregisterImage",

"ec2:DescribeImages",

"ec2:DescribeInstances",

"ec2:DescribeLaunchTemplateVersions",

"ec2:DescribeLaunchTemplates",

"ec2:DescribeRouteTables",

"ec2:DescribeSnapshots",

"ec2:DescribeSpotInstanceRequests",

"ec2:DescribeSpotPriceHistory",

"ec2:DescribeVolumes",

"ec2:DetachVolume",

"ec2:GetLaunchTemplateData",

"ec2:ModifyInstanceAttribute",

"ec2:ModifyNetworkInterfaceAttribute",

"ec2:ModifyVolume",

"ec2:PurchaseReservedInstancesOffering",

"ec2:ReleaseAddress",

"ec2:RequestSpotInstances",

"ec2:RunInstances",

"ec2:StartInstances",

"ec2:StopInstances",

"ec2:TerminateInstances",

"ecs:DeleteService",

"ecs:RegisterTaskDefinition",

"ecs:UpdateContainerInstancesState",

"ecs:UpdateService",

"eks:CreateNodegroup",

"eks:DeleteNodegroup",

"eks:DescribeNodegroup",

"eks:ListClusters",

"eks:UpdateNodegroupConfig",

"elasticache:PurchaseReservedCacheNodesOffering",

"elasticloadbalancing:DeregisterTargets",

"elasticloadbalancing:DescribeInstanceHealth",

"elasticloadbalancing:DescribeLoadBalancers",

"elasticloadbalancing:DescribeTargetGroups",

"elasticloadbalancing:DescribeTargetHealth",

"elasticloadbalancing:ModifyTargetGroup",

"elasticloadbalancing:RegisterInstancesWithLoadBalancer",

"elasticloadbalancing:RegisterTargets",

"es:PurchaseReservedElasticsearchInstanceOffering",

"es:PurchaseReservedInstanceOffering",

"iam:CreateServiceLinkedRole",

"iam:PassRole",

"iam:PutRolePolicy",

"kms:CreateGrant",

"kms:Decrypt",

"kms:Encrypt",

"kms:GenerateDataKey*",

"kms:ReEncrypt*",

"lambda:DeleteFunction",

"lambda:DeleteProvisionedConcurrencyConfig",

"lambda:GetFunction",

"lambda:GetPolicy",

"lambda:GetProvisionedConcurrencyConfig",

"lambda:ListTags",

"lambda:PublishVersion",

"lambda:PutProvisionedConcurrencyConfig",

"lambda:UpdateAlias",

"lambda:UpdateFunctionCode",

"lambda:UpdateFunctionConfiguration",

"logs:DeleteLogGroup",

"memorydb:DescribeReservedNodes",

"memorydb:DescribeReservedNodesOfferings",

"memorydb:DescribeSnapshots",

"memorydb:DescribeSubnetGroups",

"memorydb:PurchaseReservedNodesOffering",

"pricing:*",

"rds:DeleteDBInstance",

"rds:DescribeDBInstances",

"rds:PurchaseReservedDBInstancesOffering",

"rds:StartDBCluster",

"rds:StartDBInstance",

"rds:StopDBCluster",

"rds:StopDBInstance",

"rds:ModifyDBInstance",

"redshift:DescribeClusters",

"redshift:PauseCluster",

"redshift:PurchaseReservedNodeOffering",

"redshift:ResumeCluster",

"sagemaker:StartNotebookInstance",

"sagemaker:StopNotebookInstance",

"savingsplans:CreateSavingsPlan",

"elasticache:ModifyReplicationGroup",

"es:UpdateDomainConfig"

],

"Resource": "*"

},

{

"Effect": "Allow",

"Action": [

"s3:GetObject"

],

"Resource": "arn:aws:s3:::%bucket_name%/*"

}

]

}

Policy Tagging

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "VisualEditor0",

"Effect": "Allow",

"Action": [

"acm:AddTagsToCertificate",

"acm:RemoveTagsFromCertificate",

"apigateway:DELETE",

"apigateway:POST",

"appmesh:TagResource",

"appmesh:UntagResource",

"autoscaling:CreateOrUpdateTags",

"autoscaling:DeleteTags",

"cloudfront:TagResource",

"cloudfront:UntagResource",

"cloudwatch:TagResource",

"cloudwatch:UntagResource",

"cognito-identity:TagResource",

"cognito-identity:UntagResource",

"ec2:CreateTags",

"ec2:DeleteTags",

"ecr:TagResource",

"ecr:UntagResource",

"ecs:TagResource",

"ecs:UntagResource",

"eks:TagResource",

"eks:UntagResource",

"elasticache:AddTagsToResource",

"elasticache:RemoveTagsFromResource",

"elasticbeanstalk:AddTags",

"elasticbeanstalk:RemoveTags",

"elasticfilesystem:CreateTags",

"elasticfilesystem:DeleteTags",

"elasticfilesystem:TagResource",

"elasticfilesystem:UntagResource",

"elasticloadbalancing:AddTags",

"elasticloadbalancing:RemoveTags",

"es:AddTags",

"es:RemoveTags",

"fsx:TagResource",

"fsx:UntagResource",

"iam:TagRole",

"iam:TagUser",

"iam:UntagRole",

"iam:UntagUser",

"kinesis:AddTagsToStream",

"kinesis:RemoveTagsFromStream",

"kms:TagResource",

"kms:UntagResource",

"lambda:TagResource",

"lambda:UntagResource",

"rds:AddTagsToResource",

"rds:RemoveTagsFromResource",

"redshift:CreateTags",

"redshift:DeleteTags",

"route53:ChangeTagsForResource",

"route53domains:DeleteTagsForDomain",

"route53domains:UpdateTagsForDomain",

"s3:DeleteJobTagging",

"s3:DeleteObjectTagging",

"s3:DeleteObjectVersionTagging",

"s3:PutBucketTagging",

"s3:PutJobTagging",

"s3:PutObjectTagging",

"s3:PutObjectVersionTagging",

"s3:ReplicateTags",

"tag:TagResources",

"tag:UntagResources",

"ec2:DeleteVolume",

"ec2:DeregisterImage",

"logs:TagResource",

"logs:UntagResource",

"backup:TagResource",

"backup:UntagResource",

"cassandra:Alter",

"cassandra:AlterMultiRegionResource",

"cassandra:TagResource",

"cassandra:TagMultiRegionResource",

"cassandra:UnTagMultiRegionResource",

"cassandra:UntagResource",

"codecommit:TagResource",

"codecommit:UntagResource",

"cloudtrail:AddTags",

"cloudtrail:RemoveTags",

"dynamodb:TagResource",

"dynamodb:UntagResource",

"events:TagResource",

"events:UntagResource",

"glacier:AddTagsToVault",

"glacier:RemoveTagsFromVault",

"glue:TagResource",

"glue:UntagResource",

"kafka:TagResource",

"kafka:UntagResource",

"timestream:TagResource",

"timestream:UntagResource",

"sagemaker:AddTags",

"sagemaker:DeleteTags",

"mq:CreateTags",

"mq:DeleteTags",

"secretsmanager:TagResource",

"secretsmanager:UntagResource",

"ses:TagResource",

"ses:UntagResource",

"states:TagResource",

"states:UntagResource",

"sns:TagResource",

"sns:UntagResource",

"sqs:TagQueue",

"sqs:UntagQueue",

"appflow:TagResource",

"appflow:UntagResource",

"wafv2:TagResource",

"wafv2:UntagResource",

"elasticmapreduce:AddTags",

"elasticmapreduce:RemoveTags",

"emr-containers:TagResource",

"emr-containers:UntagResource",

"emr-serverless:TagResource",

"emr-serverless:UntagResource",

"bedrock:TagResource",

"bedrock:UntagResource",

"memorydb:TagResource",

"memorydb:UntagResource",

"elasticbeanstalk:UpdateTagsForResource"

],

"Resource": "*"

}

]

}

Step 18

Get back to AWS select the JSON tab and paste the policy below, instead of
%bucket_name% enter the created S3 bucket name. Then click Next.

Step 19

Name your policy and scroll down.

Step 20

Click Create policy.

Step 21

Navigate to Roles on the sidebar and click Create role.


Step 22

Choose the AWS account entity and scroll down after that choose Another AWS account.

Step 23

Get back to Uniskai and find your generated Account ID and External ID.

Step 24

Paste your Account ID. Check Require external ID, and paste the External ID. Then click Next.

Step 25

Type the Policy name created on step 14 in the search bar and check it.

Step 26

Type ReadOnlyAccess in the search bar and check it. Then click Next.

Step 27

Come up with any Role name and scroll down.

Step 28

Click Create role.

Step 29

Click View role.

Step 30

Copy ARN-role .


Step 31

Paste ARN-role on Role ARN field in Uniskai. Now you can finally press the Connect Account.

Did this answer your question?