Create custom roles and permissions in sub-accounts
When the OrganizationAccountAccessRole is missing from AWS sub-accounts, users may need to create the sub-account roles manually from their terminal.
On Payer Account
Log in to your Payer account from your terminal and run the following command:
- Allow the Cloudchipr role in the Root (Payer) account to assume the CloudchiprAccountReadAccessRole role in all sub-accounts.
👉 In the command below, please replace <CLOUCHIPR_ROLE_NAME_IN_ROOT_ACCOUNT>
with the Cloudchipr Role Name provided by your Cloudchipr account executive.
# Attach an inline policy to the Cloudchipr role in the Payer account so that
# the role may call sts:AssumeRole on CloudchiprAccountReadAccessRole in the
# sub-accounts.
# Replace the whole <CLOUCHIPR_ROLE_NAME_IN_ROOT_ACCOUNT> token, angle
# brackets included: if it is left as-is, the shell parses "<" and ">" as
# input/output redirections instead of passing a role name to the CLI.
# NOTE(review): the Resource uses "*" in the account-ID position, so the
# Cloudchipr role is allowed to assume a role of that name in any account
# whose trust policy accepts this Payer account, not only in this
# organization's sub-accounts — confirm that scope is intended.
aws iam put-role-policy \
--role-name <CLOUCHIPR_ROLE_NAME_IN_ROOT_ACCOUNT> \
--policy-name AssumeToCloudchiprRoles \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/CloudchiprAccountReadAccessRole"
}
]
}'
On Each Sub-Account
Log in to each of your sub-accounts from your terminal and run the following two commands:
- Create the CloudchiprAccountReadAccessRole in a sub-account.
👉 In the command below, please replace <PAYER_ACCOUNT_ID_HERE>
with your AWS Payer account ID.
# Create the role that the Payer account will assume in this sub-account.
# Replace the whole <PAYER_ACCOUNT_ID_HERE> token, angle brackets included;
# the trust policy is a single-quoted argument, so the shell does not expand
# anything inside it.
# NOTE(review): the Principal is the Payer account root
# ("arn:aws:iam::<PAYER_ACCOUNT_ID_HERE>:root"). That trusts every IAM
# principal in the Payer account that itself holds sts:AssumeRole permission
# on this role, not only the Cloudchipr role. For least privilege, consider
# naming the ARN of that specific role as the Principal instead.
aws iam create-role --role-name CloudchiprAccountReadAccessRole --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<PAYER_ACCOUNT_ID_HERE>:root"
},
"Action": "sts:AssumeRole"
}
]
}'
- Attach the read policy to the CloudchiprAccountReadAccessRole role.
# Attach the permissions Cloudchipr uses in this sub-account as an inline
# policy. Nearly every entry is a Describe*/Get*/List* wildcard, all on
# Resource "*".
# NOTE(review): despite the policy name, some actions are not read-only or
# reach beyond metadata: ce:StartCostAllocationTagBackfill and
# ce:UpdateCostAllocationTagsStatus modify cost-allocation tag state;
# eks:AccessKubernetesApi, forecast:InvokeForecastEndpoint,
# sagemaker:InvokeEndpoint, sagemaker:InvokeEndpointAsync and logs:Unmask
# are data-plane or unmasking actions; and wildcards such as s3:Get*,
# dynamodb:Get*, kinesis:Get*, logs:Get*/logs:FilterLogEvents and ec2:Get*
# (which covers ec2:GetPasswordData) also return object, item, record, log
# and credential data rather than descriptions only. Confirm with Cloudchipr
# which of these the integration actually needs before granting them.
# The ce:Describe*/ce:Get*/ce:List* entries appear twice in the list; the
# duplicate is harmless for IAM but can be removed.
aws iam put-role-policy --role-name CloudchiprAccountReadAccessRole --policy-name CloudchiprReadPolicy --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"account:Get*",
"account:List*",
"aoss:BatchGet*",
"aoss:Get*",
"aoss:List*",
"application-autoscaling:Describe*",
"application-cost-profiler:Get*",
"application-cost-profiler:List*",
"applicationinsights:Describe*",
"applicationinsights:List*",
"arc-zonal-shift:Get*",
"arc-zonal-shift:List*",
"athena:BatchGet*",
"athena:Get*",
"athena:List*",
"autoscaling-plans:Describe*",
"autoscaling-plans:Get*",
"autoscaling:Describe*",
"autoscaling:Get*",
"aws-portal:Get*",
"aws-portal:View*",
"billing:Get*",
"billing:List*",
"billingconductor:List*",
"budgets:Describe*",
"budgets:View*",
"ce:Describe*",
"ce:Get*",
"ce:List*",
"cloudformation:BatchDescribe*",
"cloudformation:Describe*",
"cloudformation:Detect*",
"cloudformation:EstimateTemplateCost",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:ValidateTemplate",
"cloudfront:Describe*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudsearch:Describe*",
"cloudsearch:List*",
"cloudtrail:Describe*",
"cloudtrail:Get*",
"cloudtrail:List*",
"cloudtrail:Lookup*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"compute-optimizer:Describe*",
"compute-optimizer:Get*",
"consolidatedbilling:Get*",
"consolidatedbilling:List*",
"cur:Describe*",
"cur:Get*",
"cur:ValidateReportDestination",
"bcm-data-exports:List*",
"bcm-data-exports:Get*",
"ce:Get*",
"ce:Describe*",
"ce:List*",
"ce:StartCostAllocationTagBackfill",
"ce:UpdateCostAllocationTagsStatus",
"dax:BatchGet*",
"dax:ConditionCheckItem",
"dax:Describe*",
"dax:Get*",
"dax:List*",
"docdb-elastic:Get*",
"docdb-elastic:List*",
"drs:Describe*",
"drs:Get*",
"drs:List*",
"dynamodb:BatchGet*",
"dynamodb:ConditionCheck*",
"dynamodb:Describe*",
"dynamodb:Get*",
"dynamodb:List*",
"ebs:Get*",
"ebs:List*",
"ec2:Describe*",
"ec2:Get*",
"ec2:List*",
"ec2:Search*",
"ec2messages:Get*",
"ecr-public:BatchCheckLayerAvailability",
"ecr-public:Describe*",
"ecr-public:Get*",
"ecr-public:List*",
"ecs:Describe*",
"ecs:Get*",
"ecs:List*",
"eks:AccessKubernetesApi",
"eks:Describe*",
"eks:List*",
"elastic-inference:Describe*",
"elastic-inference:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticloadbalancing:Describe*",
"es:Describe*",
"es:ESCrossClusterGet",
"es:ESHttpGet",
"es:ESHttpHead",
"es:Get*",
"es:List*",
"events:Describe*",
"events:List*",
"events:TestEventPattern",
"evidently:Get*",
"evidently:List*",
"evidently:TestSegmentPattern",
"forecast:Describe*",
"forecast:Get*",
"forecast:InvokeForecastEndpoint",
"forecast:List*",
"freetier:Get*",
"glacier:Describe*",
"glacier:Get*",
"glacier:List*",
"glue:BatchGet*",
"glue:CheckSchemaVersionValidity",
"glue:Get*",
"glue:List*",
"grafana:Describe*",
"grafana:List*",
"iam:ListAccountAliases",
"imagebuilder:Get*",
"imagebuilder:List*",
"kafka-cluster:Describe*",
"kafka:Describe*",
"kafka:Get*",
"kafka:List*",
"kafkaconnect:Describe*",
"kafkaconnect:List*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"kinesisanalytics:Describe*",
"kinesisanalytics:DiscoverInputSchema",
"kinesisanalytics:Get*",
"kinesisanalytics:List*",
"kinesisvideo:Describe*",
"kinesisvideo:Get*",
"kinesisvideo:List*",
"kms:Describe*",
"kms:List*",
"lakeformation:Describe*",
"lakeformation:Get*",
"lakeformation:List*",
"lambda:Get*",
"lambda:List*",
"logs:Describe*",
"logs:FilterLogEvents",
"logs:Get*",
"logs:List*",
"logs:TestMetricFilter",
"logs:Unmask",
"machinelearning:Describe*",
"machinelearning:Get*",
"memorydb:Describe*",
"memorydb:List*",
"notifications:Get*",
"notifications:List*",
"organizations:Describe*",
"organizations:List*",
"osis:Get*",
"osis:List*",
"osis:ValidatePipeline",
"pipes:Describe*",
"pipes:List*",
"pricing:Describe*",
"pricing:Get*",
"pricing:List*",
"qldb:Describe*",
"qldb:Get*",
"qldb:List*",
"quicksight:Describe*",
"quicksight:Get*",
"quicksight:List*",
"rds:Describe*",
"rds:List*",
"redshift-data:Describe*",
"redshift-data:Get*",
"redshift-data:List*",
"redshift-serverless:Get*",
"redshift-serverless:List*",
"resource-explorer-2:BatchGet*",
"resource-explorer-2:Get*",
"resource-explorer-2:List*",
"resource-explorer:List*",
"resource-groups:Get*",
"resource-groups:List*",
"route53-recovery-cluster:Get*",
"route53-recovery-cluster:List*",
"route53-recovery-control-config:Describe*",
"route53-recovery-control-config:List*",
"route53-recovery-readiness:Get*",
"route53-recovery-readiness:List*",
"route53:Get*",
"route53:List*",
"route53:TestDNSAnswer",
"route53domains:CheckDomainAvailability",
"route53domains:CheckDomainTransferability",
"route53domains:Get*",
"route53domains:List*",
"route53domains:View*",
"route53resolver:Get*",
"route53resolver:List*",
"rum:BatchGet*",
"rum:Get*",
"rum:List*",
"s3-object-lambda:Get*",
"s3-object-lambda:List*",
"s3-outposts:Get*",
"s3-outposts:List*",
"s3:Describe*",
"s3:Get*",
"s3:List*",
"sagemaker-geospatial:Get*",
"sagemaker-geospatial:List*",
"sagemaker-groundtruth-synthetic:Get*",
"sagemaker-groundtruth-synthetic:List*",
"sagemaker:BatchDescribe*",
"sagemaker:BatchGet*",
"sagemaker:Describe*",
"sagemaker:Get*",
"sagemaker:InvokeEndpoint",
"sagemaker:InvokeEndpointAsync",
"sagemaker:List*",
"sagemaker:RenderUiTemplate",
"savingsplans:Describe*",
"savingsplans:List*",
"scheduler:Get*",
"scheduler:List*",
"schemas:Describe*",
"schemas:Get*",
"schemas:List*",
"sdb:DomainMetadata",
"sdb:Get*",
"sdb:List*",
"servicecatalog:Describe*",
"servicecatalog:Get*",
"servicecatalog:List*",
"servicequotas:Get*",
"servicequotas:List*",
"ses:BatchGetMetricData",
"ses:Describe*",
"ses:Get*",
"ses:List*",
"snowball:Describe*",
"snowball:Get*",
"snowball:List*",
"sns:Get*",
"sns:List*",
"sqlworkbench:BatchGet*",
"sqlworkbench:Get*",
"sqlworkbench:List*",
"sqs:Get*",
"sqs:List*",
"storagegateway:Describe*",
"storagegateway:List*",
"synthetics:Describe*",
"synthetics:Get*",
"synthetics:List*",
"tag:Describe*",
"tag:Get*",
"timestream:Describe*",
"timestream:Get*",
"timestream:List*",
"transfer:Describe*",
"transfer:List*",
"transfer:TestIdentityProvider",
"trustedadvisor:Describe*",
"trustedadvisor:Get*",
"trustedadvisor:List*",
"wellarchitected:Get*",
"wellarchitected:List*",
"backup:List*"
],
"Resource": "*"
}
]
}'