Create custom roles and permissions in sub-accounts

If OrganizationAccountAccessRole is missing from your AWS sub-accounts, you may need to create the sub-account roles manually from your terminal.

On Payer Account

Log in to your Payer account from your terminal and run the following command.

  1. Allow the Cloudchipr role in the Root (payer) account to assume the CloudchiprAccountReadAccessRole role in all sub-accounts.

👉 In the command below, please replace <CLOUCHIPR_ROLE_NAME_IN_ROOT_ACCOUNT> with the Cloudchipr Role Name provided by your Cloudchipr account executive.

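# Grants the Cloudchipr role in the payer account permission to assume
# CloudchiprAccountReadAccessRole in the member accounts (each member account's
# role must also trust the payer account; see "On Each Sub-Account" below).
# The Resource ARN wildcards the account ID, so on its own it would match a
# same-named role in any AWS account; the Condition limits the target to roles
# owned by accounts in the caller's own organization. If the assume call is
# denied after this change, check that the sub-account really is a member of
# the payer account's organization.
aws iam put-role-policy \
  --role-name <CLOUCHIPR_ROLE_NAME_IN_ROOT_ACCOUNT> \
  --policy-name AssumeToCloudchiprRoles \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::*:role/CloudchiprAccountReadAccessRole",
        "Condition": {
          "StringEquals": {
            "aws:ResourceOrgID": "${aws:PrincipalOrgID}"
          }
        }
      }
    ]
  }'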

On Each Sub-Account

Log in to each of your sub-accounts from your terminal and run the following two commands.

  1. Create the CloudchiprAccountReadAccessRole in a sub-account.

👉 In the command below, please replace <PAYER_ACCOUNT_ID_HERE> with your AWS Payer account ID.

# Trust policy for the sub-account role. The principal is the payer account
# itself (":root"), so any IAM identity in the payer account that is granted
# sts:AssumeRole on this role's ARN can assume it; which identity actually
# receives that grant is decided by the policy attached on the payer side.
# The principal could be narrowed to
# arn:aws:iam::<PAYER_ACCOUNT_ID_HERE>:role/<CLOUCHIPR_ROLE_NAME_IN_ROOT_ACCOUNT>,
# but IAM rewrites a role ARN in a trust policy to the role's unique ID if that
# role is ever deleted and recreated, so the trust would then need re-applying.
trust_policy=$(cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<PAYER_ACCOUNT_ID_HERE>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
)

aws iam create-role \
  --role-name CloudchiprAccountReadAccessRole \
  --assume-role-policy-document "$trust_policy"
  2. Attach the read policy to the CloudchiprAccountReadAccessRole role.
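# Inline permissions policy for CloudchiprAccountReadAccessRole. Every action is
# allowed on Resource "*" (account-wide). Most entries are Describe/Get/List
# metadata reads, but a few go further and deserve a conscious decision before
# pasting:
#   - ce:StartCostAllocationTagBackfill and ce:UpdateCostAllocationTagsStatus
#     modify cost-allocation tag settings (write actions, not reads).
#   - eks:AccessKubernetesApi, sagemaker:InvokeEndpoint/InvokeEndpointAsync,
#     forecast:InvokeForecastEndpoint and es:ESHttpGet/ESHttpHead reach the
#     service data planes rather than the control plane.
#   - logs:Unmask reveals log data that CloudWatch Logs data protection masked.
#   - s3:Get* covers GetObject (object contents, not only bucket metadata);
#     dynamodb:Get*/BatchGet* and kinesis:Get* likewise return stored records.
# NOTE(review): aws-portal:* are the legacy billing-console permissions; accounts
# on the fine-grained billing permissions ignore them and rely on the billing:/
# ce:/cur:/freetier: entries below — confirm which applies to your account.
# The action list is kept in alphabetical order with each action listed once.
aws iam put-role-policy \
  --role-name CloudchiprAccountReadAccessRole \
  --policy-name CloudchiprReadPolicy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "account:Get*",
                "account:List*",
                "aoss:BatchGet*",
                "aoss:Get*",
                "aoss:List*",
                "application-autoscaling:Describe*",
                "application-cost-profiler:Get*",
                "application-cost-profiler:List*",
                "applicationinsights:Describe*",
                "applicationinsights:List*",
                "arc-zonal-shift:Get*",
                "arc-zonal-shift:List*",
                "athena:BatchGet*",
                "athena:Get*",
                "athena:List*",
                "autoscaling-plans:Describe*",
                "autoscaling-plans:Get*",
                "autoscaling:Describe*",
                "autoscaling:Get*",
                "aws-portal:Get*",
                "aws-portal:View*",
                "backup:List*",
                "bcm-data-exports:Get*",
                "bcm-data-exports:List*",
                "billing:Get*",
                "billing:List*",
                "billingconductor:List*",
                "budgets:Describe*",
                "budgets:View*",
                "ce:Describe*",
                "ce:Get*",
                "ce:List*",
                "ce:StartCostAllocationTagBackfill",
                "ce:UpdateCostAllocationTagsStatus",
                "cloudformation:BatchDescribe*",
                "cloudformation:Describe*",
                "cloudformation:Detect*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:ValidateTemplate",
                "cloudfront:Describe*",
                "cloudfront:Get*",
                "cloudfront:List*",
                "cloudsearch:Describe*",
                "cloudsearch:List*",
                "cloudtrail:Describe*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudtrail:Lookup*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "compute-optimizer:Describe*",
                "compute-optimizer:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "cur:Describe*",
                "cur:Get*",
                "cur:ValidateReportDestination",
                "dax:BatchGet*",
                "dax:ConditionCheckItem",
                "dax:Describe*",
                "dax:Get*",
                "dax:List*",
                "docdb-elastic:Get*",
                "docdb-elastic:List*",
                "drs:Describe*",
                "drs:Get*",
                "drs:List*",
                "dynamodb:BatchGet*",
                "dynamodb:ConditionCheck*",
                "dynamodb:Describe*",
                "dynamodb:Get*",
                "dynamodb:List*",
                "ebs:Get*",
                "ebs:List*",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:List*",
                "ec2:Search*",
                "ec2messages:Get*",
                "ecr-public:BatchCheckLayerAvailability",
                "ecr-public:Describe*",
                "ecr-public:Get*",
                "ecr-public:List*",
                "ecs:Describe*",
                "ecs:Get*",
                "ecs:List*",
                "eks:AccessKubernetesApi",
                "eks:Describe*",
                "eks:List*",
                "elastic-inference:Describe*",
                "elastic-inference:List*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticloadbalancing:Describe*",
                "es:Describe*",
                "es:ESCrossClusterGet",
                "es:ESHttpGet",
                "es:ESHttpHead",
                "es:Get*",
                "es:List*",
                "events:Describe*",
                "events:List*",
                "events:TestEventPattern",
                "evidently:Get*",
                "evidently:List*",
                "evidently:TestSegmentPattern",
                "forecast:Describe*",
                "forecast:Get*",
                "forecast:InvokeForecastEndpoint",
                "forecast:List*",
                "freetier:Get*",
                "glacier:Describe*",
                "glacier:Get*",
                "glacier:List*",
                "glue:BatchGet*",
                "glue:CheckSchemaVersionValidity",
                "glue:Get*",
                "glue:List*",
                "grafana:Describe*",
                "grafana:List*",
                "iam:ListAccountAliases",
                "imagebuilder:Get*",
                "imagebuilder:List*",
                "kafka-cluster:Describe*",
                "kafka:Describe*",
                "kafka:Get*",
                "kafka:List*",
                "kafkaconnect:Describe*",
                "kafkaconnect:List*",
                "kinesis:Describe*",
                "kinesis:Get*",
                "kinesis:List*",
                "kinesisanalytics:Describe*",
                "kinesisanalytics:DiscoverInputSchema",
                "kinesisanalytics:Get*",
                "kinesisanalytics:List*",
                "kinesisvideo:Describe*",
                "kinesisvideo:Get*",
                "kinesisvideo:List*",
                "kms:Describe*",
                "kms:List*",
                "lakeformation:Describe*",
                "lakeformation:Get*",
                "lakeformation:List*",
                "lambda:Get*",
                "lambda:List*",
                "logs:Describe*",
                "logs:FilterLogEvents",
                "logs:Get*",
                "logs:List*",
                "logs:TestMetricFilter",
                "logs:Unmask",
                "machinelearning:Describe*",
                "machinelearning:Get*",
                "memorydb:Describe*",
                "memorydb:List*",
                "notifications:Get*",
                "notifications:List*",
                "organizations:Describe*",
                "organizations:List*",
                "osis:Get*",
                "osis:List*",
                "osis:ValidatePipeline",
                "pipes:Describe*",
                "pipes:List*",
                "pricing:Describe*",
                "pricing:Get*",
                "pricing:List*",
                "qldb:Describe*",
                "qldb:Get*",
                "qldb:List*",
                "quicksight:Describe*",
                "quicksight:Get*",
                "quicksight:List*",
                "rds:Describe*",
                "rds:List*",
                "redshift-data:Describe*",
                "redshift-data:Get*",
                "redshift-data:List*",
                "redshift-serverless:Get*",
                "redshift-serverless:List*",
                "resource-explorer-2:BatchGet*",
                "resource-explorer-2:Get*",
                "resource-explorer-2:List*",
                "resource-explorer:List*",
                "resource-groups:Get*",
                "resource-groups:List*",
                "route53-recovery-cluster:Get*",
                "route53-recovery-cluster:List*",
                "route53-recovery-control-config:Describe*",
                "route53-recovery-control-config:List*",
                "route53-recovery-readiness:Get*",
                "route53-recovery-readiness:List*",
                "route53:Get*",
                "route53:List*",
                "route53:TestDNSAnswer",
                "route53domains:CheckDomainAvailability",
                "route53domains:CheckDomainTransferability",
                "route53domains:Get*",
                "route53domains:List*",
                "route53domains:View*",
                "route53resolver:Get*",
                "route53resolver:List*",
                "rum:BatchGet*",
                "rum:Get*",
                "rum:List*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*",
                "s3-outposts:Get*",
                "s3-outposts:List*",
                "s3:Describe*",
                "s3:Get*",
                "s3:List*",
                "sagemaker-geospatial:Get*",
                "sagemaker-geospatial:List*",
                "sagemaker-groundtruth-synthetic:Get*",
                "sagemaker-groundtruth-synthetic:List*",
                "sagemaker:BatchDescribe*",
                "sagemaker:BatchGet*",
                "sagemaker:Describe*",
                "sagemaker:Get*",
                "sagemaker:InvokeEndpoint",
                "sagemaker:InvokeEndpointAsync",
                "sagemaker:List*",
                "sagemaker:RenderUiTemplate",
                "savingsplans:Describe*",
                "savingsplans:List*",
                "scheduler:Get*",
                "scheduler:List*",
                "schemas:Describe*",
                "schemas:Get*",
                "schemas:List*",
                "sdb:DomainMetadata",
                "sdb:Get*",
                "sdb:List*",
                "servicecatalog:Describe*",
                "servicecatalog:Get*",
                "servicecatalog:List*",
                "servicequotas:Get*",
                "servicequotas:List*",
                "ses:BatchGetMetricData",
                "ses:Describe*",
                "ses:Get*",
                "ses:List*",
                "snowball:Describe*",
                "snowball:Get*",
                "snowball:List*",
                "sns:Get*",
                "sns:List*",
                "sqlworkbench:BatchGet*",
                "sqlworkbench:Get*",
                "sqlworkbench:List*",
                "sqs:Get*",
                "sqs:List*",
                "storagegateway:Describe*",
                "storagegateway:List*",
                "synthetics:Describe*",
                "synthetics:Get*",
                "synthetics:List*",
                "tag:Describe*",
                "tag:Get*",
                "timestream:Describe*",
                "timestream:Get*",
                "timestream:List*",
                "transfer:Describe*",
                "transfer:List*",
                "transfer:TestIdentityProvider",
                "trustedadvisor:Describe*",
                "trustedadvisor:Get*",
                "trustedadvisor:List*",
                "wellarchitected:Get*",
                "wellarchitected:List*"
            ],
            "Resource": "*"
        }
    ]
}'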