Cross Account Role

Setting up and Connecting Your AWS Account

Connecting your AWS account is quick and should take about 10 minutes if you have the required permissions. While we strive to keep our documentation current, AWS may occasionally update their process or UI. If you notice any discrepancies, please contact us at support[at]hava.io.

Prefer a video walkthrough? You can watch it here.


How to create a Cross Account Role

From the Hava Environments screen, select "Add Environments":


Create your IAM policy

Log in to your AWS Console

In a separate browser tab, log in to your AWS Console.

  1. Navigate to IAM > Policies to create a new policy that your Hava Cross-Account role can use

  2. Click "Create Policy"

  3. Select the JSON tab

Paste the following JSON policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListCertificates",
        "apigateway:GET",
        "appstream:Get*",
        "appsync:GetApiCache",
        "appsync:ListApiKeys",
        "appsync:ListDataSources",
        "appsync:ListDomainNames",
        "appsync:ListFunctions",
        "appsync:ListGraphqlApis",
        "appsync:ListResolvers",
        "appsync:ListSourceApiAssociations",
        "appsync:ListTagsForResource",
        "appsync:ListTypes",
        "autoscaling:Describe*",
        "cloudformation:List*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudsearch:Describe*",
        "cloudsearch:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:List*",
        "codedeploy:Batch*",
        "codedeploy:Get*",
        "codedeploy:List*",
        "config:Deliver*",
        "config:Describe*",
        "config:Get*",
        "datapipeline:DescribeObjects",
        "datapipeline:DescribePipelines",
        "datapipeline:EvaluateExpression",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ListPipelines",
        "datapipeline:QueryObjects",
        "datapipeline:ValidatePipelineDefinition",
        "directconnect:Describe*",
        "ds:Check*",
        "ds:Describe*",
        "ds:Get*",
        "ds:List*",
        "ds:Verify*",
        "dynamodb:DescribeGlobalTable",
        "dynamodb:DescribeTable",
        "dynamodb:ListGlobalTables",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:GetConsoleOutput",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "elastictranscoder:List*",
        "elastictranscoder:Read*",
        "es:DescribeDomain",
        "es:DescribeDomainNodes",
        "es:DescribeDomains",
        "es:DescribeElasticsearchDomain",
        "es:DescribeElasticsearchDomainConfig",
        "es:DescribeElasticsearchDomains",
        "es:DescribeReservedElasticsearchInstances",
        "es:DescribeVpcEndpoints",
        "es:ESHttpGet",
        "es:ESHttpHead",
        "es:ListDomainNames",
        "es:ListTags",
        "es:ListVpcEndpointAccess",
        "es:ListVpcEndpoints",
        "es:ListVpcEndpointsForDomain",
        "events:DescribeApiDestination",
        "events:DescribeArchive",
        "events:DescribeConnection",
        "events:DescribeEndpoint",
        "events:DescribeEventBus",
        "events:DescribeEventSource",
        "events:DescribePartnerEventSource",
        "events:DescribeReplay",
        "events:DescribeRule",
        "events:ListApiDestinations",
        "events:ListArchives",
        "events:ListConnections",
        "events:ListEndpoints",
        "events:ListEventBuses",
        "events:ListEventSources",
        "events:ListPartnerEventSourceAccounts",
        "events:ListPartnerEventSources",
        "events:ListReplays",
        "events:ListRuleNamesByTarget",
        "events:ListRules",
        "events:ListTagsForResource",
        "events:ListTargetsByRule",
        "events:TestEventPattern",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "firehose:ListTagsForDeliveryStream",
        "glacier:DescribeJob",
        "glacier:DescribeVault",
        "glacier:GetDataRetrievalPolicy",
        "glacier:GetJobOutput",
        "glacier:GetVaultAccessPolicy",
        "glacier:GetVaultLock",
        "glacier:GetVaultNotifications",
        "glacier:ListJobs",
        "glacier:ListMultipartUploads",
        "glacier:ListParts",
        "glacier:ListTagsForVault",
        "glacier:ListVaults",
        "iam:GenerateCredentialReport",
        "iam:Get*",
        "iam:List*",
        "inspector:Describe*",
        "inspector:Get*",
        "inspector:List*",
        "iot:Describe*",
        "iot:Get*",
        "iot:List*",
        "kafka:DescribeCluster",
        "kafka:DescribeClusterV2",
        "kafka:DescribeVpcConnection",
        "kafka:ListClientVpcConnections",
        "kafka:ListClusters",
        "kafka:ListClustersV2",
        "kafka:ListNodes",
        "kafka:ListTagsForResource",
        "kafka:ListVpcConnections",
        "kinesis:Describe*",
        "kinesis:DescribeStream",
        "kinesis:DescribeStreamConsumer",
        "kinesis:DescribeStreamSummary",
        "kinesis:ListShards",
        "kinesis:ListStreamConsumers",
        "kinesis:ListStreams",
        "kinesis:ListTagsForStream",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:Get*",
        "lambda:List*",
        "logs:Describe*",
        "logs:Get*",
        "logs:TestMetricFilter",
        "machinelearning:Describe*",
        "machinelearning:Get*",
        "opsworks:Describe*",
        "opsworks:Get*",
        "organizations:ListAccounts",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "redshift:ViewQueriesInConsole",
        "route53:Get*",
        "route53:List*",
        "route53domains:CheckDomainAvailability",
        "route53domains:GetDomainDetail",
        "route53domains:GetOperationDetail",
        "route53domains:ListDomains",
        "route53domains:ListOperations",
        "route53domains:ListTagsForDomain",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucket*",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:List*",
        "sdb:GetAttributes",
        "sdb:List*",
        "sdb:Select*",
        "ses:Get*",
        "ses:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "storagegateway:Describe*",
        "storagegateway:List*",
        "swf:Count*",
        "swf:Describe*",
        "swf:Get*",
        "swf:List*",
        "tag:Get*",
        "trustedadvisor:Describe*",
        "waf-regional:Get*",
        "waf-regional:List*",
        "waf:Get*",
        "waf:List*",
        "wafv2:GetWebACL",
        "wafv2:ListResourcesForWebACL",
        "wafv2:ListTagsForResource",
        "wafv2:ListWebACLs",
        "workspaces:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note: The resources Hava requests access to allow for the most detailed diagrams of your AWS environment. You can remove any permissions you're not comfortable with, but this may reduce the accuracy of the analysis, both now and as new features and resources are released.
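As an added review aid (not part of Hava's documentation), the script below runs two least-privilege checks over a policy document like the one above: it flags actions whose verb is not one of the conventional read-only verbs, and it expands wildcards to show which covered actions return resource contents or trigger work rather than returning metadata. The data-plane list is my own assessment and the sample policy is a constructed slice of the policy above, so adjust both to your review.

```python
import fnmatch
import json

# Verbs that AWS read-only policies are built from; anything else gets flagged.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Check", "Verify", "Count", "Read",
                   "View", "Validate", "Evaluate", "Query", "Test", "Retrieve",
                   "Request", "Generate", "Batch", "GET")

# Actions covered by the policy's entries that return contents or do work (my assessment).
DATA_PLANE_ACTIONS = {
    "sqs:ReceiveMessage": "returns message bodies and hides them until the visibility timeout",
    "codecommit:GitPull": "clones repository contents",
    "codecommit:GetFile": "reads a file from a repository",
    "ecr:BatchGetImage": "pulls image manifests",
    "ecr:GetDownloadUrlForLayer": "pulls image layers",
    "ec2:GetConsoleOutput": "reads instance console logs, which may contain secrets",
    "lambda:GetFunction": "returns a presigned URL to the deployment package",
    "logs:GetLogEvents": "reads log contents",
    "glacier:GetJobOutput": "reads archive contents",
    "es:ESHttpGet": "reads index data from the domain",
    "sdb:Select": "reads item data",
    "appsync:ListApiKeys": "returns API key values",
    "config:DeliverConfigSnapshot": "triggers a snapshot delivery (not read-only)",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Return (non_read_only, data_plane): actions with a non-read-only verb, and
    (policy_action, concrete_action, reason) for each DATA_PLANE action a policy action covers."""
    non_read_only, data_plane = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_VERBS):
                non_read_only.add(action)
            for concrete, reason in DATA_PLANE_ACTIONS.items():
                if fnmatch.fnmatchcase(concrete, action):   # expands "lambda:Get*" etc.
                    data_plane.add((action, concrete, reason))
    return sorted(non_read_only), sorted(data_plane)

# Constructed sample: a slice of the policy above, enough to exercise both checks.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Resource": "*", "Action": ["ec2:Describe*", "lambda:Get*", "sqs:ReceiveMessage",
  "config:Deliver*", "s3:GetBucket*", "sdb:Select*", "codecommit:GitPull"]}]}""")
```

Run `audit_policy` over the full policy document to get the complete list for your review; each flagged entry is a candidate to drop if you do not need that detail in your diagrams.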

  4. Click "Review Policy" and give the new policy a name.

  5. Click "Create Policy" and the new policy will be created.


Setup cross account role

After creating the IAM policy in AWS, the next step is to configure your cross-account role.

  1. Return to Hava and select the Amazon Data Source.

  2. Ensure the "Cross Account Role" tab is selected.

  3. Click the "Auto Config" button. This will open the Create Role dialog in your AWS Console with the fields pre-filled.

It’s important to verify the following:

  • Ensure the "Account ID" and "External ID" match the dialogue window in Hava.

  • Ensure "Require MFA" remains unchecked.

  4. Click "Select trusted entity" > "AWS account".

  5. Choose the option that allows a 3rd party to perform actions in this account.

    1. Confirm the "Account ID" from Hava

    2. Check "Require external ID"

    3. Confirm the "External ID" from Hava

    4. Uncheck "Require MFA"

  6. Attach permissions policies

    1. In the "Filter policies" search box, enter the name you gave the new Hava policy (you may need to click the "Refresh" button). Once it appears, tick its checkbox.

    2. Select "Next: Tags" (you can skip this)

    3. Select "Next: Review"

  7. Copy the "Role ARN"

  8. Return to the Hava tab in your browser.

    1. Paste the Role ARN into the Hava dialogue box

    2. (Optional) Add a friendly name for your source; if left blank, Hava will use your AWS account name.

    3. Click "Import"
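As an added example (not Hava's code), the following Python builds the trust policy that the steps above produce in the AWS wizard, checks an existing trust policy against the Account ID and External ID shown in Hava's dialog (principal restricted to that account, External ID required, MFA not required), and validates the Role ARN format before you paste it. HAVA_ACCOUNT_ID and EXTERNAL_ID are placeholders for the values Hava shows.

```python
import json
import re

# Placeholders: use the Account ID and External ID that Hava's dialog shows.
HAVA_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::(\d{12}):role/([\w+=,.@/-]+)$")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def build_trust_policy(account_id, external_id):
    """Trust policy the AWS wizard writes for "AWS account" with "Require external ID"
    checked and "Require MFA" unchecked: only `account_id` may assume the role, and
    only while presenting `external_id` (the confused-deputy control)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def check_trust_policy(policy, account_id, external_id):
    """Return the problems found; an empty list means the role matches the steps above."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        allowed = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        # A bare account ID is shorthand for the account's root ARN; normalise it.
        allowed = ["arn:aws:iam::%s:root" % p if p.isdigit() else p for p in allowed]
        if allowed != ["arn:aws:iam::%s:root" % account_id]:
            problems.append("principal is not the expected account: %s" % allowed)
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("External ID condition missing or does not match")
        if "aws:MultiFactorAuthPresent" in json.dumps(cond):
            problems.append("MFA is required, but the steps above say to leave it unchecked")
    return problems

def parse_role_arn(arn):
    """Return (account_id, role_name) for a well-formed IAM role ARN, else None."""
    m = ROLE_ARN_RE.match(arn.strip())
    return (m.group(1), m.group(2)) if m else None
```

A `None` from `parse_role_arn` on the value you are about to paste into Hava is the usual cause of the "Failed to authenticate" error described under Troubleshooting.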

Video walkthrough

For further assistance, watch the video below on setting up and connecting your AWS account using a cross-account role.

Troubleshooting

Request limit exceeded for (resource)

You can increase these limits in the AWS console, or restrict access to this service in your policy if it's not required.

You can learn more about these limits in the AWS documentation.

Failed to authenticate

Please verify that you’ve entered the correct ARN and placed it in the correct input field as outlined in steps 7 and 8.

Failed to create EKS source

This error typically indicates a private cluster. Currently, we only support public clusters.

We’re working on supporting private clusters and hope to offer this feature soon.
