# Cross Account Role

### Setting up and Connecting Your AWS Account

Connecting your AWS account is quick and should take about 10 minutes if you have the required permissions. While we strive to keep our documentation current, AWS may occasionally update their process or UI. If you notice any discrepancies, please contact us at support\[at]hava.io.

Prefer a video walkthrough? You can watch it [here](#video-walkthrough).

***

### How to create a Cross Account Role

From the Hava Environments screen - select "**Add Environments**" :

![](https://3601125483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Loco-kTiJ7Tu_lfPZqb%2Fuploads%2FT2M8CUv7MtaYTJfKYfPF%2FHava_Add_New_Cloud_Environment.jpg?alt=media\&token=99ac2214-0cfc-4091-808e-2315b2033dab)

***

### Create your IAM policy

#### Log in to your AWS Console

In a separate browser tab - log in to your AWS Console.

1. Navigate to **IAM > Policies** to create a new policy that your Hava Cross-Account role can use
2. Click **"Create Policy"**
3. Select the **JSON** tab

<div align="left"><img src="https://www.hava.io/hubfs/documentation/getting-started/Getting_Started_CAR_Create_4.jpg" alt="" width="563"></div>

<details>

<summary>Paste the following JSON code (click > to expand)</summary>

{% code fullWidth="true" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListCertificates",
        "apigateway:GET",
        "appsync:GetApiCache",
        "appsync:ListApiKeys",
        "appsync:ListDataSources",
        "appsync:ListDomainNames",
        "appsync:ListFunctions",
        "appsync:ListGraphqlApis",
        "appsync:ListResolvers",
        "appsync:ListSourceApiAssociations",
        "appsync:ListTagsForResource",
        "appsync:ListTypes",
        "appstream:Get*",
        "autoscaling:Describe*",
        "cloudformation:List*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudhsm:DescribeBackups",
        "cloudhsm:DescribeClusters",
        "cloudhsm:GetResourcePolicy",
        "cloudhsm:ListTags",
        "cloudsearch:Describe*",
        "cloudsearch:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:List*",
        "codedeploy:Batch*",
        "codedeploy:Get*",
        "codedeploy:List*",
        "config:Deliver*",
        "config:Describe*",
        "config:Get*",
        "datapipeline:DescribeObjects",
        "datapipeline:DescribePipelines",
        "datapipeline:EvaluateExpression",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ListPipelines",
        "datapipeline:QueryObjects",
        "datapipeline:ValidatePipelineDefinition",
        "directconnect:Describe*",
        "ds:Check*",
        "ds:Describe*",
        "ds:Get*",
        "ds:List*",
        "ds:Verify*",
        "dynamodb:DescribeGlobalTable",
        "dynamodb:DescribeTable",
        "dynamodb:ListGlobalTables",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:GetConsoleOutput",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "elastictranscoder:List*",
        "elastictranscoder:Read*",
        "es:DescribeDomain",
        "es:DescribeDomainNodes",
        "es:DescribeDomains",
        "es:DescribeElasticsearchDomain",
        "es:DescribeElasticsearchDomainConfig",
        "es:DescribeElasticsearchDomains",
        "es:DescribeReservedElasticsearchInstances",
        "es:DescribeVpcEndpoints",
        "es:ESHttpGet",
        "es:ESHttpHead",
        "es:ListDomainNames",
        "es:ListTags",
        "es:ListVpcEndpointAccess",
        "es:ListVpcEndpoints",
        "es:ListVpcEndpointsForDomain",
        "events:DescribeApiDestination",
        "events:DescribeArchive",
        "events:DescribeConnection",
        "events:DescribeEndpoint",
        "events:DescribeEventBus",
        "events:DescribeEventSource",
        "events:DescribePartnerEventSource",
        "events:DescribeReplay",
        "events:DescribeRule",
        "events:ListApiDestinations",
        "events:ListArchives",
        "events:ListConnections",
        "events:ListEndpoints",
        "events:ListEventBuses",
        "events:ListEventSources",
        "events:ListPartnerEventSourceAccounts",
        "events:ListPartnerEventSources",
        "events:ListReplays",
        "events:ListRuleNamesByTarget",
        "events:ListRules",
        "events:ListTagsForResource",
        "events:ListTargetsByRule",
        "events:TestEventPattern",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "firehose:ListTagsForDeliveryStream",
        "glacier:DescribeJob",
        "glacier:DescribeVault",
        "glacier:GetDataRetrievalPolicy",
        "glacier:GetJobOutput",
        "glacier:GetVaultAccessPolicy",
        "glacier:GetVaultLock",
        "glacier:GetVaultNotifications",
        "glacier:ListJobs",
        "glacier:ListMultipartUploads",
        "glacier:ListParts",
        "glacier:ListTagsForVault",
        "glacier:ListVaults",
        "iam:GenerateCredentialReport",
        "iam:Get*",
        "iam:List*",
        "inspector:Describe*",
        "inspector:Get*",
        "inspector:List*",
        "iot:Describe*",
        "iot:Get*",
        "iot:List*",
        "kafka:DescribeCluster",
        "kafka:DescribeClusterV2",
        "kafka:DescribeVpcConnection",
        "kafka:ListClientVpcConnections",
        "kafka:ListClusters",
        "kafka:ListClustersV2",
        "kafka:ListNodes",
        "kafka:ListTagsForResource",
        "kafka:ListVpcConnections",
        "kinesis:Describe*",
        "kinesis:DescribeStream",
        "kinesis:DescribeStreamConsumer",
        "kinesis:DescribeStreamSummary",
        "kinesis:ListShards",
        "kinesis:ListStreamConsumers",
        "kinesis:ListStreams",
        "kinesis:ListTagsForStream",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:Get*",
        "lambda:List*",
        "logs:Describe*",
        "logs:Get*",
        "logs:TestMetricFilter",
        "machinelearning:Describe*",
        "machinelearning:Get*",
        "opsworks:Describe*",
        "opsworks:Get*",
        "organizations:ListAccounts",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "redshift:ViewQueriesInConsole",
        "route53:Get*",
        "route53:List*",
        "route53domains:CheckDomainAvailability",
        "route53domains:GetDomainDetail",
        "route53domains:GetOperationDetail",
        "route53domains:ListDomains",
        "route53domains:ListOperations",
        "route53domains:ListTagsForDomain",
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucket*",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:List*",
        "sdb:GetAttributes",
        "sdb:List*",
        "sdb:Select*",
        "ses:Get*",
        "ses:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "storagegateway:Describe*",
        "storagegateway:List*",
        "swf:Count*",
        "swf:Describe*",
        "swf:Get*",
        "swf:List*",
        "tag:Get*",
        "trustedadvisor:Describe*",
        "waf-regional:Get*",
        "waf-regional:List*",
        "waf:Get*",
        "waf:List*",
        "wafv2:GetWebACL",
        "wafv2:ListResourcesForWebACL",
        "wafv2:ListTagsForResource",
        "wafv2:ListWebACLs",
        "workspaces:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

{% endcode %}

</details>

{% hint style="info" %}
***Note :*** The resources Hava requests access to allow for the most detailed diagrams of your AWS environment. You can remove any permissions you’re not comfortable with, but this may reduce the accuracy of the analysis, both now and as new features and resources are released.
{% endhint %}

4. Then click **"Review Policy"** and give the new policy a **name**.

<div align="left"><img src="https://www.hava.io/hubfs/documentation/getting-started/Getting_Started_CAR_Create_5.jpg" alt="" width="563"></div>

5. Click **"Create Policy"** and the new policy will be created.
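The note above says you may trim the policy, and in practice teams also add to it over time. The script below is an added example (not Hava's code) that audits a policy document such as the one above: it flags wildcard grants, any Allow action whose verb is not read-only, and read-only actions that return customer data (repository contents, image layers, queue messages, log events) rather than configuration. The verb-prefix and data-plane lists are this example's own classification, not an AWS-published one, and the `SAMPLE_POLICY` is constructed for the demonstration.

```python
"""Audit an IAM permissions policy for actions that are not read-only.

Added example (not Hava's code). It classifies every Allow action in a
policy document by its verb prefix, so that a policy like the Hava one
can be trimmed or extended without accidentally granting write access.
The prefix and data-plane lists are this example's own classification,
not an AWS-published one; adjust them to your review standard.
"""
import json

# Verb prefixes that only read configuration or metadata (assumed list).
READ_ONLY_PREFIXES = (
    "Describe", "Get", "List", "BatchGet", "BatchCheck", "Check", "Count",
    "Verify", "Read", "Validate", "Query", "Evaluate", "Test", "Retrieve",
    "Select", "View", "GitPull", "ESHttpGet", "ESHttpHead", "GET",
)

# Read-only actions that return customer data rather than configuration.
# Worth a second look before granting them to a third party (assumed list).
DATA_PLANE_ACTIONS = {
    "codecommit:GitPull", "ec2:GetConsoleOutput", "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer", "es:ESHttpGet", "glacier:GetJobOutput",
    "logs:Get*", "sqs:ReceiveMessage",
}


def _as_list(value):
    """IAM accepts a bare string wherever a list of strings is allowed."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> dict:
    """Return actions grouped by finding type, in order of appearance."""
    policy = json.loads(policy_json)
    findings = {"wildcard": [], "review": [], "data_plane": []}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions
            findings["wildcard"].append("NotAction statement")
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, name = action.partition(":")
            if action == "*" or name in ("", "*"):
                findings["wildcard"].append(action)
                continue
            if not name.startswith(READ_ONLY_PREFIXES):
                findings["review"].append(action)
            if action in DATA_PLANE_ACTIONS:
                findings["data_plane"].append(action)
    return findings


# Constructed sample policy: a few read-only actions from the Hava policy
# plus some that an auditor should stop and look at.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*", "s3:GetBucket*", "apigateway:GET",
                "codecommit:GitPull", "sqs:ReceiveMessage", "config:Deliver*",
                "iam:GenerateCredentialReport", "s3:PutObject", "ecr:*",
            ],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for kind, actions in audit_policy(SAMPLE_POLICY).items():
        print(f"{kind}: {actions}")
```

Paste the policy JSON from the page into `audit_policy` to see which of its entries land in the `review` and `data_plane` buckets; those are the ones to weigh against the diagram detail you actually need.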

***

### Setup cross account role

After creating the IAM policy in AWS, the next step is to configure your cross-account role.

1. Return to Hava and select the Amazon Data Source.<br>
2. Ensure the **"Cross Account Role"** tab is selected.<br>
3. Click the **"Auto Config"** button. This will open the Create Role dialog in your AWS Console with the fields pre-filled.

<div align="left" data-full-width="false"><img src="https://3601125483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Loco-kTiJ7Tu_lfPZqb%2Fuploads%2FQRyfJB4y4DxVFTdbvKKk%2FHava_AWS_Cross_Account_Role.jpg?alt=media&#x26;token=4d6a4b0d-68c4-4e80-a37c-2ca6b1b8c529" alt="" width="563"></div>

{% hint style="danger" %}
**It’s important to verify the following:**<br>

* Ensure the **"Account ID"** and **"External ID"** match the dialogue window in Hava.
* Ensure **"Require MFA"** remains **unchecked**

{% endhint %}
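The three points in the box above (Account ID, External ID, no MFA condition) can be verified against the role's trust policy after the role exists, for example from the output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`. The external ID is what stops the confused-deputy case where a third party is tricked into assuming your role on someone else's behalf, so its absence is the most important finding. The script below is an added example, not Hava's code; the account ID and external ID in it are constructed placeholders, and the embedded policy documents are constructed to resemble what the Create Role dialog produces.

```python
"""Check a cross-account role trust policy against expected values.

Added example (not Hava's code). Returns a list of problem codes so the
check can run in CI or a post-setup script; an empty list means the
trust policy matches what the Hava dialog asked for.
"""
import json
import re

# Principal may be a bare 12-digit account id or arn:aws:iam::<id>:root
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root)?$")


def _as_list(value):
    """IAM accepts a bare string wherever a list of strings is allowed."""
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account ids named by a Principal block, with '*' for a wildcard."""
    if principal == "*":
        return ["*"]
    accounts = []
    for entry in _as_list(principal.get("AWS", [])):
        match = ACCOUNT_RE.match(entry)
        accounts.append(match.group(1) if match else entry)
    return accounts


def check_trust_policy(doc, expected_account, expected_external_id):
    """Return problem codes found in the trust policy (empty list = OK)."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    problems = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # The role should be assumable and nothing more
        if any(a != "sts:AssumeRole" for a in _as_list(stmt.get("Action", []))):
            problems.append("ACTION_TOO_BROAD")
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            problems.append("WILDCARD_PRINCIPAL")
        elif accounts != [expected_account]:
            problems.append("PRINCIPAL_MISMATCH")
        cond = stmt.get("Condition", {})
        external_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            problems.append("NO_EXTERNAL_ID")
        elif external_id != expected_external_id:
            problems.append("EXTERNAL_ID_MISMATCH")
        # "Require MFA" in the console adds this key; a service cannot satisfy it
        if any("aws:MultiFactorAuthPresent" in keys for keys in cond.values()):
            problems.append("MFA_REQUIRED")
    return problems


# Constructed placeholders standing in for the values shown in the Hava dialog
HAVA_ACCOUNT_ID = "111111111111"
HAVA_EXTERNAL_ID = "example-external-id"

# Constructed trust policy as the dialog would create it with the box's settings
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{HAVA_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": HAVA_EXTERNAL_ID}},
    }],
})

# Constructed trust policy with "Require MFA" ticked and no external ID
MFA_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": HAVA_ACCOUNT_ID},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})

if __name__ == "__main__":
    print(check_trust_policy(GOOD_TRUST_POLICY, HAVA_ACCOUNT_ID, HAVA_EXTERNAL_ID))
    print(check_trust_policy(MFA_TRUST_POLICY, HAVA_ACCOUNT_ID, HAVA_EXTERNAL_ID))
```

Replace the two placeholder constants with the values from your Hava dialog; any non-empty result points at exactly the field to fix in the Create Role dialog.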

4. Click on **Select trusted entity >** **AWS account**

<div align="left"><img src="https://3601125483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Loco-kTiJ7Tu_lfPZqb%2Fuploads%2Fy41HRtwf9wNUqCPSptep%2FIAM_CAR_1.png?alt=media&#x26;token=4cf6c753-e311-46d0-9fd7-b2fb8277eaa3" alt="" width="563"></div>

5. Configure the role for a 3rd party to perform actions in this account:<br>
   1. Confirm the **"Account ID"** from Hava<br>
   2. Check **"Require external ID"**<br>
   3. Confirm the **"External ID"** from Hava<br>
   4. Uncheck **"Require MFA"**

<div align="left"><img src="https://3601125483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Loco-kTiJ7Tu_lfPZqb%2Fuploads%2FwxVW5UDGiZuzlmAL1M41%2FIAM_CAR_2.png?alt=media&#x26;token=24c2af23-664b-4763-9a69-cd725ce93e8e" alt="" width="563"></div>

6. Attach permissions policies<br>

   <div align="left"><img src="https://www.hava.io/hubfs/documentation/getting-started/Getting_Started_CAR_Create_6.jpg" alt="" width="563"></div>

   1. In the **"Filter policies"** search box, enter the name you gave the new Hava policy (you may need to click the **"Refresh"** button); once found, tick its select checkbox.<br>
   2. Select **"Next: Tags"** - (you can skip this)<br>
   3. Select **"Next: Review"**

   <div align="left"><img src="https://www.hava.io/hubfs/documentation/getting-started/Getting_Started_CAR_Create_7.jpg" alt="" width="563"></div>

7. **Copy** the **"Role ARN"**

<div align="left"><img src="https://www.hava.io/hubfs/documentation/getting-started/Getting_Started_CAR_Create_8.jpg" alt="" width="563"></div>

8. Return to the Hava tab in your browser.
   1. Paste the **Role ARN** into the Hava dialogue box
   2. (Optional) Add a friendly name for your source; if left blank, Hava will use your AWS account name.
   3. Click **"Import"**

<div align="left"><img src="https://3601125483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Loco-kTiJ7Tu_lfPZqb%2Fuploads%2FNZe4LnS3itDc3OJ8SsMC%2FHava_AWS_Role_ARN.jpg?alt=media&#x26;token=e2a8f18b-f058-4051-86f1-b76f861387c2" alt="" width="563"></div>

### Video walkthrough

For further assistance, watch the video below on setting up and connecting your AWS account using a cross-account role.

{% embed url="https://youtu.be/mbXJyKpC9jU" %}

### Troubleshooting

<details>

<summary>Request limit exceeded for (resource)</summary>

You can increase these limits in the AWS console, or restrict access to this service in your policy if it's not required.

**You can learn more here at AWS:**

* Elastic beanstalk: [AWS Elastic Beanstalk endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/elasticbeanstalk.html)
* Step Function: [AWS Step Functions endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/step-functions.html)

</details>

<details>

<summary>Failed to authenticate</summary>

Please verify that you’ve entered the correct ARN and placed it in the correct input field as outlined in steps 7 and 8.

</details>

<details>

<summary>Failed to create EKS source</summary>

This error typically indicates a private cluster. Currently, we only support public clusters.

We’re working on supporting private clusters and hope to offer this feature soon.

</details>
