How to Create a Cross Account Role

Follow these steps to create an AWS cross account role that will allow Hava just enough access to draw diagrams of your infrastructure.

  1. From the main console screen click on Services and then select IAM
    car-1.png

  2. From the IAM menu select Policies and then click Create policy 
    car-2.png

  3. Click on Create Your Own Policy
    car-3.png

  4. Give your policy a name such as HavaPolicy and paste the policy document below. The actions are Describe, Get and List style calls that only read resource metadata, and "Resource": "*" is used because most of these calls do not support resource-level restrictions. If there are permissions you don't want Hava to have, remove them: Hava only imports and displays resources it has permission to read. A few entries go beyond metadata and return data (for example sqs:ReceiveMessage, codecommit:GitPull, ec2:GetConsoleOutput, es:ESHttpGet, glacier:GetJobOutput, and the wildcards logs:Get* and lambda:Get*, which also cover logs:GetLogEvents and lambda:GetFunction), and config:Deliver* triggers a configuration snapshot delivery, so drop those unless you specifically need them. Once you're happy with the details click Create Policy
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Action": [
    "acm:DescribeCertificate",
    "acm:GetCertificate",
    "acm:ListCertificates",
    "apigateway:GET",
    "apigateway:HEAD",
    "apigateway:OPTIONS",
    "appstream:Get*",
    "autoscaling:Describe*",
    "cloudformation:DescribeStackEvents",
    "cloudformation:DescribeStackResource",
    "cloudformation:DescribeStackResources",
    "cloudformation:DescribeStacks",
    "cloudformation:GetTemplate",
    "cloudformation:List*",
    "cloudfront:Get*",
    "cloudfront:List*",
    "cloudsearch:Describe*",
    "cloudsearch:List*",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",
    "cloudwatch:Describe*",
    "cloudwatch:Get*",
    "cloudwatch:List*",
    "codecommit:BatchGetRepositories",
    "codecommit:Get*",
    "codecommit:GitPull",
    "codecommit:List*",
    "codedeploy:Batch*",
    "codedeploy:Get*",
    "codedeploy:List*",
    "config:Deliver*",
    "config:Describe*",
    "config:Get*",
    "datapipeline:DescribeObjects",
    "datapipeline:DescribePipelines",
    "datapipeline:EvaluateExpression",
    "datapipeline:GetPipelineDefinition",
    "datapipeline:ListPipelines",
    "datapipeline:QueryObjects",
    "datapipeline:ValidatePipelineDefinition",
    "directconnect:Describe*",
    "ds:Check*",
    "ds:Describe*",
    "ds:Get*",
    "ds:List*",
    "ds:Verify*",
    "dynamodb:DescribeTable",
    "dynamodb:ListTables",
    "ec2:Describe*",
    "ec2:GetConsoleOutput",
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetManifest",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:BatchGetImage",
    "ecs:Describe*",
    "ecs:List*",
    "elasticache:Describe*",
    "elasticache:List*",
    "elasticbeanstalk:Check*",
    "elasticbeanstalk:Describe*",
    "elasticbeanstalk:List*",
    "elasticbeanstalk:RequestEnvironmentInfo",
    "elasticbeanstalk:RetrieveEnvironmentInfo",
    "elasticfilesystem:DescribeMountTargets",
    "elasticfilesystem:DescribeTags",
    "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "elasticloadbalancing:Describe*",
    "elasticmapreduce:Describe*",
    "elasticmapreduce:List*",
    "elastictranscoder:List*",
    "elastictranscoder:Read*",
    "es:DescribeElasticsearchDomain",
    "es:DescribeElasticsearchDomains",
    "es:DescribeElasticsearchDomainConfig",
    "es:ListDomainNames",
    "es:ListTags",
    "es:ESHttpGet",
    "es:ESHttpHead",
    "events:DescribeRule",
    "events:ListRuleNamesByTarget",
    "events:ListRules",
    "events:ListTargetsByRule",
    "events:TestEventPattern",
    "firehose:Describe*",
    "firehose:List*",
    "glacier:ListVaults",
    "glacier:DescribeVault",
    "glacier:GetDataRetrievalPolicy",
    "glacier:GetVaultAccessPolicy",
    "glacier:GetVaultLock",
    "glacier:GetVaultNotifications",
    "glacier:ListJobs",
    "glacier:ListMultipartUploads",
    "glacier:ListParts",
    "glacier:ListTagsForVault",
    "glacier:DescribeJob",
    "glacier:GetJobOutput",
    "iam:GenerateCredentialReport",
    "iam:Get*",
    "iam:List*",
    "inspector:Describe*",
    "inspector:Get*",
    "inspector:List*",
    "inspector:LocalizeText",
    "inspector:PreviewAgentsForResourceGroup",
    "iot:Describe*",
    "iot:Get*",
    "iot:List*",
    "kinesis:Describe*",
    "kinesis:Get*",
    "kinesis:List*",
    "kms:Describe*",
    "kms:Get*",
    "kms:List*",
    "lambda:List*",
    "lambda:Get*",
    "logs:Describe*",
    "logs:Get*",
    "logs:TestMetricFilter",
    "machinelearning:Describe*",
    "machinelearning:Get*",
    "mobilehub:GetProject",
    "mobilehub:ListAvailableFeatures",
    "mobilehub:ListAvailableRegions",
    "mobilehub:ListProjects",
    "mobilehub:ValidateProject",
    "mobilehub:VerifyServiceRole",
    "opsworks:Describe*",
    "opsworks:Get*",
    "rds:Describe*",
    "rds:ListTagsForResource",
    "redshift:Describe*",
    "redshift:ViewQueriesInConsole",
    "route53:Get*",
    "route53:List*",
    "route53domains:CheckDomainAvailability",
    "route53domains:GetDomainDetail",
    "route53domains:GetOperationDetail",
    "route53domains:ListDomains",
    "route53domains:ListOperations",
    "route53domains:ListTagsForDomain",
    "s3:GetAccelerateConfiguration",
    "s3:GetAnalyticsConfiguration",
    "s3:GetBucket*",
    "s3:GetInventoryConfiguration",
    "s3:GetIpConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetMetricsConfiguration",
    "s3:GetReplicationConfiguration",
    "s3:List*",
    "sdb:GetAttributes",
    "sdb:List*",
    "sdb:Select*",
    "ses:Get*",
    "ses:List*",
    "sns:Get*",
    "sns:List*",
    "sqs:GetQueueAttributes",
    "sqs:ListQueues",
    "sqs:ReceiveMessage",
    "storagegateway:Describe*",
    "storagegateway:List*",
    "swf:Count*",
    "swf:Describe*",
    "swf:Get*",
    "swf:List*",
    "tag:Get*",
    "trustedadvisor:Describe*",
    "waf:Get*",
    "waf:List*",
    "waf-regional:Get*",
    "waf-regional:List*",
    "workspaces:Describe*"
    ],
    "Effect": "Allow",
    "Resource": "*"
    }
    ]
    }
    car-4.png

  5. Next click on Roles and select Create new role
    car-5.png

  6. Select Role for cross-account access for your role type and then select Provide access between your AWS account and a 3rd party AWS account
    car-6.png

  7. Now you'll need to jump back to your Hava account quickly and select Add Environments, then Amazon and Cross Account Role. Copy the Account ID and External ID shown there into the IAM role details. The External ID is the condition that stops anyone else who learns your role ARN from having Hava assume the role on their behalf, so use the value Hava shows you rather than one you make up. Make sure Require MFA is NOT checked (Hava assumes the role as a service and cannot present an MFA code), then click Next Step
    car-7.png
    car-8.png

  8. Attach the policy you created  in step 4 and then click Next Step
    car-9.png

  9. Give your role a name such as HavaCrossAccountRole and then click Create role to finish creating your cross account role
    car-10.png

  10. Now to get the role ARN, select the role you just created from the list to view its details, and copy the Role ARN value.
    car-11.png

  11. Jump back to your Hava account and enter this into the Role ARN field, then click Import to get started!
    car-12.png
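The same outcome as steps 4 and 6 to 10, scripted, as an added example that is not part of this article or of Hava's own tooling. It builds the trust policy the console generates when you choose cross-account access for a 3rd party account with an External ID, audits a permission policy for actions that read data rather than metadata and appends an explicit Deny for them, and can create the policy and role through boto3. The account ID, External ID and the short action list are constructed placeholders; use the values shown in your Hava account and the full policy from step 4.

```python
"""Build the documents for a third-party cross-account role, audit the permission
policy, and optionally create the role with boto3. Added example, not Hava's code."""
import json
import re
from fnmatch import fnmatchcase

# Constructed placeholders: replace with the Account ID and External ID that Hava
# displays in its Cross Account Role screen (never invent the External ID yourself).
THIRD_PARTY_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id-from-hava"

# Actions that return data or trigger work, as opposed to describing resources.
# A diagramming tool only needs metadata, so these are candidates for removal.
DATA_ACCESS_ACTIONS = {
    "codecommit:GitPull": "clones repository contents",
    "config:DeliverConfigSnapshot": "triggers a config snapshot delivery",
    "ec2:GetConsoleOutput": "reads instance console output",
    "ecr:BatchGetImage": "pulls image manifests",
    "ecr:GetDownloadUrlForLayer": "pulls image layers",
    "es:ESHttpGet": "queries documents in a search domain",
    "glacier:GetJobOutput": "downloads archive contents",
    "kinesis:GetRecords": "reads stream records",
    "lambda:GetFunction": "returns a download URL for the function code",
    "logs:GetLogEvents": "reads log contents",
    "sqs:ReceiveMessage": "reads queue messages",
}

# Constructed subset of the article's policy, used as sample input below.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["autoscaling:Describe*", "ec2:Describe*", "ec2:GetConsoleOutput",
                   "lambda:Get*", "lambda:List*", "logs:Describe*", "logs:Get*",
                   "rds:Describe*", "s3:GetBucket*", "s3:List*",
                   "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage"],
        "Resource": "*",
    }],
}


def trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy the console generates for 'access to a 3rd party AWS account'.
    The sts:ExternalId condition is the confused-deputy guard: another Hava customer
    who enters your role ARN gets their own External ID sent, which fails to match."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    if not re.fullmatch(r"[\w+=,.@:/-]{2,1224}", external_id):
        raise ValueError("External ID has characters or a length IAM rejects")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _actions(statement: dict) -> list:
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def audit_actions(patterns) -> dict:
    """Map each granted action pattern to the data-access actions it covers.
    IAM matches action names case-insensitively with '*' and '?' wildcards,
    which fnmatch implements."""
    findings = {}
    for pattern in patterns:
        for action, reason in DATA_ACCESS_ACTIONS.items():
            if fnmatchcase(action.lower(), pattern.lower()):
                findings.setdefault(pattern, []).append((action, reason))
    return findings


def harden_policy(policy: dict) -> dict:
    """Return a copy of the policy with an explicit Deny for every data-access action
    its Allow statements cover. An explicit Deny beats any Allow, so a wildcard such
    as logs:Get* keeps working for metadata calls while logs:GetLogEvents is blocked."""
    allowed = [a for s in policy["Statement"] if s.get("Effect") == "Allow" for a in _actions(s)]
    denied = sorted({action for hits in audit_actions(allowed).values() for action, _ in hits})
    hardened = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    if denied:
        hardened["Statement"].append({"Effect": "Deny", "Action": denied, "Resource": "*"})
    return hardened


def create_role(iam, role_name, policy_name, permissions, account_id, external_id) -> str:
    """Console steps 4 and 6-10 via a boto3 IAM client; returns the Role ARN for Hava."""
    created = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(permissions))
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(account_id, external_id)),
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=created["Policy"]["Arn"])
    return role["Role"]["Arn"]


if __name__ == "__main__":
    for pattern, hits in audit_actions(_actions(SAMPLE_POLICY["Statement"][0])).items():
        print(f"{pattern}: " + ", ".join(f"{a} ({why})" for a, why in hits))
    print(json.dumps(trust_policy(THIRD_PARTY_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(harden_policy(SAMPLE_POLICY), indent=2))
```

Run it as-is to see which patterns from your policy reach data and what the hardened document looks like; to create the role, call create_role(boto3.client("iam"), "HavaCrossAccountRole", "HavaPolicy", harden_policy(policy), account_id, external_id) with credentials that can manage IAM, and paste the returned ARN into Hava's Role ARN field. Because the policy in step 4 is pasted as JSON, loading it with json.loads first also catches a missing comma before IAM rejects the document. Adding a Deny statement rather than deleting the wildcards keeps the Describe and List calls that Hava needs while closing the data-reading ones.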