Updating Your IAM Role
Missing data? Things not updating the way they should? Sounds like it's time to update your IAM role
At Stax, we're constantly working to improve our offerings. In order to do this, you'll find that periodically you'll be asked to update the IAM role you created so Stax can get the data we need to make things easy.
Why is this a thing? Because we ask for the 'least privilege' we need at all times, we occasionally need to ask for access to new services and features as they become available. Why do we always ask for least privilege? Because we want to ensure that all your AWS accounts are secure, and it's best practice!
Before you begin
- You'll need to be a Stax admin and have access in AWS to create and update IAM roles.
Depending on your AWS Account setup, you may need to run this on one or on many different accounts.
The following applies if you added your accounts either using the Wizard. If you're unsure at any point, please contact firstname.lastname@example.org and we'll be able to assist.
Update your IAM Role
For each account, you'll need to:
- Log in to the AWS console, ensure you're using the same region you provisioned Stax in.
- Switch to CloudFormation, and under the list of stacks, find the one to provision your Stax role. Typically, this will be something like Stax-IAM-role.
- Click into the given stack.
- On the right hand of the screen, select "Update Stack"
- Now, the the "Choose a Template" selector, pick "Specify an Amazon S3 template URL".
Depending on the type of account you're updating, there are two different URLs to choose from:
- If it's a Billing account (e.g. it has a billing bucket attached, or is the root of an Organisation) - you'll want to use:https://stax-public-resources.s3.amazonaws.com/stax-iam-role-billing-cfn.json
- If it's a Service account (everything without a billing account), you'll want to use:https://stax-public-resources.s3.amazonaws.com/stax-iam-role-service-cfn.json
Now, to continue updating the stack:
- Hit Next
- Leave the existing values as is and press next- They should all match up and be correct, there is no need to change what is already specified. If you have an error about them, you may have specified the wrong type of account.
- Scroll to the bottom of the options page and press Next again.
- Tick I acknowledge that AWS CloudFormation might create IAM resources and then press update. This simply updates our IAM role, so this is to be expected.
Finally, you'll be redirected back to the list of stacks on success. Give it a 5-10 minutes, and then check the state of the Stack (e.g. Stax-IAM-role) we talked about earlier - it should ideally be
UPDATE_COMPLETE If it isn't, then please contact support and we'll be able to help.