Updating Your IAM Role

Missing data? Things not updating the way they should? Sounds like it's time to update your IAM role.

Article Tags
On This Page
Before you beginUpdate your IAM RoleSee also

At Stax, we're constantly working to improve our offerings. In order to do this, you'll find that periodically you'll be asked to update the IAM role you created so Stax can get the data we need to make things easy.

Why is this a thing? Because we ask for the 'least privilege' we need at all times, we occasionally need to ask for access to new services and features as they become available. Why do we always ask for least privilege? Because we want to ensure that all your AWS accounts are secure, and it's best practice!

This guidance assumes you're subscribed to only the Stax Cost & Compliance module. If your AWS accounts are Stax-managed, Stax takes care of this for you.

If you're unsure how to follow these steps, please raise a support case and we'll be able to assist.

Before you begin

  • Estimated time to complete: 10 minutes
  • Ensure you are a member of the Admin role in your Stax tenancy
  • You need permissions in your AWS accounts to deploy/update CloudFormation stacks

Depending on your AWS account setup, you may need to run this on one or on many different accounts.

Update your IAM Role

For each account, you'll need to:

  1. Log in to the AWS console, ensure you're using the same region you provisioned Stax in.
  2. Switch to CloudFormation, and under the list of stacks, find the one to provision your Stax role. Typically, this will be something like Stax-IAM-role.
  3. Click into the given stack.
  4. On the right hand of the screen, select "Update Stack"
  5. Now, the the "Choose a Template" selector, pick "Specify an Amazon S3 template URL".

Depending on the type of account you're updating, there are two different URLs to choose from:

  1. If it's a Billing account (e.g. it has a billing bucket attached, or is the root of an Organization) - you'll want to use:https://stax-public-resources.s3.amazonaws.com/stax-iam-role-billing-cfn.json
  2. If it's a Service account (everything without a billing account), you'll want to use:https://stax-public-resources.s3.amazonaws.com/stax-iam-role-service-cfn.json

Now, to continue updating the stack:

  1. Hit Next
  2. Leave the existing values as is and press next- They should all match up and be correct, there is no need to change what is already specified. If you have an error about them, you may have specified the wrong type of account.
  3. Scroll to the bottom of the options page and press Next again.
  4. Tick I acknowledge that AWS CloudFormation might create IAM resources and then press update. This simply updates our IAM role, so this is to be expected.

Finally, you'll be redirected back to the list of stacks on success. Give it 5-10 minutes, and then check the state of the Stack (e.g. Stax-IAM-role) we talked about earlier - it should ideally be UPDATE_COMPLETE. If it isn't, then please raise a support case and we'll be able to help.

See also