Creating an IAM cross-account role (Role ARN) with a ReadOnlyAccess policy is a key aspect of AWS account settings because it enables improved reporting capabilities within the platform. (This step is optional, yet highly recommended.)


To complete the steps outlined in this article, you need to have the StreamOne Ion console and the AWS account console open at the same time. 


From the StreamOne Ion Management Console 

  • Navigate to the Customers module
  • Select a customer 
  • On the left side of the Customer Profile screen, expand the Cloud Billing folder, then click on Cloud Account
  • Click on the AWS Account Number to open the account dialog box, then scroll to the bottom
  • Click Role ARN to view the Role ARN instructions.  
  • Once you have validated the Role ARN, click Save.  Otherwise, click the Later button.


We recommend you use two browsers so you can toggle between the AWS console and the StreamOne Ion platform. The instructions below are also provided in StreamOne Ion under the Cloud Account window.



1.    Log in to your Amazon IAM console

2.    Select "Roles" from the menu list

3.    Click "Create Role"

4.    Click "AWS Account"

5.    Select "Another AWS Account"

6.    Enter the Account ID: 328676173091

7.    Under "Options" check the box next to "Require external ID (Best practice when a third party will assume this role)"

 Enter the External ID: CA****** (This ID number is unique to each AWS account.)

Note: Leave the "Require MFA" field blank. MFA for third-party access is not supported at this time, and accounts used for access have MFA enabled.

8.   Click "Next"

9.   Search for the "ReadOnlyAccess" policy and check the box next to ReadOnlyAccess


Optional: To enable the policy for the Security and Compliance Report, in the policy list, search for AWSSupportAccess and check the box on the left. Business Support is required for this report.  For more information, please read the Knowledge Base article: AWS Security and Compliance Report.


10.   Enter a Role Name. Example: TDSReadOnly (Maximum 128 characters). (Use alphanumeric and '+=,.@-_' characters; no spaces.)

11.   Enter a Description. Add a brief explanation for this policy. Example: Read Only Access for billing (Maximum 128 characters). (Use alphanumeric and '+=,@-_' characters.)

12.  Click "Create Role"

13.  Click on the recently created Role Name to access the Summary Screen

14.  Click the "Copy to Clipboard" icon located on the left of the Role ARN value, to copy the value.

15.  Back in StreamOne Ion, paste the Role ARN value in the Role ARN dialog box (see below)

16.  Click the "Not Checked/Check Now" action function to confirm role validation in the platform. Once the green Verified status appears, click "Save". If a red "No Access" message appears, please recheck the Role ARN value, making sure there is no space before or after the value when pasted. If the ARN value still does not validate, please confirm the ReadOnlyAccess policy was properly created.

17.  Enter the Role description (optional)

18.  Save
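Steps 4-7 determine the role's trust policy: who may assume the role and under which conditions. The following check is an added example (not StreamOne Ion or AWS code) that audits a trust policy document against those steps; the external ID value and both sample policies are constructed placeholders.

```python
import json

TRUSTED_ACCOUNT = "328676173091"        # Account ID from step 6
EXTERNAL_ID = "CA-PLACEHOLDER"          # constructed; use the ID shown for your account

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, external_id):
    """Return findings for a role trust policy; an empty list matches steps 4-7."""
    findings = []
    allowed = {TRUSTED_ACCOUNT, f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"}
    allows = [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        who = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not who or any(p not in allowed for p in who):
            findings.append(f"statement {i}: principal {who} is not limited to {TRUSTED_ACCOUNT}")
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            findings.append(f"statement {i}: sts:AssumeRole is not allowed")
        cond = stmt.get("Condition", {})
        # IAM condition key names are case-insensitive.
        equals = {k.lower(): v for k, v in cond.get("StringEquals", {}).items()}
        if "sts:externalid" not in equals:
            findings.append(f"statement {i}: no external ID required (confused-deputy risk)")
        elif as_list(equals["sts:externalid"]) != [external_id]:
            findings.append(f"statement {i}: external ID differs from the expected value")
        if any("multifactorauth" in k.lower() for op in cond.values() for k in op):
            findings.append(f"statement {i}: MFA condition set; step 7 says to leave it blank")
    return findings

# Constructed sample: what steps 4-7 should produce.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::328676173091:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "CA-PLACEHOLDER"}}}]}""")

# Constructed sample: any account may assume the role, no external ID, MFA required.
BAD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "*"},
  "Action": "sts:AssumeRole",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}""")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_trust_policy(doc, EXTERNAL_ID) or "OK")
```

To audit a real role, pass in the trust policy shown on the role's Trust relationships tab, or the `Role.AssumeRolePolicyDocument` field returned by `aws iam get-role --role-name <your role name>`.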


Video Tutorial:  How to Create the Role ARN for AWS Accounts in StreamOne Ion



Highly recommended TDS training class: Setting Up and Managing your AWS Business on StreamOne Ion. This training will assist you in understanding how StreamOne Ion handles AWS business complexities, setting up your AWS business, understanding reports, and reconciling billing data. (This is partner-facing training.) 


To submit a support request, in StreamOne Ion, click the "?" icon in the upper right menu bar or click the Support button in the menu. Alternatively, you can click Submit a ticket in the Knowledge Base. Fill out all mandatory fields, or read How to Use StreamOne Freshdesk to Submit and View Support Tickets for more information.