How to manually add a cross-account role to Cado
There are two main steps to set up cross-account acquisitions:
- Create a Cross-Account IAM Policy and Role in the target AWS account from which the Cado platform will acquire data. This allows Cado to assume the cross-account role for data acquisition.
- Add the Cross-Account IAM Role ARN to the Cado platform to enable access to that AWS account.
This page describes step 2. For step 1, see Manually deploy a cross-account IAM role in AWS.
info
Throughout this guide:
- The primary AWS account is where Cado is deployed (referred to as account
111111111111
). - The target AWS account is where cross-account access is being set up (referred to as account
222222222222
).
Step 2: Add the Target AWS Role ARN to the Cado Platform
Once the cross-account role is created in the target AWS account (222222222222
), add the Role ARN to the Cado platform:
- Log into the Cado platform and go to Settings > Accounts and click Create an account.
- Select AWS from the set of providers.
- The AWS Role option should already be selected.
- Enter the IAM Role ARN created in Step 1, and provide an Account Name. The Account Name should include the AWS account number for clarity.
- The Cado platform will validate the role to ensure it is assumable. Once validated, the account name will appear in the list of available AWS accounts.
- By default, Cado will perform an Account Check to confirm the required permissions are in place for successful acquisitions. You can skip this by unchecking the "Run account check after adding account" option. For more information, refer to the Account Check guide.
Adding the cross-account ARN to Cado can also be automated using Cado’s API. See Automating Cado Cross-Account Creation.