Creating an IAM cross-account role with a ReadOnlyAccess policy (Role ARN) is part of the AWS account settings that allows for enhanced reporting features in the platform.


To complete the steps outlined in this article, you need to have the StreamOne Ion console and the AWS account console open at the same time. 


From the StreamOne Ion Management Console 

  • Navigate to the Customers module
  • Select a customer 
  • On the left side of the Customer Profile screen, expand the Cloud Billing folder, then click on Cloud Account
  • Click on the AWS Account Number to open the account dialog box, then scroll to the bottom
  • Click Role ARN to view the Role ARN instructions.
  • Once you have validated the Role ARN, click Save. Otherwise, click the Later button.


We recommend you use two browsers so you can toggle between the AWS console and the StreamOne Ion platform. The instructions below are also provided in StreamOne Ion under the Cloud Account window.



1.    Log in to your Amazon IAM console

2.    Select "Roles" from the menu list

3.    Click "Create Role"

4.    Click "AWS Account"

5.    Select "Another AWS Account"

6.    Enter the Account ID: 328676173091

7.    Under "Options" check the box next to "Require external ID (Best practice when a third party will assume this role)"

 Enter the External ID: CA****** (This ID number is unique to each AWS account)

***Leave the "Require MFA" field blank. MFA for third-party access is not supported at this time, and the accounts used for access have MFA enabled.

8.   Click "Next"

9.   Search for the "ReadOnlyAccess" policy and check the box next to ReadOnlyAccess


Optional: To enable the policy for the Security and Compliance Report, in the policy list, search for AWSSupportAccess and check the box on the left. Business Support is required for this report.  For more information, please read the Knowledge Base article: AWS Security and Compliance Report.


10.   Enter a Role Name. Example: TDSReadOnly (Maximum 128 characters. Use alphanumeric and '+=,.@-_' characters; no spaces)

11.   Enter a Description. Add a brief explanation for this policy. Example: Read Only Access for billing. (Maximum 128 characters. Use alphanumeric and '+=,@-_' characters.)

12.  Click "Create Role"

13.  Click on the recently created Role Name to access Summary Screen

14.  Click the "Copy to Clipboard" icon located to the left of the Role ARN value to copy the value.

15.  Back in StreamOne Ion, paste the Role ARN value in the Role ARN dialog box (see below)

16.  Click the "Not Checked/Check Now" action function to confirm that the role validates in the platform. Once the green Verified status appears, click "Save". If a red "No Access" message appears, recheck the Role ARN value and make sure there is no space before or after the pasted value. If the ARN value still does not validate, confirm that the ReadOnlyAccess policy was properly created.

17.  Enter the Role description (optional)

18.  Save
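
To review the result of steps 4 to 7 and the paste check in step 16, the following added example (not StreamOne Ion or AWS code) builds the trust policy those console choices correspond to and audits a policy document against it. The external ID value, the 111122223333 account number used for testing, and all function names are constructed placeholders.

```python
import re

ION_ACCOUNT_ID = "328676173091"         # trusted account ID from step 6
EXTERNAL_ID = "CA-EXAMPLE-PLACEHOLDER"  # constructed; use the ID shown in StreamOne Ion
ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/(?:[\w+=,.@-]+/)*[\w+=,.@-]+", re.ASCII)

def build_trust_policy(account_id, external_id):
    """Trust policy matching steps 4-7: one trusted account, external ID, no MFA."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the policy matches the steps."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for n, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        # Principal may be "*", or a map whose values are a string or a list.
        principal = st.get("Principal", "*")
        values = principal.values() if isinstance(principal, dict) else [principal]
        for v in values:
            for p in ([v] if isinstance(v, str) else v):
                if p not in trusted:
                    findings.append(f"statement {n}: unexpected principal {p}")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            findings.append(f"statement {n}: external ID condition missing or different")
        if any(k.lower() == "aws:multifactorauthpresent" for op in cond.values() for k in op):
            findings.append(f"statement {n}: MFA condition present (step 7 leaves it blank)")
    return findings

def check_role_arn(pasted):
    """Step 16 checks: no surrounding whitespace and the value is an IAM role ARN."""
    findings = []
    if pasted != pasted.strip():
        findings.append("leading or trailing whitespace")
    if not ROLE_ARN_RE.fullmatch(pasted.strip()):
        findings.append("not an IAM role ARN")
    return findings
```

Load the JSON shown on the role's Trust relationships tab with json.loads and pass it to audit_trust_policy; pass the copied Role ARN to check_role_arn before pasting it into StreamOne Ion.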


Video Tutorial:  How to Create the Role ARN for AWS Accounts in StreamOne Ion


To submit a support request, in StreamOne Ion, click the "?" icon in the upper right menu bar or click Submit a ticket in the Knowledge Base. Fill out all mandatory fields or read How to Use StreamOne Freshdesk to Submit and View Support Tickets for more information.