Prerequisites

  • An active MilkStraw AI account
  • AWS account with permissions to create IAM roles and policies
  • Access to the AWS Management Console

Connection Methods

We provide two methods to connect your AWS account. Choose the one that best suits your needs:

CloudFormation Setup

One-click setup using AWS CloudFormation. Fastest and recommended method.

Manual Setup

Step-by-step manual configuration for full control over the process.

CloudFormation Setup

1. Deploy Stack

Click the “Deploy” button in the MilkStraw AI dashboard to start the CloudFormation process.

2. Access Level

Choose the access level for the IAM role.

3. Connect Account

Click the “Connect” button in the MilkStraw AI dashboard to apply the CloudFormation template.

4. Create Stack (AWS Console)

Click “Create stack” to deploy the cross-account role in your AWS Console.

5. Enter Account Details

Return to MilkStraw AI and provide:

  • Account Nickname (for easy identification)
  • AWS Account Number
  • Role Name (if modified in CloudFormation)

Manual Setup

Creating the IAM Policy

1. Navigate to IAM

Open the AWS Management Console and go to IAM (Identity and Access Management).

2. Create New Policy

Select “Policies” → “Create policy” and switch to the JSON editor.

3. Add Policy JSON

Copy and paste the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "application-autoscaling:Describe*",
        "autoscaling:Describe*",
        "ce:Describe*",
        "ce:Get*",
        "ce:List*",
        "cloudwatch:GetMetricData",
        "ec2:Describe*",
        "ec2:AcceptReservedInstancesExchangeQuote",
        "ec2:CancelReservedInstancesListing",
        "ec2:CreateReservedInstancesListing",
        "ec2:DeleteQueuedReservedInstances",
        "ec2:ModifyReservedInstances",
        "ec2:PurchaseHostReservation",
        "ec2:PurchaseReservedInstancesOffering",
        "rds:Describe*",
        "rds:List*",
        "rds:PurchaseReservedDbInstancesOffering",
        "elasticache:List*",
        "elasticache:Describe*",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "es:Describe*",
        "es:List*",
        "es:PurchaseReservedInstanceOffering",
        "organizations:InviteAccountToOrganization",
        "organizations:List*",
        "organizations:Describe*",
        "pricing:DescribeServices",
        "pricing:GetAttributeValues",
        "pricing:GetProducts",
        "savingsplans:Describe*",
        "savingsplans:List*",
        "servicequotas:Get*",
        "servicequotas:List*",
        "support:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

4. Create the Policy

Name it “MilkStrawPolicy” and add a description, then click “Create policy”.

Creating the IAM Role

1. Create Role

In IAM, select “Roles” → “Create role” → “Custom trust policy”.

2. Add Trust Policy

Add the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::801486250081:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "08ead6e9-c39c-4a1c-ae45-a3fdab62c00c"
        }
      }
    }
  ]
}

3. Attach Policy

Select the “MilkStrawPolicy” created earlier.

4. Create the Role

Name the role (e.g., “MilkStrawRole”) and add a description, then click “Create role”.

Completing the Setup

1. Enter Account Details

In the MilkStraw AI dashboard, provide:

  • Account Nickname
  • AWS Account Number
  • Role Name

2. Verify Connection

MilkStraw AI will verify the connection using the provided role and external ID.
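
A review pass over the two JSON documents from the manual setup, as an added example (not MilkStraw AI's code; the helper names are illustrative). It lists the allowed actions that are not Describe/Get/List by name, and checks that the trust policy names only the expected account and carries the sts:ExternalId condition.

```python
READ_ONLY_VERBS = ("describe", "get", "list")  # heuristic: judged by action name only

def as_list(value):  # IAM accepts a single value or a list in these fields
    return value if isinstance(value, list) else [value]

def non_read_actions(policy):
    """Allowed actions whose verb is not Describe/Get/List (wildcards included)."""
    flagged = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in as_list(stmt.get("Action", [])):
                if not action.split(":", 1)[-1].lower().startswith(READ_ONLY_VERBS):
                    flagged.add(action)
    return sorted(flagged)

def trust_findings(trust, account_id, external_id):
    """Problems in a cross-account trust policy; an empty list means it matches."""
    findings = []
    for stmt in as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if aws != [f"arn:aws:iam::{account_id}:root"]:
            findings.append(f"unexpected principal: {aws}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or different")
    return findings

# Added example, not MilkStraw AI code. Values are copied from the JSON in this guide.
ACCOUNT_ID, EXTERNAL_ID = "801486250081", "08ead6e9-c39c-4a1c-ae45-a3fdab62c00c"
PAGE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": """
  application-autoscaling:Describe* autoscaling:Describe* ce:Describe* ce:Get* ce:List*
  cloudwatch:GetMetricData ec2:Describe* ec2:AcceptReservedInstancesExchangeQuote
  ec2:CancelReservedInstancesListing ec2:CreateReservedInstancesListing
  ec2:DeleteQueuedReservedInstances ec2:ModifyReservedInstances ec2:PurchaseHostReservation
  ec2:PurchaseReservedInstancesOffering rds:Describe* rds:List*
  rds:PurchaseReservedDbInstancesOffering elasticache:List* elasticache:Describe*
  elasticache:PurchaseReservedCacheNodesOffering es:Describe* es:List*
  es:PurchaseReservedInstanceOffering organizations:InviteAccountToOrganization
  organizations:List* organizations:Describe* pricing:DescribeServices
  pricing:GetAttributeValues pricing:GetProducts savingsplans:Describe* savingsplans:List*
  servicequotas:Get* servicequotas:List* support:*""".split()}]}
PAGE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}

if __name__ == "__main__":
    print(non_read_actions(PAGE_POLICY), trust_findings(PAGE_TRUST, ACCOUNT_ID, EXTERNAL_ID))
```

The read-only check goes by action name only and does not evaluate IAM semantics, so treat its output as a list of grants to review before creating the role.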

Managing Multiple AWS Accounts