1. Home
  2. Setup
  3. Update AWS Account Permissions for PyraCloud

Update AWS Account Permissions for PyraCloud

IMPORTANT: This is a technical procedure and should be executed by a person with an advanced understanding of AWS, CloudFormation, and IAM policies and roles.


As new features and functionality are introduced in PyraCloud, there is the occasional need to update the permissions that PyraCloud has to access your AWS account.

PyraCloud is “secure by default” and uses a very restrictive set of permissions. As a result, when a new feature or functionality is added to PyraCloud, it is likely that the permissions required have not already been granted.

Follow these steps to update your AWS Account permissions so that PyraCloud can function correctly.

NOTE: This only applies to AWS Accounts that were added to PyraCloud via the “Add Cloud Account” functionality in Cloud Tenant Setup.

Update PyraCloud Permissions

Sign in to the AWS Console

Navigate to https://aws.amazon.com/console/ and sign in to the AWS Console as a user with permission to modify IAM resources.

Figure 1 – Log in to the AWS Console

In the AWS console, click the Services menu item to open the list of services. Under Management and Governance group click the CloudFormation item.

Figure 2 – Click Services, then CloudFormation

Locate the PyraCloud Stack

Once in the CloudFormation console, select the correct region by clicking the region selection at the top right side of the screen. You may need to cycle through the region until you find the PyraCloud stack (typically named, PyraCloud-Onboarding).

Click the radio button next to the stack.

Click Update at the top right of the Stacks list.

Figure 3 – PyraCloud Stack

Update the Stack

On the Update Stack screen, select “Replace Current Template”. In the Specify template section, select Amazon S3 URL and paste the following link into the Amazon S3 URL textbox: https://iepapp0168sda.s3-eu-west-1.amazonaws.com/pyracloud_onboarding.json.

Click Next.

Figure 4 – Update Stack

On the Specify stack details screen, in the Parameters section, leave the ExternalId, PyraCloudProcessId, and PyraCloudTenantId fields as they are.

Click Next.

Figure 5 – Specify Stack Details

On the Configure stack options screen, leave all values as they are.

Click Next.

Figure 6 – Configure Stack Options

On the Review PyraCloud-Onboarding screen, review the changes that will be made to the stack. In the Capabilities section, check the ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names’ box.

Click Update Stack.

Figure 7 – Review PyraCloud Onboarding

On the PyraCloud-Onboarding screen, refresh the screen until the stack moves from UPDATE_IN_PROGRESS status to UPDATE_COMPLETE.

Figure 8 – Update in Progress Status
Figure 9 – Update Complete Status

Update Complete

The update process is complete. You may need to wait up to 24 hours for your AWS Account to become healthy in PyraCloud.

Permissions Change Log

At any time, you can view the contents of the CloudFormation script including the permissions required by PyraCloud by clicking here.

The following changes have been made to the CloudFormation script:

October 29th, 2019

Re-onboard AWS Recommendations

You’ll need the below permissions in order to view AWS Recommendations from AWS Trusted Advisor within PyraCloud.

  • support:*
  • trustedadvisor:Describe*

Please follow the steps here to re-onboard your AWS account with the permissions described above.

Update read and write-back permissions for AWS resources

  1. If you are unable to read resources (i.e. missing read permissions for AWS resources), then please follow the instructions as mentioned here.
  2. If you are unable to tag resources (i.e. missing write-back permissions for AWS resources), then please follow the instructions as below:
    • Navigate to IAM within the AWS portal as below
Figure 10 – Navigate to IAM
  • Locate PyraCloudRole
Figure 11 – Locate PyraCloudRole
  • Navigate to details of that role and ensure that ReadWritePolicy is attached
Figure 12 – Check if PyraCloudReadWritePolicy is attached
  • If role not attached, Click on Attach policies
Figure 13 – Attach PyraCloudReadWritePolicy
  • Type “PyraCloudReadWrite” policy in search box. Select checkbox and click Attach policy
Figure 14 – PyraCloudReadWrite Search

Ideally, the role should now be attached, and write-back permissions should have been added. To confirm, please check the Resources module of PyraCloud by syncing the relevant AWS accounts.

September 2nd, 2019

Added the following permissions to support synchronizing tags to and from more resource types:

  • elasticloadbalancing:DescribeLoadBalancers
  • lightsail:GetInstances
  • lightsail:GetStaticIps
  • lightsail:GetInstanceSnapshots
  • s3:GetBucketLocation
  • cloudtrail:DescribeTrails
  • ce:GetRightsizingRecommendation
  • ce:GetReservationPurchaseRecommendation
Updated on April 28, 2021

Was this article helpful?

Related Articles