
CloudFormation IAM Role Setup


This setup method leverages an AWS CloudFormation Template that creates an IAM role in AWS. The JSON template is accessed from the Cloud Provider Integration setup form in Virtana Platform. Using this template is the simplest and quickest of the three AWS integration setup methods and is recommended over the other setup methods.

You can view a list of permissions granted by the IAM role.

About This Task

When you use the CloudFormation Template to create a new AWS Integration in Virtana Platform, the template creates an AWS stack and populates a read-only IAM role in your AWS account. The IAM role is linked to Virtana Platform using the integration’s Account ID and External ID. Once created, it may take a few minutes for the integration status to be updated.


  • You must have enabled Cost Explorer and created a Cost and Usage Report in AWS.

  • You must have administrator access to both the Virtana Platform and the AWS consoles.

  • Ensure the AWS Security Token Service (STS) is active for all regions in which you have resources.

    If you get the error "Invalid IAM role was rejected" when saving the integration, it indicates that STS is inactive in one or more regions.


  1. In Virtana Platform:

    1. Navigate to Settings > Integrations > Cloud Providers.

      If this is the first time configuring a cloud account, you will see a page stating Configure Your First Cloud Integration.

    2. Click Add Integration and select the appropriate integration type.

    3. Optional: Enter a descriptive name for the integration instance to identify its purpose.

      If no name is given, Virtana Platform provides a unique default name.

  2. Under AWS Authentication, select the IAM role authentication type, and then click the link to Open script in AWS.

    This opens a new tab in AWS.


    Keep Virtana Platform open to the integration setup.

  3. In AWS, do the following:

    1. Check I acknowledge that AWS CloudFormation might create IAM resources.

    2. Select Create Stack.

      This process may take a few minutes. Wait for the message CREATE_COMPLETE before proceeding to the next step.

    3. Select the stack you just created, navigate to the Outputs tab, and copy the Role ARN Value.

      Image of AWS UI showing location of the Role ARN
  4. In the Virtana Platform integration setup form, paste the Role ARN value into the IAM Role ARN field and click Save.

    Make sure there are no extra spaces after you have pasted the value into the field.

  5. In AWS, navigate to AWS Cost Management > Reports and click the name of the report to be used by Virtana Platform as the source of detailed billing data.

  6. On the AWS Report Details page, make note of the S3 bucket name and the report path prefix.

  7. In Virtana Platform, enter the S3 bucket name and report path prefix in the Enable Detailed Billing Analysis field.

This completes the CloudFormation setup of the primary account. If you intend to configure child linked accounts, keep the Virtana Platform integration configuration form open. If you are not configuring linked accounts, you can close the form.


After creating your IAM role, wait 2-5 minutes for AWS to finalize its creation before proceeding to the next steps. This ensures the new role has the correct S3 access permissions when added to Virtana Platform.
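Because the role is linked by Account ID and External ID, it is worth confirming after stack creation that the role's trust policy allows only that account and pins that External ID, and that the pasted Role ARN carries no stray whitespace. The following is an added example, not Virtana's or AWS's code; it assumes the template produces a standard cross-account trust policy, and the function names, account IDs, External ID and role name are constructed placeholders.

```python
import re

ROLE_ARN_RE = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+")

def clean_role_arn(pasted):
    """Reject a pasted Role ARN that has stray whitespace or the wrong shape."""
    if pasted != pasted.strip():
        raise ValueError("Role ARN has leading or trailing whitespace")
    if not ROLE_ARN_RE.fullmatch(pasted):
        raise ValueError("not an IAM role ARN")
    return pasted

def as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, account_id, external_id):
    """Audit a role trust policy: only account_id may assume the role, and
    each Allow must pin sts:ExternalId (the confused-deputy guard)."""
    findings, seen = [], False
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        seen = True
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):      # e.g. "Principal": "*"
            principal = {"any": principal}
        for kind, values in principal.items():
            for p in as_list(values):
                acct = re.search(r"\d{12}", p)   # bare account ID or ARN
                if kind != "AWS" or not acct or acct.group(0) != account_id:
                    findings.append(f"unexpected principal: {p}")
        pinned = stmt.get("Condition", {}).get("StringEquals", {})
        if pinned.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId missing or not the expected value")
    return findings if seen else ["no Allow statement for sts:AssumeRole"]

# Constructed sample values, not taken from any real integration.
ACCOUNT_ID, EXTERNAL_ID = "111122223333", "example-external-id"
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    print(clean_role_arn("arn:aws:iam::444455556666:role/ExampleRole"))
    print(trust_policy_findings(GOOD, ACCOUNT_ID, EXTERNAL_ID))
    print(trust_policy_findings(WEAK, ACCOUNT_ID, EXTERNAL_ID))
```

To run it against the real role, load the trust policy JSON shown on the role's Trust relationships tab in the IAM console and pass the Account ID and External ID from the integration form.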

Next Steps

If you want to add linked accounts, see Configure Linked Accounts.