# Cross Account Role

CloudRunr accesses your AWS account via a cross-account role. In line with AWS IAM policy best practices, CloudRunr requests only the least-privilege permissions. This means we limit the actions we can take and the resources to which those actions can be applied.

The IAM read-only role is used during the initial onboarding step (Step 1). It requires read-only permissions (see the [full list here](https://jemo-speech.s3.ap-south-1.amazonaws.com/cloudrunr-readonly.json)) to access historical billing data (via Cost Explorer) and your AWS infrastructure metadata (such as the EC2 instances you are using and whether they are already covered by Compute Savings Plans or Reserved Instances). After ingesting this data, CloudRunr maps it to other cloud providers and provides estimates. Once a user is fully onboarded, the read-only role is used again to display cost and comparison estimates whenever a new month's usage is requested on the CloudRunr dashboard, helping users compare their current spending with other cloud providers.

```json
[
      {
        "PolicyName": "CloudRunRBillingReadOnly",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "budgets:Describe*",
                "budgets:View*",
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "cur:Describe*",
                "cur:Get*",
                "cur:Validate*",
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts",
                "organizations:Describe*",
                "organizations:List*",
                "savingsplans:Describe*",
                "rds:Describe*",
                "rds:List*",
                "elasticache:List*",
                "elasticache:Describe*",
                "redshift:Describe*",
                "es:Describe*",
                "es:List*",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "tax:List*",
                "tax:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "account:GetContactInformation",
                "invoicing:List*",
                "invoicing:Get*",
                "freetier:Get*",
                "ec2:Describe*",
                "lambda:Describe*",
                "ecs:Describe*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
      }
]
```
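Before attaching a policy like the one above to a cross-account role, you can check mechanically that every allowed action is read-style. The script below is an added example, not CloudRunr's own tooling: the function names, the prefix list and both sample policies are assumptions constructed for illustration.

```python
import json

# Read-style verb prefixes; these are the only ones the page's policy uses.
READ_PREFIXES = ("describe", "get", "list", "view", "validate")

def as_list(value):
    # IAM accepts a single string or a list for Action and Statement.
    return value if isinstance(value, list) else [value]

def audit_policy(policies):
    """Return (policy, action, reason) for every Allow grant that is not read-only."""
    findings = []
    for policy in policies:
        name = policy.get("PolicyName", "<unnamed>")
        for stmt in as_list(policy["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            if "NotAction" in stmt:
                findings.append((name, "NotAction", "allows all but the listed actions"))
            for action in as_list(stmt.get("Action", [])):
                service, _, verb = action.partition(":")
                # IAM action names are case-insensitive, so compare in lower case.
                if service == "*" or verb in ("", "*"):
                    findings.append((name, action, "full wildcard"))
                elif not verb.lower().startswith(READ_PREFIXES):
                    findings.append((name, action, "not a read-only verb"))
    return findings

# Constructed sample: a subset of the actions listed in the policy above.
PAGE_SUBSET = json.loads("""[{"PolicyName": "CloudRunRBillingReadOnly",
  "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
    "Action": ["ce:Get*", "cur:Validate*", "budgets:View*",
               "pricing:GetProducts", "ec2:Describe*", "rds:List*"],
    "Resource": "*", "Effect": "Allow"}]}}]""")

# Constructed sample: the same shape with two write-capable grants added.
DRIFTED = json.loads("""[{"PolicyName": "ExampleDrifted",
  "PolicyDocument": {"Version": "2012-10-17", "Statement": {
    "Action": ["ec2:Describe*", "ec2:RunInstances", "rds:*"],
    "Resource": "*", "Effect": "Allow"}}}]""")

if __name__ == "__main__":
    for sample in (PAGE_SUBSET, DRIFTED):
        for finding in audit_policy(sample) or [("-", "-", "read-only")]:
            print(finding)
```

The prefix check fails closed: a read action with an unlisted verb is flagged for manual review rather than passed. A clean result shows only that the verbs are read-style, not what data those reads expose.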

Please contact our support team for more information. [support@cloudrunr.co](mailto:support@pump.co)
