Click Roles in the IAM console, then select Create role.

Create a role with the Another AWS account scope and use Account ID: 837131528613.

Attach the policy you created in the previous steps (i.e., devo-xaccount-cs-policy).

Give this role a name (you will provide this to Devo).

Go into the newly created role and click Trust relationships → Edit trust relationship.

Change the existing policy document to the following, which allows only our collector server role to assume this role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{{YOUR_CONFIGURED_EXTERNALID}}"
        }
      }
    }
  ]
}
```
Note: New role

If you're deploying your collector using the Cloud collector app, you should use the following role instead of the one above: arn:aws:iam::476382791543:role/devo-xaccount-cc

For more information, please contact us.
Click Update Trust Policy to finish.
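The following check is an added example, not part of Devo's documentation: it audits a trust policy document (for instance, one exported from the role after the edit above) and reports whether the principal is restricted to the collector role and whether an `sts:ExternalId` condition is actually set. The function name `audit_trust_policy`, the helper `as_list` and both sample documents are assumptions constructed for illustration.

```python
import json

# Role ARN from the page; pass the ARN from the note when using the Cloud collector app.
EXPECTED_PRINCIPAL = "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"

def as_list(value):
    """IAM accepts a single value or a list for most policy fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(doc, expected_principal=EXPECTED_PRINCIPAL):
    """Return a list of findings; an empty list means the policy matches the page."""
    policy = json.loads(doc)
    findings = []
    allows = [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement found")
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if as_list(aws) != [expected_principal]:
            findings.append(f"statement {i}: principal {aws!r} is not limited to {expected_principal}")
        if as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: action is not exactly sts:AssumeRole")
        # Exact-match lookup of the condition block shown on the page.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not isinstance(ext, str) or not ext or ext.startswith("{{"):
            findings.append(f"statement {i}: sts:ExternalId is missing or still a placeholder")
    return findings

# Constructed sample: the policy from the page with a made-up external ID filled in.
EDITED = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}"""

# Constructed sample: an unedited account-wide trust policy for the same account ID.
UNEDITED = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::837131528613:root"},
  "Action": "sts:AssumeRole", "Condition": {}}]}"""

if __name__ == "__main__":
    for name, doc in (("edited", EDITED), ("unedited", UNEDITED)):
        print(name, audit_trust_policy(doc) or "OK")
```

A policy saved with the literal `{{YOUR_CONFIGURED_EXTERNALID}}` text is reported as a finding, so the check also catches a template pasted without substituting the value.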