Skip to content
Xplorr Docs

Connect an AWS Account

import { Steps } from ‘@astrojs/starlight/components’;

Connect an AWS Account

Section titled “Connect an AWS Account”

Xplorr connects to AWS using a cross-account IAM role with read-only billing permissions. No access keys, no secrets stored — just a trust relationship between your AWS account and Xplorr’s AWS account.

What Xplorr needs

Section titled “What Xplorr needs”
  • Read access to AWS Cost Explorer (ce:Get*, ce:Describe*)
  • Read access to AWS Organizations if you want to pull data from member accounts

No write permissions are ever requested.

Setup

Section titled “Setup”

  1. Start the connection flow

    In the Xplorr dashboard, go to Settings → Cloud Accounts and click Add Account → Amazon Web Services.

    You’ll see your Xplorr-assigned external ID — copy it, you’ll need it in the next step.

  2. Create the IAM role in AWS

    Open the AWS IAM console and create a new role:

    • Trusted entity type: Another AWS account
    • Account ID: 891377174505 (Xplorr’s AWS account)
    • Require external ID: Yes — paste the external ID from step 1
    • Permissions policy: Attach ReadOnlyAccess or create a custom policy with just the Cost Explorer permissions:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ce:GetCostAndUsage",
            "ce:GetCostForecast",
            "ce:GetReservationUtilization",
            "ce:GetSavingsPlansUtilization",
            "ce:DescribeCostCategoryDefinition",
            "ce:ListCostCategoryDefinitions",
            "ec2:DescribeInstances",
            "ec2:DescribeRegions",
            "organizations:ListAccounts"
          ],
          "Resource": "*"
        }
      ]
    }

    Give the role a name like XplorRReadOnly.

  3. Paste the role ARN into Xplorr

    Copy the role ARN (format: arn:aws:iam::YOUR_ACCOUNT_ID:role/XplorRReadOnly) and paste it into the Xplorr connection form.

  4. Trigger the first sync

    Click Connect. Xplorr will verify the role works and kick off an initial data pull. The first sync usually takes 2–5 minutes depending on how much billing data you have.

Verify the connection

Section titled “Verify the connection”

Once synced, go to Settings → Cloud Accounts. Your AWS account should show a green status and a timestamp for the last sync.

You can also ask Claude:

“List my connected cloud accounts”

Multiple AWS accounts

Section titled “Multiple AWS accounts”

Repeat the process for each account. If you use AWS Organizations, connect the management (payer) account first — Xplorr can pull data for all member accounts through it.

Troubleshooting

Section titled “Troubleshooting”

AssumeRole failed / unauthorized

Double-check:

  • The external ID in your IAM role trust policy matches exactly what Xplorr showed you
  • The Xplorr AWS account ID (891377174505) is in the trusted entities list

No cost data showing

AWS Cost Explorer has up to 24 hours of data lag. If you just created the account, wait a day and trigger a manual sync from Settings → Cloud Accounts → Sync.