To create a cross-account position in CloudFormation, you possibly can comply with these steps:
1. Create a CloudFormation template
Create a brand new CloudFormation template in YAML or JSON format. This template will outline the sources, together with the cross-account position, that you simply need to create.
2. Outline the cross-account position
Inside your CloudFormation template, outline the cross-account position utilizing the AWS::IAM::Position
useful resource kind. Specify the mandatory properties comparable to RoleName
, AssumeRolePolicyDocument
, and ManagedPolicyArns
.
RoleName
: Present a reputation for the cross-account position.AssumeRolePolicyDocument
: Specify the belief coverage that determines which accounts are allowed to imagine this position. It ought to embrace the AWS account ID or ARN of the trusted account(s) that can assume the position.ManagedPolicyArns
: Optionally, you possibly can connect managed insurance policies to the position by specifying their Amazon Useful resource Names (ARNs). These insurance policies outline the permissions and entry rights for the position.
3. Grant permissions for cross-account entry
Within the account that can be assuming the cross-account position, you could grant permissions to the trusted account to imagine the position. That is usually performed by creating an IAM coverage within the trusted account and attaching it to a person, group, or position.
4. Deploy the CloudFormation stack
Use the AWS Administration Console, AWS CLI, or SDKs to deploy the CloudFormation stack utilizing your template. Guarantee that you’ve got the mandatory permissions in each the trusted and trusting accounts.
When the CloudFormation stack is deployed, it can create the cross-account position within the trusting account. The trusted account(s) can then assume the position and entry sources within the trusting account primarily based on the permissions granted to the position.
It’s essential to make sure that the suitable belief relationships and permissions are in place to securely set up cross-account entry.
Instance of CloudFormation code
Right here’s an instance of CloudFormation code to create a cross-account position:
AWSTemplateFormatVersion: '2010-09-09'
Sources:
CrossAccountRole:
Sort: 'AWS::IAM::Position'
Properties:
RoleName: MyCrossAccountRole
AssumeRolePolicyDocument:
Model: '2012-10-17'
Assertion:
- Impact: Enable
Principal:
AWS:
- 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
Motion: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::AWS_MANAGED_POLICY_ARN'
- 'arn:aws:iam::ANOTHER_MANAGED_POLICY_ARN'
On this instance:
- The
RoleName
property units the title of the cross-account position to “MyCrossAccountRole”. You may change it as per your desire. - The
AssumeRolePolicyDocument
specifies the belief coverage permitting solely the trusted account with the requiredTRUSTED_ACCOUNT_ID
to imagine the position. ModifyTRUSTED_ACCOUNT_ID
to the precise AWS account ID or ARN of the trusted account. - The
ManagedPolicyArns
property permits you to connect a number of managed insurance policies to the position. The instance consists of two instance ARNs (AWS_MANAGED_POLICY_ARN
andANOTHER_MANAGED_POLICY_ARN
) which you could substitute with the precise ARNs of the managed insurance policies you need to connect.
Within the different account (the trusted account), you could create an IAM coverage that grants permissions to imagine the cross-account position created within the trusting account. Right here’s an instance of CloudFormation code which you could run within the trusted account:
AWSTemplateFormatVersion: '2010-09-09'
Sources:
CrossAccountAccessPolicy:
Sort: 'AWS::IAM::Coverage'
Properties:
PolicyName: CrossAccountAccessPolicy
PolicyDocument:
Model: '2012-10-17'
Assertion:
- Impact: Enable
Motion: 'sts:AssumeRole'
Useful resource: 'arn:aws:iam::TRUSTING_ACCOUNT_ID:position/MyCrossAccountRole'
Roles:
- Ref: CrossAccountAccessRole
CrossAccountAccessRole:
Sort: 'AWS::IAM::Position'
Properties:
RoleName: CrossAccountAccessRole
AssumeRolePolicyDocument:
Model: '2012-10-17'
Assertion:
- Impact: Enable
Principal:
AWS:
- 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
Motion: 'sts:AssumeRole'
On this instance:
- The
CrossAccountAccessPolicy
useful resource defines an IAM coverage named “CrossAccountAccessPolicy” that permits the trusted account to imagine the position created within the trusting account. - The
PolicyDocument
specifies the permissions granted by the coverage. On this case, it permits the trusted account to carry out thests:AssumeRole
motion on the position with the ARN'arn:aws:iam::TRUSTING_ACCOUNT_ID:position/MyCrossAccountRole'
. ModifyTRUSTING_ACCOUNT_ID
to the precise AWS account ID or ARN of the trusting account, and regulate the position ARN in case you have custom-made the position title. - The
CrossAccountAccessRole
useful resource creates a placeholder IAM position with the title “CrossAccountAccessRole” within the trusted account. The trusted account assumes this position to entry sources within the trusting account.
Bear in mind to interchange the placeholder values and modify the code to suit your particular account IDs, position names, and any further permissions or insurance policies required.