How to Create a Cross-Account Role in CloudFormation


To create a cross-account role in CloudFormation, you can follow these steps:

1. Create a CloudFormation template

Create a new CloudFormation template in YAML or JSON format. This template will define the resources, including the cross-account role, that you want to create.

2. Define the cross-account role

Within your CloudFormation template, define the cross-account role using the AWS::IAM::Role resource type. The properties that matter are RoleName, AssumeRolePolicyDocument, and ManagedPolicyArns.

  • RoleName: Optionally provide a fixed name for the cross-account role. If you omit it, CloudFormation generates a unique name; if you set it, the stack must be deployed with the CAPABILITY_NAMED_IAM capability, and the name must be unique within the account.
  • AssumeRolePolicyDocument: The trust policy that determines who may assume this role. It names the trusted account (its root ARN) or, more narrowly, a specific IAM role or user in that account, and can add a Condition (for example on sts:ExternalId) that callers must satisfy.
  • ManagedPolicyArns: Optionally attach managed policies to the role by their Amazon Resource Names (ARNs). These policies define what the role is allowed to do in the trusting account, so keep them scoped to what the caller actually needs.

3. Grant permissions for cross-account access

In the trusted account (the one whose principals will assume the cross-account role), grant those principals permission to call sts:AssumeRole on the role's ARN. The trust policy alone is not enough: when the trust policy names the trusted account's root, the call succeeds only if an identity-based policy on the calling user, group, or role in the trusted account also allows sts:AssumeRole on that role. This is typically done by creating an IAM policy in the trusted account and attaching it to the user, group, or role that needs the access.

4. Deploy the CloudFormation stack

Use the AWS Management Console, AWS CLI, or SDKs to deploy the CloudFormation stack using your template. Because the template creates IAM resources, the deployment must acknowledge the CAPABILITY_IAM capability (CAPABILITY_NAMED_IAM if you set RoleName), for example with `--capabilities CAPABILITY_NAMED_IAM` on the CLI. Ensure that you have the necessary permissions in both the trusted and trusting accounts, since the two templates are deployed in different accounts.

When the CloudFormation stack is deployed, it will create the cross-account role in the trusting account. The trusted account(s) can then assume the role and access resources in the trusting account based on the permissions granted to the role.

It's important to ensure that the appropriate trust relationships and permissions are in place to securely establish cross-account access. If the trusted account belongs to a third party, add an sts:ExternalId condition to the trust policy and have the caller pass the same value to AssumeRole; this guards against the confused deputy problem, where the third party is tricked into using its access on behalf of someone else.

Example of CloudFormation code

Here’s an example of CloudFormation code to create a cross-account role:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: MyCrossAccountRole
      # Trust policy: who may call sts:AssumeRole on this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                # Trusts every principal in the trusted account that has
                # sts:AssumeRole permission on this role's ARN.
                - 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
            Action: 'sts:AssumeRole'
      # Permissions policies: what the role may do once assumed.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
        - 'arn:aws:iam::TRUSTING_ACCOUNT_ID:policy/MyCustomerManagedPolicy'

In this example:

  • The RoleName property sets the name of the cross-account role to "MyCrossAccountRole". You can change it as per your preference.
  • The AssumeRolePolicyDocument specifies the trust policy allowing only the account with the specified TRUSTED_ACCOUNT_ID to assume the role. Replace TRUSTED_ACCOUNT_ID with the 12-digit AWS account ID of the trusted account. Because the principal is that account's root, any IAM user or role in the trusted account that has sts:AssumeRole permission on this role can assume it; to narrow the trust, replace the root ARN with the ARN of a specific role, and add a Condition on sts:ExternalId for third-party callers.
  • The ManagedPolicyArns property attaches one or more managed policies to the role. The example shows the two ARN shapes you will meet: an AWS managed policy (account field is the literal `aws`, here ReadOnlyAccess) and a customer managed policy in the trusting account (replace TRUSTING_ACCOUNT_ID and the policy name with your own). Swap in the policies that grant the permissions the caller actually needs.

In the other account (the trusted account), you need to create an IAM policy that grants permission to assume the cross-account role created in the trusting account. Here's an example of CloudFormation code that you can deploy in the trusted account:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Identity policy: lets sessions of CrossAccountAccessRole call
  # sts:AssumeRole on the role that lives in the trusting account.
  CrossAccountAccessPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: CrossAccountAccessPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            # Name the exact target role rather than '*'.
            Resource: 'arn:aws:iam::TRUSTING_ACCOUNT_ID:role/MyCrossAccountRole'
      Roles:
        - !Ref CrossAccountAccessRole
  # Local role in the trusted account that carries the policy above.
  CrossAccountAccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: CrossAccountAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                # This is the trusted account's own ID: principals in this
                # account may assume the local role and then chain onward.
                - 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
            Action: 'sts:AssumeRole'

In this example:

  • The CrossAccountAccessPolicy resource defines an IAM policy named "CrossAccountAccessPolicy" and attaches it, through the Roles property, to CrossAccountAccessRole. Any session of that role is thereby allowed to assume the role created in the trusting account.
  • The PolicyDocument specifies the permissions granted by the policy. In this case, it allows the sts:AssumeRole action on the single role ARN 'arn:aws:iam::TRUSTING_ACCOUNT_ID:role/MyCrossAccountRole'. Replace TRUSTING_ACCOUNT_ID with the 12-digit AWS account ID of the trusting account, and adjust the role ARN if you have customized the role name. Avoid a Resource of '*', which would let the caller assume any role in any account that happens to trust it.
  • The CrossAccountAccessRole resource creates a local IAM role named "CrossAccountAccessRole" in the trusted account, trusting that account's own principals. Those principals assume the local role first and then assume MyCrossAccountRole from it. This is role chaining, so the second session is capped at one hour regardless of the target role's MaxSessionDuration. In practice the local role's trust policy is usually replaced by the service principal of whatever runs the workload (for example EC2 or Lambda), or the identity policy is attached directly to the users or roles that need the access.

Remember to replace the placeholder values and modify the code to fit your specific account IDs, role names, and any additional permissions or policies required.
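The checks a reviewer applies to both templates above can be automated. The following is an added example written for this page, not code from AWS or from the original article: a small linter over the JSON form of a CloudFormation template that flags the weak spots discussed in this article (a whole-account `:root` trust, a cross-account trust with no sts:ExternalId or aws:PrincipalOrgID condition, an AdministratorAccess attachment on the trusting side, and sts:AssumeRole granted on Resource `*` on the trusted side). It runs the page's trusting-account template as written next to a hardened variant that names one role in the trusted account and pins an ExternalId. The account IDs, the `example-external-id` value and the hardened template itself are constructed for the example; the intrinsic-function-free JSON form is used so it runs with the standard library alone.

```python
# Constructed inputs: JSON form of the page's templates with fake 12-digit account IDs.
TRUSTING_ACCOUNT_ID = "111111111111"   # account that owns MyCrossAccountRole
TRUSTED_ACCOUNT_ID = "222222222222"    # account whose principals assume it


def _as_list(value):
    """IAM allows a scalar or a list for Action, Resource and Principal.AWS; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the account ID in an AWS principal (bare ID or ARN), else None."""
    if principal.isdigit() and len(principal) == 12:   # bare account ID == that account's root
        return principal
    parts = principal.split(":")                        # arn:aws:iam::ACCOUNT:resource
    return parts[4] if len(parts) > 5 else None


def lint_trust_policy(logical_id, doc, own_account):
    """Flag over-broad principals and missing conditions in a role trust policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action")) if isinstance(a, str)}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"{logical_id}: trust policy allows any AWS principal ('*')")
            continue
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        for p in aws_principals:
            acct = _account_of(p) if isinstance(p, str) else None
            if acct is None or acct == own_account:
                continue                                # same-account trust is not cross-account
            if p.isdigit() or p.endswith(":root"):
                findings.append(f"{logical_id}: trusts all of account {acct} (:root); prefer a specific role ARN")
            if not cond_keys & {"sts:externalid", "aws:principalorgid"}:
                findings.append(f"{logical_id}: cross-account trust of {acct} has no sts:ExternalId or aws:PrincipalOrgID condition")
    return findings


def lint_identity_policy(logical_id, doc):
    """Flag sts:AssumeRole granted on Resource '*' in an identity policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action")) if isinstance(a, str)}
        if (stmt.get("Effect") == "Allow" and actions & {"sts:assumerole", "sts:*", "*"}
                and "*" in _as_list(stmt.get("Resource"))):
            findings.append(f"{logical_id}: allows sts:AssumeRole on Resource '*'; name the target role ARN")
    return findings


def lint_template(template, own_account):
    """Walk every IAM role and policy in a parsed template and collect findings."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            findings += lint_trust_policy(logical_id, props.get("AssumeRolePolicyDocument", {}), own_account)
            for arn in _as_list(props.get("ManagedPolicyArns")):
                if isinstance(arn, str) and arn.endswith("/AdministratorAccess"):
                    findings.append(f"{logical_id}: attaches AdministratorAccess; grant only what the caller needs")
        elif res.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            findings += lint_identity_policy(logical_id, props.get("PolicyDocument", {}))
    return findings


def _role(principal, condition=None, policy="arn:aws:iam::aws:policy/ReadOnlyAccess"):
    """Build the page's trusting-account role resource with the given trust statement."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": [principal]}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": "MyCrossAccountRole",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [stmt]},
        "ManagedPolicyArns": [policy]}}


# The page's template as written: whole-account trust, no ExternalId, broad policy.
WEAK_TEMPLATE = {"Resources": {"CrossAccountRole": _role(
    f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root",
    policy="arn:aws:iam::aws:policy/AdministratorAccess")}}

# Hardened variant (constructed): one named role in the trusted account, ExternalId pinned, read-only.
HARDENED_TEMPLATE = {"Resources": {"CrossAccountRole": _role(
    f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:role/CrossAccountAccessRole",
    condition={"StringEquals": {"sts:ExternalId": "example-external-id"}})}}

# Trusted-account side (constructed): an identity policy that names no target role at all.
WEAK_TRUSTED_SIDE = {"Resources": {"CrossAccountAccessPolicy": {
    "Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "CrossAccountAccessPolicy",
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}}}}}
```

Run `lint_template(WEAK_TEMPLATE, TRUSTING_ACCOUNT_ID)` to see the three findings against the page's template, and the same call with `HARDENED_TEMPLATE` to see it come back clean; `lint_template(WEAK_TRUSTED_SIDE, TRUSTED_ACCOUNT_ID)` flags the wildcard resource. The linter deliberately skips same-account trusts, so the local `CrossAccountAccessRole` trusting its own account's root is not reported; it also ignores intrinsic functions, so run it on a rendered template or resolve `Ref`/`Sub` values first.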