To create a cross-account role in CloudFormation, you can follow these steps:
1. Create a CloudFormation template
Create a new CloudFormation template in YAML or JSON format. This template will define the resources, including the cross-account role, that you want to create.
2. Define the cross-account role
Within your CloudFormation template, define the cross-account role using the AWS::IAM::Role resource type. Specify the necessary properties, such as:
RoleName: Provide a name for the cross-account role.
AssumeRolePolicyDocument: Specify the trust policy that determines which accounts are allowed to assume this role. It should include the AWS account ID or ARN of the trusted account(s) that will assume the role.
ManagedPolicyArns: Optionally, you can attach managed policies to the role by specifying their Amazon Resource Names (ARNs). These policies define the permissions and access rights for the role.
3. Grant permissions for cross-account access
In the trusted account (the one whose principals will assume the cross-account role), grant those principals permission to call sts:AssumeRole on the role. This is typically done by creating an IAM policy in the trusted account and attaching it to a user, group, or role.
4. Deploy the CloudFormation stack
Use the AWS Management Console, AWS CLI, or SDKs to deploy the CloudFormation stack using your template. Ensure that you have the necessary permissions in both the trusted and trusting accounts.
When the CloudFormation stack is deployed, it will create the cross-account role in the trusting account. The trusted account(s) can then assume the role and access resources in the trusting account based on the permissions granted to the role.
It’s important to ensure that the appropriate trust relationships and permissions are in place to securely establish cross-account access.
Example of CloudFormation code
Here’s an example of CloudFormation code to create a cross-account role:
In this example:
The RoleName property sets the name of the cross-account role to “MyCrossAccountRole”. You can change it as per your preference.
The AssumeRolePolicyDocument specifies the trust policy, allowing only the trusted account with the specified TRUSTED_ACCOUNT_ID to assume the role. Replace TRUSTED_ACCOUNT_ID with the actual AWS account ID or ARN of the trusted account.
The ManagedPolicyArns property allows you to attach one or more managed policies to the role. The example includes two placeholder ARNs (such as ANOTHER_MANAGED_POLICY_ARN) that you can replace with the actual ARNs of the managed policies you want to attach.
In the other account (the trusted account), you need to create an IAM policy that grants permissions to assume the cross-account role created in the trusting account. Here’s an example of CloudFormation code that you can run in the trusted account:
In this example:
The CrossAccountAccessPolicy resource defines an IAM policy named “CrossAccountAccessPolicy” that allows the trusted account to assume the role created in the trusting account.
Its PolicyDocument specifies the permissions granted by the policy. In this case, it allows the trusted account to perform the sts:AssumeRole action on the role ARN that references TRUSTING_ACCOUNT_ID. Replace TRUSTING_ACCOUNT_ID with the actual AWS account ID or ARN of the trusting account, and adjust the role ARN if you have customized the role name.
The CrossAccountAccessRole resource creates a placeholder IAM role named “CrossAccountAccessRole” in the trusted account. The trusted account assumes this role to access resources in the trusting account.
Remember to replace the placeholder values and modify the code to fit your specific account IDs, role names, and any additional permissions or policies required.
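The two templates this walkthrough describes (the role in the trusting account, and the assume policy plus placeholder role in the trusted account), built as JSON CloudFormation and checked by a small lint. This is an added example, not the article's own code: the account IDs, the managed-policy ARN, the ExternalId value and the function names (trusting_account_template, trusted_account_template, iam_findings, weak_templates) are all constructed here. It goes one step beyond the article in two ways: the trust policy carries an sts:ExternalId condition, and weak_templates produces the over-broad variants (a wildcard principal, sts:AssumeRole on Resource "*") that the lint is meant to catch before deployment.

```python
import json

# Constructed placeholder values; none of them come from the article.
TRUSTING_ACCOUNT_ID = "111111111111"  # account that will own MyCrossAccountRole
TRUSTED_ACCOUNT_ID = "222222222222"   # account whose principals assume it
ROLE_NAME = "MyCrossAccountRole"
MANAGED_POLICY_ARNS = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
EXTERNAL_ID = "replace-with-a-random-external-id"  # hypothetical shared value


def trusting_account_template(trusted_account_id, role_name, managed_policy_arns, external_id):
    """Template for the trusting account. The AssumeRolePolicyDocument names a
    single trusted account and requires the caller to present the ExternalId."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "CrossAccountRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                            "Action": "sts:AssumeRole",
                            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
                        }],
                    },
                    "ManagedPolicyArns": list(managed_policy_arns),
                },
            }
        },
    }


def trusted_account_template(trusted_account_id, trusting_account_id, role_name):
    """Template for the trusted account: a placeholder role plus an inline
    policy that grants sts:AssumeRole on exactly one role ARN."""
    target_role_arn = f"arn:aws:iam::{trusting_account_id}:role/{role_name}"
    own_root = f"arn:aws:iam::{trusted_account_id}:root"
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "CrossAccountAccessRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": "CrossAccountAccessRole",
                    # Trusts the trusted account's own principals; narrow as needed.
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Principal": {"AWS": own_root},
                                       "Action": "sts:AssumeRole"}],
                    },
                },
            },
            "CrossAccountAccessPolicy": {
                "Type": "AWS::IAM::Policy",
                "Properties": {
                    "PolicyName": "CrossAccountAccessPolicy",
                    "Roles": [{"Ref": "CrossAccountAccessRole"}],  # Ref of a role is its name
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                       "Resource": target_role_arn}],
                    },
                },
            },
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_findings(template, own_account_id):
    """Return human-readable findings for over-broad trust or AssumeRole grants.
    own_account_id is the account the template will be deployed into."""
    findings = []
    for name, res in template["Resources"].items():
        props = res["Properties"]
        if res["Type"] == "AWS::IAM::Role":
            for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
                principal = stmt.get("Principal", {})
                aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
                if "*" in aws:
                    findings.append(f"{name}: trust policy allows any AWS principal")
                # Any principal outside our own account (or a wildcard) should be pinned by ExternalId
                foreign = [p for p in aws if own_account_id not in p]
                condition = stmt.get("Condition", {}).get("StringEquals", {})
                if foreign and "sts:ExternalId" not in condition:
                    findings.append(f"{name}: trusts another account without an sts:ExternalId condition")
        elif res["Type"] == "AWS::IAM::Policy":
            for stmt in props["PolicyDocument"]["Statement"]:
                if "sts:AssumeRole" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
                    findings.append(f"{name}: sts:AssumeRole on Resource '*' instead of one role ARN")
    return findings


def weak_templates():
    """The same two templates with the settings the lint is meant to catch."""
    trusting = trusting_account_template(TRUSTED_ACCOUNT_ID, ROLE_NAME, MANAGED_POLICY_ARNS, EXTERNAL_ID)
    stmt = trusting["Resources"]["CrossAccountRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"][0]
    stmt["Principal"] = {"AWS": "*"}  # anyone may assume the role
    del stmt["Condition"]             # and no ExternalId is required
    trusted = trusted_account_template(TRUSTED_ACCOUNT_ID, TRUSTING_ACCOUNT_ID, ROLE_NAME)
    policy = trusted["Resources"]["CrossAccountAccessPolicy"]["Properties"]["PolicyDocument"]
    policy["Statement"][0]["Resource"] = "*"  # may assume any role that trusts this account
    return trusting, trusted


if __name__ == "__main__":
    good = trusting_account_template(TRUSTED_ACCOUNT_ID, ROLE_NAME, MANAGED_POLICY_ARNS, EXTERNAL_ID)
    print(json.dumps(good, indent=2))  # deployable JSON template for the trusting account
    weak_trusting, weak_trusted = weak_templates()
    for line in iam_findings(weak_trusting, TRUSTING_ACCOUNT_ID) + iam_findings(weak_trusted, TRUSTED_ACCOUNT_ID):
        print("FINDING:", line)
```

Dump either template with json.dumps(..., indent=2) and deploy it as in step 4; CloudFormation accepts JSON templates as well as YAML. With the ExternalId condition in place, the caller in the trusted account must pass the same value to sts:AssumeRole or the request is denied, which protects the role against being assumed through an unrelated third party that happens to be trusted by the same account.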