Tuesday, July 7, 2026
HomeSoftware Engineeringyou create a Cross Account Position in CloudFormation

you create a Cross Account Position in CloudFormation

[ad_1]

To create a cross-account function in CloudFormation, you may comply with these steps:

1. Create a CloudFormation template

Create a brand new CloudFormation template in YAML or JSON format. This template will outline the sources, together with the cross-account function, that you just wish to create.

2. Outline the cross-account function

Inside your CloudFormation template, outline the cross-account function utilizing the AWS::IAM::Position useful resource sort. Specify the mandatory properties akin to RoleName, AssumeRolePolicyDocument, and ManagedPolicyArns.

  • RoleName: Present a reputation for the cross-account function.
  • AssumeRolePolicyDocument: Specify the belief coverage that determines which accounts are allowed to imagine this function. It ought to embrace the AWS account ID or ARN of the trusted account(s) that can assume the function.
  • ManagedPolicyArns: Optionally, you may connect managed insurance policies to the function by specifying their Amazon Useful resource Names (ARNs). These insurance policies outline the permissions and entry rights for the function.

3. Grant permissions for cross-account entry

Within the account that can be assuming the cross-account function, it’s essential grant permissions to the trusted account to imagine the function. That is usually carried out by creating an IAM coverage within the trusted account and attaching it to a person, group, or function.

4. Deploy the CloudFormation stack

Use the AWS Administration Console, AWS CLI, or SDKs to deploy the CloudFormation stack utilizing your template. Guarantee that you’ve got the mandatory permissions in each the trusted and trusting accounts.

When the CloudFormation stack is deployed, it is going to create the cross-account function within the trusting account. The trusted account(s) can then assume the function and entry sources within the trusting account based mostly on the permissions granted to the function.

It’s necessary to make sure that the suitable belief relationships and permissions are in place to securely set up cross-account entry.

Instance of CloudFormation code

Right here’s an instance of CloudFormation code to create a cross-account function:

AWSTemplateFormatVersion: '2010-09-09'
Sources:
  CrossAccountRole:
    Kind: 'AWS::IAM::Position'
    Properties:
      RoleName: MyCrossAccountRole
      AssumeRolePolicyDocument:
        Model: '2012-10-17'
        Assertion:
          - Impact: Enable
            Principal:
              AWS:
                - 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
            Motion: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::AWS_MANAGED_POLICY_ARN'
        - 'arn:aws:iam::ANOTHER_MANAGED_POLICY_ARN'

On this instance:

  • The RoleName property units the identify of the cross-account function to “MyCrossAccountRole”. You possibly can change it as per your desire.
  • The AssumeRolePolicyDocument specifies the belief coverage permitting solely the trusted account with the desired TRUSTED_ACCOUNT_ID to imagine the function. Modify TRUSTED_ACCOUNT_ID to the precise AWS account ID or ARN of the trusted account.
  • The ManagedPolicyArns property permits you to connect a number of managed insurance policies to the function. The instance consists of two instance ARNs (AWS_MANAGED_POLICY_ARN and ANOTHER_MANAGED_POLICY_ARN) that you could substitute with the precise ARNs of the managed insurance policies you wish to connect.

Within the different account (the trusted account), it’s essential create an IAM coverage that grants permissions to imagine the cross-account function created within the trusting account. Right here’s an instance of CloudFormation code that you could run within the trusted account:

AWSTemplateFormatVersion: '2010-09-09'
Sources:
  CrossAccountAccessPolicy:
    Kind: 'AWS::IAM::Coverage'
    Properties:
      PolicyName: CrossAccountAccessPolicy
      PolicyDocument:
        Model: '2012-10-17'
        Assertion:
          - Impact: Enable
            Motion: 'sts:AssumeRole'
            Useful resource: 'arn:aws:iam::TRUSTING_ACCOUNT_ID:function/MyCrossAccountRole'
      Roles:
        - Ref: CrossAccountAccessRole
  CrossAccountAccessRole:
    Kind: 'AWS::IAM::Position'
    Properties:
      RoleName: CrossAccountAccessRole
      AssumeRolePolicyDocument:
        Model: '2012-10-17'
        Assertion:
          - Impact: Enable
            Principal:
              AWS:
                - 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
            Motion: 'sts:AssumeRole'

On this instance:

  • The CrossAccountAccessPolicy useful resource defines an IAM coverage named “CrossAccountAccessPolicy” that enables the trusted account to imagine the function created within the trusting account.
  • The PolicyDocument specifies the permissions granted by the coverage. On this case, it permits the trusted account to carry out the sts:AssumeRole motion on the function with the ARN 'arn:aws:iam::TRUSTING_ACCOUNT_ID:function/MyCrossAccountRole'. Modify TRUSTING_ACCOUNT_ID to the precise AWS account ID or ARN of the trusting account, and regulate the function ARN when you’ve got custom-made the function identify.
  • The CrossAccountAccessRole useful resource creates a placeholder IAM function with the identify “CrossAccountAccessRole” within the trusted account. The trusted account assumes this function to entry sources within the trusting account.

Keep in mind to exchange the placeholder values and modify the code to suit your particular account IDs, function names, and any extra permissions or insurance policies required.

[ad_2]

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments