How to grant cross-account AWS access for CloudFormation StackSets

You want to enable AWS CloudFormation StackSets  so that you can create, update, or delete stacks across multiple accounts and regions with a single operation.

Step-by-step guide

This requires an IAM role which (only) the CloudFormation service can assume. The IAM role in turn facilitates a managed IAM policy to govern which specific permissions are granted. To ease getting started, we will reuse the official arn:aws:iam::aws:policy/AdministratorAccess policy at first, though this should be replaced with something more tailored and constrained as we go.

In order to provision this IAM role as infrastructure as code via an AWS CloudFormation template, you'll need to create a CloudFormation stack from our cross-account-cloudformation-access.yaml template (this combines the two documented AWS templates into a single one for ease of use) with a name of your choosing:

1. To achieve this, you can either log into the AWS Management Console, switch to the AWS region were you want to create the stack, and then click on this

   

    URL, or you can create a stack manually via one of the following approaches:

   • Creating a Stack on the AWS CloudFormation Console

   • Creating a Stack with the AWS Command Line Interface

   For the manual approach, when asked to "Specify an Amazon S3 template URL" on the console, please reference the URL of our cross-account-cloudformation-access.yaml template.

2. Supply the following parameters:

   1. Stack name (rename as you see fit): cross-account-cloudformation-access

   2. ID of your administrator account (required): <your organizational master account>

   3. Managed IAM policy ARN (keep for now):  arn:aws:iam::aws:policy/AdministratorAccess

3. Finally you'll also need to acknowledge that the template creates IAM resources. 

Related articles