How to grant cross-account AWS access for CloudFormation StackSets
You want to enable AWS CloudFormation StackSets so that you can create, update, or delete stacks across multiple accounts and regions with a single operation.
Step-by-step guide
This requires an IAM role which (only) the CloudFormation service can assume. That role in turn carries a managed IAM policy that governs which specific permissions are actually granted. To ease getting started, we reuse the official arn:aws:iam::aws:policy/AdministratorAccess policy at first; it should be replaced with a more tailored and constrained policy as we go.
To provision this IAM role as infrastructure as code via an AWS CloudFormation template, create a CloudFormation stack from our cross-account-cloudformation-access.yaml template (it combines the two documented AWS templates into a single one for ease of use) with a name of your choosing:
To achieve this, you can either log into the AWS Management Console, switch to the AWS region where you want to create the stack, and then click on this URL, or you can create a stack manually via one of the following approaches:
For the manual approach, when asked to "Specify an Amazon S3 template URL" on the console, please reference the URL of our cross-account-cloudformation-access.yaml template.
Supply the following parameters:
Stack name (rename as you see fit): cross-account-cloudformation-access
ID of your administrator account (required): <your organizational master account>
Managed IAM policy ARN (keep for now): arn:aws:iam::aws:policy/AdministratorAccess
Finally, you'll also need to acknowledge that the template creates IAM resources.
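To make the mechanism behind the steps above concrete, here is an illustrative template (an added example, not Utoolity's cross-account-cloudformation-access.yaml, whose contents are not reproduced in this article). It is modelled on the two AWS-documented StackSets templates the article says it combines: an administration role trusted only by the CloudFormation service principal, and an execution role whose permissions are bounded by a managed policy. The parameter names AdministratorAccountId and ManagedPolicyArn are assumptions chosen to mirror the two stack parameters listed above; the role names AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationStackSetExecutionRole are the fixed names that StackSets self-managed permissions expect.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Illustrative StackSets cross-account access template (added example, not the
  Utoolity template): an administration role that only the CloudFormation
  service can assume, plus an execution role governed by a managed policy.

Parameters:
  # Assumed parameter name; mirrors "ID of your administrator account" above.
  AdministratorAccountId:
    Type: String
    Description: AWS account ID of the StackSets administrator (management) account.
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: must be a 12-digit AWS account ID
  # Assumed parameter name; mirrors "Managed IAM policy ARN" above.
  ManagedPolicyArn:
    Type: String
    Description: Managed policy ARN that bounds what the execution role may do.
    Default: arn:aws:iam::aws:policy/AdministratorAccess

Resources:
  # Administration role: lives in the administrator account and is trusted
  # exclusively by the CloudFormation service principal, not by any user.
  AdministrationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetAdministrationRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                # The only thing this role may do is hop into the execution
                # role of a target account; nothing else is granted here.
                Resource: !Sub arn:${AWS::Partition}:iam::*:role/AWSCloudFormationStackSetExecutionRole

  # Execution role: deployed in every target account. Its effective
  # permissions are whatever ManagedPolicyArn allows, so swapping the
  # AdministratorAccess default for a scoped policy is the main tightening.
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # Trusts the administrator account, as in the AWS-documented
              # template; see the note below on narrowing this further.
              AWS: !Sub arn:${AWS::Partition}:iam::${AdministratorAccountId}:root
            Action: sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - !Ref ManagedPolicyArn
```

Because both roles carry an explicit RoleName, creating the stack requires the CAPABILITY_NAMED_IAM acknowledgement, which is the "creates IAM resources" checkbox mentioned in the last step. The execution role's trust policy above accepts the whole administrator account; once the administration role exists, it can be narrowed to that role's ARN (arn:aws:iam::<administrator account>:role/AWSCloudFormationStackSetAdministrationRole) so that only the StackSets path into the target account remains, and the AdministratorAccess default should be replaced with a policy listing just the resource types your stack sets actually deploy.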
© 2024 Utoolity GmbH. All rights reserved.