To create a cross-account role in Terraform, you can carry out the following steps:
1. Define the IAM role
Define the IAM role in the Terraform configuration:
resource "aws_iam_role" "cross_account_role" {
  name               = "CrossAccountRole"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
In the assume_role_policy block, replace <ACCOUNT_ID> with the AWS account ID of the target account that may assume this role. A principal of the form arn:aws:iam::<ACCOUNT_ID>:root trusts the whole account: any user or role in it that is permitted to call sts:AssumeRole can assume the role.
2. Attach the necessary policies
Attach the necessary policies to the role. Policies define the permissions granted to the role:
resource "aws_iam_role_policy_attachment" "cross_account_role_attachment" {
  role       = aws_iam_role.cross_account_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" # Example policy
}
Replace "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" with the ARN of the policy you want to attach to the role.
3. Create a role trust relationship
Create a role trust relationship in the target AWS account to permit the cross-account access. This step is carried out outside of Terraform. You need to log in to the target AWS account and create a role trust policy for the role created in the earlier steps.
Here's an example of the trust policy in JSON format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Replace <SOURCE_ACCOUNT_ID> with the AWS account ID where the role is created.
4. Use the created cross-account role
Use the created cross-account role for other resources by configuring a provider alias that assumes the role's ARN and referencing that provider from the resource (aws_s3_bucket itself has no role_arn argument; the role is assumed at the provider level):
provider "aws" {
  alias = "cross_account"
  assume_role {
    # Specify the ARN of the cross-account role
    role_arn = aws_iam_role.cross_account_role.arn
  }
}

resource "aws_s3_bucket" "example_bucket" {
  provider = aws.cross_account
  bucket   = "example-bucket"
}
Remember to run terraform init, terraform plan, and terraform apply to initialize the Terraform configuration, plan the changes, and apply them to create the cross-account role.
5. What you have to do in the target account
In addition to creating the IAM role in the source account using Terraform, you also need to carry out the following steps in the target account to establish the cross-account access:
- Log in to the AWS Management Console of the target account.
- Navigate to the IAM service.
- Create a new IAM role that can assume the cross-account role.
- Attach a trust policy to the newly created role to allow the source account to assume this role.
- Click on "Trust relationships" for the role.
- Click on "Edit trust relationship."
- Specify the trust policy document with the necessary permissions. Here's an example of the trust policy in JSON format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Replace <SOURCE_ACCOUNT_ID> with the AWS account ID where the cross-account role is created.
- Click on "Update Trust Policy" to save the changes.
- Once the trust policy is set up, you can use the ARN of the cross-account role in the source account to grant the necessary permissions to resources in the target account.
By configuring the trust policy in the target account, you allow the required role in the source account to assume the cross-account role and access resources in the target account.
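The trust policies above name a whole account (":root"), so every principal in that account that may call sts:AssumeRole can use the role. As an added example that is not part of the original post, here is the same two-account setup written entirely in Terraform with a narrowed trust relationship: the role lives in the target account, trusts only one named role in the source account (TerraformDeployer, an assumed name that must already exist there) and requires an external ID. The account IDs and the external ID are constructed placeholders, and the two parts are separate root modules applied with credentials from their respective accounts.

```hcl
# Added example, not from the original post. Two root modules, one per
# account; account IDs and the external ID are constructed placeholders.
# --- target-account/main.tf: applied with credentials in the target account ---
variable "source_account_id" { default = "111111111111" }
variable "external_id" { default = "example-external-id" }

# Trust a single named role in the source account, and only when it presents
# the external ID; ":root" would admit every AssumeRole-capable principal there.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.source_account_id}:role/TerraformDeployer"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "cross_account_role" {
  name               = "CrossAccountRole"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.cross_account_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

# --- source-account/main.tf: applied as TerraformDeployer in the source account ---
variable "target_account_id" { default = "222222222222" }

# Provider that assumes the target-account role; resources managed through it
# reference "provider = aws.target".
provider "aws" {
  alias = "target"
  assume_role {
    role_arn    = "arn:aws:iam::${var.target_account_id}:role/CrossAccountRole"
    external_id = "example-external-id"
  }
}

resource "aws_s3_bucket" "example_bucket" {
  provider = aws.target
  bucket   = "example-bucket"
}
```

Apply the target-account module first: IAM rejects a trust policy whose principal role does not exist, so TerraformDeployer must be present in the source account before that apply, and the source-account module can only plan once CrossAccountRole exists.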