How to Create a Cross-Account Role in CloudFormation

To create a cross-account role in CloudFormation, follow these steps:

1. Create a CloudFormation template

Create a new CloudFormation template in YAML or JSON format. This template will define the resources, including the cross-account role, that you want to create.

2. Define the cross-account role

Within your CloudFormation template, define the cross-account role using the AWS::IAM::Role resource type. Specify the required properties such as RoleName, AssumeRolePolicyDocument, and ManagedPolicyArns:

  • RoleName: Provide a name for the cross-account role.
  • AssumeRolePolicyDocument: Define the trust policy that determines which accounts are allowed to assume this role. It must include the AWS account ID or ARN of the trusted account(s) that will assume the role.
  • ManagedPolicyArns: Optionally, attach managed policies to the role by specifying their Amazon Resource Names (ARNs). These policies define the permissions and access rights of the role.

3. Grant permissions for cross-account access

In the account that will be assuming the cross-account role (the trusted account), you need to grant its principals permission to assume the role. This is typically done by creating an IAM policy in the trusted account and attaching it to a user, group, or role.

4. Deploy the CloudFormation stack

Use the AWS Management Console, AWS CLI, or SDKs to deploy the CloudFormation stack from your template. Ensure that you have the necessary permissions in both the trusted and trusting accounts.

Once the CloudFormation stack is deployed, it will create the cross-account role in the trusting account. The trusted account(s) can then assume the role and access resources in the trusting account according to the permissions granted to the role.

It is essential to ensure that the appropriate trust relationships and permissions are in place so that cross-account access is established securely.

Example of CloudFormation code

Here's an example of CloudFormation code to create a cross-account role:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: MyCrossAccountRole
      # Trust policy: who may call sts:AssumeRole on this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                # Replace with the 12-digit ID of the trusted account.
                - 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
            Action: 'sts:AssumeRole'
      # Permissions policies attached to the role; each entry must be a full
      # managed policy ARN, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess.
      ManagedPolicyArns:
        - 'arn:aws:iam::AWS_MANAGED_POLICY_ARN'
        - 'arn:aws:iam::ANOTHER_MANAGED_POLICY_ARN'

In this example:

  • The RoleName property sets the name of the cross-account role to “MyCrossAccountRole”. You can change it to suit your needs.
  • The AssumeRolePolicyDocument defines the trust policy, allowing only the trusted account identified by TRUSTED_ACCOUNT_ID to assume the role. Replace TRUSTED_ACCOUNT_ID with the actual AWS account ID or ARN of the trusted account.
  • The ManagedPolicyArns property lets you attach one or more managed policies to the role. The example includes two placeholder ARNs (AWS_MANAGED_POLICY_ARN and ANOTHER_MANAGED_POLICY_ARN) that you should replace with the actual ARNs of the managed policies you want to attach.

In the other account (the trusted account), you need to create an IAM policy that grants permission to assume the cross-account role created in the trusting account. Here's an example of CloudFormation code that you can deploy in the trusted account:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CrossAccountAccessPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: CrossAccountAccessPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            # Replace with the 12-digit ID of the trusting account (the role owner).
            Resource: 'arn:aws:iam::TRUSTING_ACCOUNT_ID:role/MyCrossAccountRole'
      # Attach the policy to the role defined below (Ref returns the role name).
      Roles:
        - Ref: CrossAccountAccessRole
  CrossAccountAccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: CrossAccountAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                # Principals in the trusted account itself may assume this role.
                - 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
            Action: 'sts:AssumeRole'

In this example:

  • The CrossAccountAccessPolicy resource defines an IAM policy named “CrossAccountAccessPolicy” that allows the trusted account to assume the role created in the trusting account.
  • The PolicyDocument specifies the permissions granted by the policy. In this case, it allows the sts:AssumeRole action on the role with the ARN 'arn:aws:iam::TRUSTING_ACCOUNT_ID:role/MyCrossAccountRole'. Replace TRUSTING_ACCOUNT_ID with the actual AWS account ID or ARN of the trusting account, and adjust the role ARN if you customized the role name.
  • The CrossAccountAccessRole resource creates a placeholder IAM role named “CrossAccountAccessRole” in the trusted account. The trusted account assumes this role to access resources in the trusting account.

Remember to replace the placeholder values and adapt the code to your specific account IDs, role names, and any additional permissions or policies required.
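As an added check, not part of the original post or of any AWS tooling, the following Python script parses both templates in their JSON form (CloudFormation accepts JSON as well as YAML), substitutes constructed account IDs for the placeholders, and verifies that the two halves agree: the role's trust policy names the trusted account, and the trusted account's policy grants sts:AssumeRole on exactly that role ARN. It also reports how broad the trust is: a `:root` principal trusts every IAM principal in that account that is itself allowed sts:AssumeRole, and the absence of an sts:ExternalId condition is worth flagging when the trusted account belongs to a third party. The trusted-account template is reduced to its policy resource, and the account IDs and function names are assumptions of this example.

```python
import json
import re

# Constructed placeholder account IDs (not real accounts).
TRUSTED_ACCOUNT_ID = "111111111111"   # account whose principals assume the role
TRUSTING_ACCOUNT_ID = "222222222222"  # account that owns the role

# Trusting-account template: the cross-account role (JSON form of the YAML above).
TRUSTING_TEMPLATE_JSON = """{"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
  "CrossAccountRole": {"Type": "AWS::IAM::Role", "Properties": {
    "RoleName": "MyCrossAccountRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
      "Effect": "Allow", "Action": "sts:AssumeRole",
      "Principal": {"AWS": ["arn:aws:iam::TRUSTED_ACCOUNT_ID:root"]}}]}}}}}"""

# Trusted-account template, reduced to the policy that grants sts:AssumeRole.
TRUSTED_TEMPLATE_JSON = """{"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
  "CrossAccountAccessPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "CrossAccountAccessPolicy",
    "Roles": [{"Ref": "CrossAccountAccessRole"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
      "Effect": "Allow", "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::TRUSTING_ACCOUNT_ID:role/MyCrossAccountRole"}]}}}}}"""

PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/.+|user/.+)$")


def as_list(value):
    """IAM policy grammar allows a string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def with_placeholders(template_json, trusted_id, trusting_id):
    """Substitute the placeholder account IDs and parse the template."""
    text = template_json.replace("TRUSTED_ACCOUNT_ID", trusted_id)
    return json.loads(text.replace("TRUSTING_ACCOUNT_ID", trusting_id))


def resources_of_type(template, rtype):
    return [(name, res["Properties"])
            for name, res in template["Resources"].items() if res["Type"] == rtype]


def allows_assume(statement):
    actions = as_list(statement.get("Action", []))
    return statement.get("Effect") == "Allow" and any(
        a in ("sts:AssumeRole", "sts:*", "*") for a in actions)


def audit_trust_policy(role_props):
    """Return (set of account IDs that may assume the role, list of findings)."""
    accounts, findings = set(), []
    for stmt in as_list(role_props["AssumeRolePolicyDocument"]["Statement"]):
        if not allows_assume(stmt):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("wildcard principal: any AWS account could assume this role")
            continue
        for arn in as_list(principal.get("AWS", [])):
            m = PRINCIPAL_ARN.match(arn)
            if not m:
                findings.append(f"unrecognised principal ARN: {arn}")
                continue
            accounts.add(m.group(1))
            if m.group(2) == "root":
                findings.append(f"root trust: every IAM principal in account {m.group(1)} "
                                "that is allowed sts:AssumeRole can assume this role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (recommended when the trusted "
                            "account belongs to a third party)")
    return accounts, findings


def check_pairing(trusting_template, trusted_template, trusting_id, trusted_id):
    """Verify that the trusting-account role and the trusted-account policy refer to each other."""
    [(_, role_props)] = resources_of_type(trusting_template, "AWS::IAM::Role")
    role_arn = f"arn:aws:iam::{trusting_id}:role/{role_props['RoleName']}"
    accounts, findings = audit_trust_policy(role_props)

    grant_found = False  # does some policy in the trusted account allow sts:AssumeRole on role_arn?
    for _, pol in resources_of_type(trusted_template, "AWS::IAM::Policy"):
        for stmt in as_list(pol["PolicyDocument"]["Statement"]):
            if allows_assume(stmt) and any(
                    r in (role_arn, "*") for r in as_list(stmt.get("Resource", []))):
                grant_found = True
    return {"role_arn": role_arn,
            "trust_allows_account": trusted_id in accounts,
            "assume_grant_found": grant_found,
            "findings": findings}


if __name__ == "__main__":
    trusting = with_placeholders(TRUSTING_TEMPLATE_JSON, TRUSTED_ACCOUNT_ID, TRUSTING_ACCOUNT_ID)
    trusted = with_placeholders(TRUSTED_TEMPLATE_JSON, TRUSTED_ACCOUNT_ID, TRUSTING_ACCOUNT_ID)
    report = check_pairing(trusting, trusted, TRUSTING_ACCOUNT_ID, TRUSTED_ACCOUNT_ID)
    print(json.dumps(report, indent=2))
```

Run it as a script to print the report, or call `check_pairing` from a pipeline step that runs before deployment. A mismatch in either direction (the trust policy naming the wrong account, or the trusted-account policy pointing at the wrong role ARN) shows up as `false` in the report rather than as a confusing AccessDenied at assume time. Because both templates set RoleName explicitly, deploying them with the AWS CLI requires `--capabilities CAPABILITY_NAMED_IAM`.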
