stackoom
  简体   繁体   中英

Possible to create a policy and share the policy to role across multiple accounts

 原文  2021-08-23 11:45:50       amazon-web-services/ amazon-cloudformation/ amazon-iam

Question

I am trying to create a policy in one AWS account and need to share that policy to a role in multiple accounts (Prod, Dev, Sandbox).

And I can add the AWS accounts number manually and assign AWS Managed Policy to roles and needs to create multiple roles as well.

How can we achieve this?

Here is the code I wrote

 AWSTemplateFormatVersion: '2010-09-09'
Description: 'Create a role that authorizes access to users in another account'
Metadata:
  Version: 0.7
Parameters:
  RoleName:
    Type: String
    Default: R_EC2-Describe-Instance
  MainAccountId:
    Type: String
    Description: >-
     Include the Managed Services Account ID(the account ID where the Main VPC is registered)
    Default: 111111111111
    MaxLength: 12
    MinLength: 12 

Resources:
  AssumeRole:
    Type: AWS::IAM::Policy
    Properties:
      RoleName: !Ref RoleName
      Policies:
          -
            PolicyName: "CoreSVC-Describe-EC2"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                -
                  Effect: "Allow"
                  Action: 
                   - 'sts:AssumeRole'
                  Resource: !Join [ "", [ "arn:aws:iam::", !Ref MainAccountId, ":role/R_EC2-Describe-Instance" ] ]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        ManagedPolicyName: 
          - "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAcess"  
        Statement:
        - Effect: Allow
          Principal: 
            "AWS": !Join [ "", [ "arn:aws:iam::", !Ref MainAccountId, ":root" ] ]
          Action:
          - sts:AssumeRole
          Condition: {}

1 answers

solution1
 0 ACCPTED  2021-08-25 23:02:49

You can't share an IAM Policy with other accounts, as it doesn't have a resource policy to allow it.

The code sample you've shared is sharing the IAM Role with multiple accounts, which is possible via the role's resource/trust policy.

If you want to share the same policy across multiple accounts, then you should probably use CloudFormation StackSets (as mentioned by @ervin-szilagyi), or some other infrastructure-as-code approach.

If you want to share the role with other accounts, then you've already done it. All that's missing is role in those accounts with access to the sts:AssumeRole action so that it can assume the role you've shared in your code.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Attach policy to a IAM Role AWS Admin Role Policy how to create single dlm policy with multiple tags Adding the custom policy to the Role (taskRole) AWS SAM template share same policy in multiple functions Is it possible to create an Azure Policy Exemption at the same as as the resource being exempted? Cannot attach a Service Role Policy to a Customer Role Create Azure policy with Terraform Why is sts:AssumeRole in the Trust Policy and not the Permissions Policy of a role? Create policy with CloudFormation
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM