To create a cross-account role in CloudFormation, you can follow these steps:
1. Create a CloudFormation template
Create a new CloudFormation template in YAML or JSON format. This template will define the resources, including the cross-account role, that you want to create.
2. Define the cross-account role
Within your CloudFormation template, define the cross-account role using the AWS::IAM::Role resource type. Specify the required properties such as:
RoleName: Provide a name for the cross-account role.
AssumeRolePolicyDocument: Specify the trust policy that determines which accounts are allowed to assume this role. It should include the AWS account ID or ARN of the trusted account(s) that can assume the role.
ManagedPolicyArns: Optionally, you can attach managed policies to the role by specifying their Amazon Resource Names (ARNs). These policies define the permissions and access rights for the role.
3. Grant permissions for cross-account access
In the account that will be assuming the cross-account role (the trusted account), you need to grant its principals permission to assume the role. This is typically done by creating an IAM policy in the trusted account and attaching it to a user, group, or role.
4. Deploy the CloudFormation stack
Use the AWS Management Console, AWS CLI, or SDKs to deploy the CloudFormation stack using your template. Make sure that you have the required permissions in both the trusted and trusting accounts.
When the CloudFormation stack is deployed, it will create the cross-account role in the trusting account. The trusted account(s) can then assume the role and access resources in the trusting account based on the permissions granted to the role.
It is essential to make sure that the appropriate trust relationships and permissions are in place to securely establish cross-account access.
Example of CloudFormation code
Here's an example of CloudFormation code to create a cross-account role:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: MyCrossAccountRole
      # Trust policy: only the trusted account may call sts:AssumeRole on this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
            Action: 'sts:AssumeRole'
      # Permissions the role carries once assumed (replace with the real policy ARNs)
      ManagedPolicyArns:
        - 'arn:aws:iam::AWS_MANAGED_POLICY_ARN'
        - 'arn:aws:iam::ANOTHER_MANAGED_POLICY_ARN'
In this example:
RoleName property sets the name of the cross-account role to "MyCrossAccountRole". You can change it as per your preference.
AssumeRolePolicyDocument specifies the trust policy allowing only the trusted account with the specified TRUSTED_ACCOUNT_ID to assume the role. Replace TRUSTED_ACCOUNT_ID with the actual AWS account ID or ARN of the trusted account.
ManagedPolicyArns property allows you to attach multiple managed policies to the role. The example includes two example ARNs (AWS_MANAGED_POLICY_ARN and ANOTHER_MANAGED_POLICY_ARN) which you can replace with the actual ARNs of the managed policies you want to attach.
In the other account (the trusted account), you need to create an IAM policy that grants permission to assume the cross-account role created in the trusting account. Here's an example of CloudFormation code that you can run in the trusted account:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Identity policy in the trusted account: allows assuming the role in the trusting account
  CrossAccountAccessPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: CrossAccountAccessPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            Resource: 'arn:aws:iam::TRUSTING_ACCOUNT_ID:role/MyCrossAccountRole'
      Roles:
        - Ref: CrossAccountAccessRole
  # Placeholder role in the trusted account that the policy above is attached to
  CrossAccountAccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: CrossAccountAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::TRUSTED_ACCOUNT_ID:root'
            Action: 'sts:AssumeRole'
In this example:
CrossAccountAccessPolicy resource defines an IAM policy named "CrossAccountAccessPolicy" that allows the trusted account to assume the role created in the trusting account.
PolicyDocument specifies the permissions granted by the policy. In this case, it allows the trusted account to perform the sts:AssumeRole action on the role with the ARN arn:aws:iam::TRUSTING_ACCOUNT_ID:role/MyCrossAccountRole. Replace TRUSTING_ACCOUNT_ID with the actual AWS account ID or ARN of the trusting account, and change the role ARN if you have customized the role name.
CrossAccountAccessRole resource creates a placeholder IAM role named "CrossAccountAccessRole" in the trusted account. The trusted account assumes this role to access resources in the trusting account.
Remember to replace the placeholder values and modify the code to fit your specific account IDs, role names, and any additional permissions or policies required.
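As an added example (not code from the original article), the following Python script checks that the two templates above agree with each other before they are deployed: the role's trust policy must name only the intended trusted account and only sts:AssumeRole, and the trusted account's policy must point at that exact role in the trusting account. The account IDs 111111111111 and 222222222222 are constructed, and the check for a Condition (such as sts:ExternalId) on the trust statement is an added recommendation, not something the article's templates include.

```python
import re

# Matches the two principal/resource ARN shapes used in the article's templates.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/(.+))$")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_pair(role_name, trust_policy, access_policy, trusting_account, trusted_account):
    """Return findings for a trusting-side trust policy and trusted-side access policy."""
    findings = []
    for st in trust_policy["Statement"]:            # role's trust policy (trusting account)
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        if aws == "*":
            findings.append("trust policy: wildcard principal, any AWS account could assume the role")
            continue
        for arn in _as_list(aws):
            m = ARN_RE.match(arn)
            if not m or m.group(1) != trusted_account:
                findings.append(f"trust policy: unexpected principal {arn}")
        if any(a != "sts:AssumeRole" for a in _as_list(st.get("Action"))):
            findings.append("trust policy: grants actions other than sts:AssumeRole")
        if "Condition" not in st:
            findings.append("trust policy: no Condition (e.g. sts:ExternalId) on the AssumeRole grant")
    for st in access_policy["Statement"]:           # IAM policy in the trusted account
        if st.get("Effect") != "Allow":
            continue
        for arn in _as_list(st.get("Resource")):
            m = ARN_RE.match(arn)
            if not m or m.group(1) != trusting_account or m.group(3) != role_name:
                findings.append(f"access policy: {arn} is not role {role_name} in {trusting_account}")
    return findings

# Constructed sample: the article's two policy documents with the placeholders
# filled in (111111111111 = trusting account, 222222222222 = trusted account).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
    "Action": "sts:AssumeRole"}]}
ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111111111111:role/MyCrossAccountRole"}]}

if __name__ == "__main__":
    for finding in check_pair("MyCrossAccountRole", TRUST_POLICY, ACCESS_POLICY,
                              "111111111111", "222222222222"):
        print("FINDING:", finding)
```

Run against the article's templates, the only finding is the missing Condition on the trust statement; a wildcard principal or a mismatched role ARN on either side is reported as well.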