To create a cross-account role in Terraform, follow these steps:
Define the IAM role in the Terraform configuration:
resource "aws_iam_role" "cross_account_role" {
  name = "CrossAccountRole"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
In the assume_role_policy block, replace <ACCOUNT_ID> with the AWS account ID of the target account that is allowed to assume this role. Note that a ":root" principal trusts every IAM principal in that account (subject to that account's own IAM policies), not just a single user or role.
Attach the required policies to the role. Policies define the permissions granted to the role:
resource "aws_iam_role_policy_attachment" "cross_account_role_attachment" {
  role       = aws_iam_role.cross_account_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" # Example policy
}
Replace "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" with the ARN of the policy you want to attach to the role.
Create a role trust relationship in the target AWS account to allow the cross-account access. This step is performed outside of Terraform: log in to the target AWS account and create a role trust policy for the role created in the earlier steps.
Here's an example of the trust policy in JSON format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Replace <SOURCE_ACCOUNT_ID> with the AWS account ID where the role is created.
Use the created cross-account role from other resources by configuring a provider that assumes it. The aws_s3_bucket resource has no role_arn argument; the role is supplied through the provider's assume_role block, and resources that reference that provider alias are then created with the role's credentials:
provider "aws" {
  alias = "cross_account"
  assume_role {
    # The role must already exist before this provider can be configured,
    # so apply the role first (or keep this block in the configuration that consumes the role).
    role_arn = aws_iam_role.cross_account_role.arn
  }
}

resource "aws_s3_bucket" "example_bucket" {
  provider = aws.cross_account
  bucket   = "example-bucket"
}
Remember to run terraform init, terraform plan and terraform apply to initialize the Terraform configuration, plan the changes and apply them to create the cross-account role.
In addition to creating the IAM role in the source account with Terraform, you also need to perform the following step in the target account to establish the cross-account access: configure the trust policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Replace <SOURCE_ACCOUNT_ID> with the AWS account ID where the cross-account role is created.
By configuring the trust policy in the target account, you allow the specified role in the source account to assume the cross-account role and access resources in the target account.
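The following is an added example, not the article's own code, that carries the procedure above through as a reviewer would want it: the role lives in the account that owns the resources, the trust policy names one specific caller role instead of the account root and requires an sts:ExternalId, the permissions policy is scoped to one bucket instead of the AWS-managed AmazonS3ReadOnlyAccess, and the consuming configuration reaches the target account through a provider assume_role block. The account IDs, the role and bucket names, the external ID and the region are placeholders.

```hcl
# Added example (not from the article). All IDs and names below are placeholders.
#
# --- Part 1: applied with credentials in the TARGET account (owner of the bucket) ---

locals {
  source_account_id = "111111111111"                    # placeholder: account whose role will call AssumeRole
  external_id       = "replace-with-a-long-random-value" # placeholder: shared secret the caller must present
  bucket_name       = "example-bucket"                   # placeholder
}

# Trust policy. Trusting "arn:aws:iam::<ACCOUNT>:root" lets any principal in that
# account assume the role; naming one role plus an ExternalId condition limits it
# to the intended caller and blocks the confused-deputy case.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.source_account_id}:role/DeploymentRole"] # placeholder caller role
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [local.external_id]
    }
  }
}

resource "aws_iam_role" "cross_account_role" {
  name                 = "CrossAccountRole"
  assume_role_policy   = data.aws_iam_policy_document.trust.json
  max_session_duration = 3600 # shortest allowed value; temporary credentials expire after one hour
}

# Permissions policy scoped to a single bucket, rather than read access to every
# bucket in the account.
data "aws_iam_policy_document" "bucket_read" {
  statement {
    effect  = "Allow"
    actions = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
  }
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
  }
}

resource "aws_iam_role_policy" "bucket_read" {
  name   = "example-bucket-read"
  role   = aws_iam_role.cross_account_role.id
  policy = data.aws_iam_policy_document.bucket_read.json
}

output "cross_account_role_arn" {
  value = aws_iam_role.cross_account_role.arn
}

# --- Part 2: applied from the SOURCE account, after Part 1 exists ---
# The default provider authenticates as the source account (for example as
# DeploymentRole). The aliased provider assumes the target role; resources and
# data sources that set `provider = aws.target` then run with its credentials.

provider "aws" {
  alias  = "target"
  region = "us-east-1" # placeholder

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/CrossAccountRole" # placeholder: the Part 1 output
    external_id  = "replace-with-a-long-random-value"               # must match the trust policy
    session_name = "terraform-cross-account"                         # appears in the target account's CloudTrail
  }
}

data "aws_s3_bucket" "example_bucket" {
  provider = aws.target
  bucket   = "example-bucket" # placeholder; the bucket already exists in the target account
}

output "target_bucket_arn" {
  value = data.aws_s3_bucket.example_bucket.arn
}
```

The two parts are applied separately, in order: Part 2's provider cannot be configured until the role from Part 1 exists, which is also why the article's pattern of referencing the role's ARN from a provider block in the same configuration fails on a first apply. The session_name shows up in the target account's CloudTrail AssumeRole events, so the target account can attribute every action taken through the role to the calling configuration.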