Written on June 16, 2021 by Danny Steenman.

With a multi-account setup comes a shared services account that acts as a central hub in which AWS CodePipeline pipelines are hosted and deploy infrastructure and services to our workload accounts e.g.

For the shared services account to access the other AWS accounts, it needs to assume a role on the target account.

Next up we need an IAM role on the shared services account that assumes the role we created previously on the target account, so it can access the S3 bucket.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A CloudFormation template that creates a role that can assume a role on a target AWS account

Parameters:
  CrossAccountRoleTestARN:
    Type: String
    Description: "The ARN of role on the target account that the source account (AWS Codebuild) assumes to access its services"

Resources:
  CodeBuildServiceRole:
    # Resource type is required for the template to deploy
    Type: AWS::IAM::Role
    Properties:
      Path: /
      # Trust policy: only the CodeBuild service may assume this role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CrossAccountAssumePolicy is referenced here; its definition is not shown on this page
        - !Ref CrossAccountAssumePolicy
```
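The template references `CrossAccountAssumePolicy` but does not show its definition, and the `CrossAccountRoleTestARN` parameter is otherwise unused. As an added example (not the author's template), one way to define the policy is to allow `sts:AssumeRole` only on that single ARN; the policy body, the `Sid` and the output name are assumptions.

```yaml
# Added example, not part of the original template.
# Merge these keys into the shared services account template.
Resources:
  CrossAccountAssumePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows the CodeBuild role to assume one specific role on the target account
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AssumeTargetAccountRole   # assumed name
            Effect: Allow
            Action: sts:AssumeRole
            # Scope to the single role ARN passed in as a parameter.
            # Resource: "*" would let the build assume any role, in any
            # account, whose trust policy admits this principal.
            Resource: !Ref CrossAccountRoleTestARN

Outputs:
  CodeBuildServiceRoleArn:   # assumed output name
    Description: ARN to name as the trusted principal in the target account role's trust policy
    Value: !GetAtt CodeBuildServiceRole.Arn
```

Both sides have to agree for the assume-role call to succeed: this identity policy on the source role, and a trust policy on the target role that admits the source principal.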
