---
# Cross-account deployment role.
# Creates an IAM role in this account that a principal in ExternalAccountId can
# assume, with wildcard permissions on CloudFormation, S3, API Gateway and
# CloudFront. The role ARN is exported as the CrossAccountRole output.
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation template for deployment cross-account role

Parameters:
  ExternalAccountId:
    Description: AWS Account ID of the external account that will assume the cross account role
    Type: String
    # Exactly twelve digits; CloudFormation rejects any other value before the
    # stack is created, so the trust policy below is never rendered with a
    # malformed account id.
    AllowedPattern: '\d{12}'
    ConstraintDescription: Account number is a 12 digit number

Resources:
  DeploymentCrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed role name: IAM role names are unique per account, so a second
      # copy of this stack in the same account would fail on this resource.
      RoleName: crossaccount-deployment-role
      Path: "/"
      # Trust policy. The external account's root principal is trusted, which
      # leaves it to that account's own IAM policies to decide which of its
      # identities may call sts:AssumeRole here. No Condition (e.g. an
      # ExternalId or source-ARN check) is applied.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: "sts:AssumeRole"
            Principal:
              AWS: !Sub "arn:aws:iam::${ExternalAccountId}:root"
      Policies:
        - PolicyName: CrossAccountCodePipelinePolicy
          # NOTE(review): every action of four services on every resource is
          # well beyond least privilege; scoping Resource to the deployment's
          # stacks, buckets, APIs and distributions should be considered once
          # they are known.
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Resource: "*"
                Action:
                  - "cloudformation:*"
                  - "s3:*"
                  - "apigateway:*"
                  - "cloudfront:*"

Outputs:
  CrossAccountRole:
    Description: Arn for the cross account role assumed by the External account
    Value: !GetAtt DeploymentCrossAccountRole.Arn