Skip to content

Instantly share code, notes, and snippets.

@klang
Last active Feb 4, 2021
Embed
What would you like to do?
The AWS E-learning course "Creating an IAM Role for AWS Partner-Led Support" describes how to make a specific support role, but doesn't provide the actual template. This is an advanced way to roll out the role needed, in a multi account structure.

The AWS E-learning course "Creating an IAM Role for AWS Partner-Led Support" describes how to make a specific support role, but doesn't provide the actual template.

This is an advanced way to roll out the role needed, in a multi account structure. If the Partner-Led customer is using AWS ControlTower or AWS LandingZone or some other home baked control mechanism under AWS Organizations, a StackSet is probably the way to go.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Cross account ReadOnly and Support access for Partner-Led Support
Parameters:
PartnerAccount:
Type: String
Description: AccountsIDs that need access to this role.
PartnerRoleName:
Type: String
Default: PartnerRoleForReadOnlyAndSupport
AllowedValues:
- PartnerRoleForReadOnlyAndSupport
- partner-support
Description: 'name of the role to use for opening support cases'
Resources:
CrossAccountAccessStackSet:
Type: AWS::CloudFormation::StackSet
Properties:
AutoDeployment:
Enabled: true
RetainStacksOnAccountRemoval: false
Capabilities:
- CAPABILITY_NAMED_IAM
OperationPreferences:
FailureToleranceCount: 5
FailureTolerancePercentage: 5
MaxConcurrentCount: 5
MaxConcurrentPercentage: 5
RegionOrder:
- eu-west-1
PermissionModel: SERVICE_MANAGED
StackSetName: PartnerRoleForReadOnlyAndSupport
Parameters:
- ParameterKey: AccountID
ParameterValue: !Ref PartnerAccount
- ParameterKey: RoleName
ParameterValue: !Ref PartnerRoleName
TemplateBody: |
Parameters:
AccountID:
Type: String
RoleName:
Type: String
Resources:
CrossAccountAccess:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AccountID}:root'
Condition:
Bool:
aws:MultiFactorAuthPresent: true
Sid: ''
Version: '2012-10-17'
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess
- arn:aws:iam::aws:policy/AWSSupportAccess
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment