@yossale
Last active May 12, 2020 17:13
{
  "Parameters" : {
    "TrustedAccount" : {
      "Type" : "String",
      "Description" : "Your account id, to be trusted by the user"
    },
    "ExternalId" : {
      "Type" : "String",
      "Description" : "Your secret customer unique id"
    },
    "SnsArn" : {
      "Type" : "String",
      "Description" : "The ARN of the SNS topic you are listening on"
    }
  },
  "Resources": {
    "CrossAccountRole": {
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Sub": "arn:aws:iam::${TrustedAccount}:root" }
              },
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": { "Ref": "ExternalId" }
                }
              },
              "Sid": ""
            }
          ],
          "Version": "2012-10-17"
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "ec2:Describe*"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ],
              "Version": "2012-10-17"
            },
            "PolicyName": "CustomerAccountAccess"
          }
        ]
      },
      "Type": "AWS::IAM::Role"
    },
    "PhoneHomeCustomResource": {
      "Properties": {
        "ServiceToken": { "Ref": "SnsArn" },
        "RoleArn": { "Fn::GetAtt": ["CrossAccountRole", "Arn"] },
        "AccountID": { "Ref": "AWS::AccountId" },
        "ExternalID": { "Ref": "ExternalId" }
      },
      "Type": "Custom::PhoneHomeCustomResource",
      "Version": "1.0"
    }
  }
}
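
An added example, not part of the original gist: one way the subscriber on the `SnsArn` topic could validate the `PhoneHomeCustomResource` request before recording the `RoleArn` it carries. The field names come from the template and the CloudFormation custom resource request format; `ISSUED_EXTERNAL_IDS`, `arn_account`, `validate_phone_home`, `sample_request` and every sample value are assumptions made for illustration.

```python
import hmac
import json

# Constructed sample data: ExternalId values the vendor issued, keyed by customer account id.
ISSUED_EXTERNAL_IDS = {"111122223333": "example-external-id-0001"}


def arn_account(arn):
    """Return the account-id field of an ARN (arn:partition:service:region:account:resource)."""
    parts = str(arn).split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % (arn,))
    return parts[4]


def validate_phone_home(message_body, issued=ISSUED_EXTERNAL_IDS):
    """Check a custom resource request before trusting its RoleArn. Returns (ok, reason)."""
    try:
        req = json.loads(message_body)
        props = req["ResourceProperties"]
        role_arn = str(props["RoleArn"])
        claimed = str(props["AccountID"])
        external_id = str(props["ExternalID"])
        stack_account = arn_account(req["StackId"])
        role_account = arn_account(role_arn)
    except (ValueError, KeyError, TypeError) as exc:
        return False, "malformed request: %s" % exc
    # The stack, the role and the claimed account must all be the same account.
    if not (stack_account == role_account == claimed):
        return False, "account mismatch"
    if not role_arn.split(":", 5)[5].startswith("role/"):
        return False, "RoleArn is not an IAM role"
    # The ExternalID must be the one issued to that account (constant-time compare).
    expected = issued.get(claimed)
    if expected is None or not hmac.compare_digest(expected.encode(), external_id.encode()):
        return False, "ExternalID not issued to this account"
    return True, "ok"


def sample_request(role_account="111122223333", external_id="example-external-id-0001"):
    """Build a constructed request body shaped like the one this template's stack would send."""
    return json.dumps({
        "RequestType": "Create",
        "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/example/00000000",
        "ResourceProperties": {
            "RoleArn": "arn:aws:iam::%s:role/example-CrossAccountRole" % role_account,
            "AccountID": "111122223333",
            "ExternalID": external_id,
        },
    })
```

Anyone permitted to publish to the topic can send a message of this shape, so a passing check is a reason to attempt `sts:AssumeRole` with the stored ExternalId, not proof that the role exists or trusts you.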