How can I use AssumeRole from another AWS account in a CloudFormation template?

9
votes

I am trying to work out the logic flow for an AWS CloudFormation template that will assume an IAM role that can pull files from a S3 bucket in another AWS account.

What I have so far is:

  1. accountA has a roleA
  2. roleA has policy that allows sts:AssumeRole for a role in accountB :arn:aws:iam::11122233444:role/AllowPullS3
  3. accountB has role(AllowPullS3) with
  4. policy allow:s3 listBucket + get,put,delete
  5. trust relationship for accountA :Action:"sts:AssumeRole"

If I create an EC2 instance manually with the IAM:roleA and then use the CLI to get the assume-role credentials, I can then pull the files from the other account's S3 bucket as expected.

But what do I need to put where in my accountA CF template that will allow the EC2 instance to assume roleB and pull the file from the accountB S3 bucket as part of the formation?

I have tried following a lot of tutorials such as this cfn-iam:init tutorial but still can not fully grasp what goes where.

Thanks for your advice.

Art

1
amazon-web-servicesamazon-ec2amazon-cloudformationamazon-iam
Do you have to use AssumeRole? Would a bucket policy suffice or are you trying to avoid that? If you have manually created the role in accountA, and have attached it to the EC2 instance using the IamInstanceProfile property you could add the role ARN from accountA to a bucket policy on the s3 bucket in accountB if you are happy to do that. It is simpler than messing around with cross account roles.lokulin

1 Answers

2
votes

It is not possible to tell CloudFormation to assume another role.

However, if you have a CLI script/command that works on the Amazon EC2 instance, then just pass that script as User Data. The script will run when your instance starts. User Data can be passed in your CloudFormation template, where the EC2 instance is defined.

See: Running Commands on Your Linux Instance at Launch