My client has a root account with sub accounts as environments (dev, test, production). The idea is that a ci_user within the root account assumes a role in each of these and performs deployment from CodeBuild / CodePipeline. They're using serverless to automate the creation of Lambdas.

Ideally they want the following:

  • The ci_user exists in the root account
  • The ci_user assumes a role in either the dev, test or production accounts
  • Resources / CloudFormation is executed in those sub accounts, from the root account

Is it possible to assume such a role? Or do IAM accounts need creating in those sub accounts for this to work? i.e. use those IAM accounts within sub accounts to perform deployments, and thus, run CodeBuild / CodePipeline deployments from each sub account.

1 Answer

I achieved this by using STS and assuming a temp role inline within Codebuild. Documentation found here.

In short, I've added the following. You'll need to change ACCOUNT_ID, ROLE_TO_ASSUME, TEMP_NAME and COMMAND to achieve this.

version: 0.2

phases:
  install:
    runtime-versions:
      nodejs: 14.x
    commands:
      # Full ARN of the role to assume in the target (dev/test/prod) account
      - ASSUME_ROLE_ARN="arn:aws:iam::ACCOUNT_ID:role/ROLE_TO_ASSUME"
      # Exchange the CodeBuild role's credentials for temporary credentials in the target account
      - TEMP_ROLE=$(aws sts assume-role --role-arn "$ASSUME_ROLE_ARN" --role-session-name TEMP_NAME)
      - export TEMP_ROLE
      # Put the temporary credentials in the environment so later commands run against the target account
      - export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
      - export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
      - export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
  pre_build:
    commands:
      - npm run COMMAND
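As an added example that is not part of the original answer, the same STS pattern carried through as a POSIX shell script, including the two IAM policies the question asks about: the trust policy on the sub-account role (trusting the root account's CodeBuild role, not the whole root account) and the assume-role permission on that CodeBuild role. It also checks the role ARN's shape before calling STS (the bare role name or an unreplaced placeholder is rejected by `sts:AssumeRole`) and confirms the build is acting in the intended account before anything is deployed. All account ids (111111111111, 222222222222, ...) and role names (codebuild-ci-role, DeployRole) are placeholders. No IAM users are needed in the sub accounts for this; the CodeBuild service role in the root account is the principal the sub-account roles trust.

```shell
#!/bin/sh
# Added example, not from the original answer: the cross-account deploy wiring
# end to end. Every account id and role name below is a placeholder.
set -eu

ROOT_ACCOUNT_ID="111111111111"     # placeholder: account that runs CodeBuild / CodePipeline
CI_ROLE_NAME="codebuild-ci-role"   # placeholder: CodeBuild service role in the root account
DEPLOY_ROLE_NAME="DeployRole"      # placeholder: role name used in every sub account

# Trust policy for DeployRole in a sub account. The principal is the CI role
# itself rather than the root account as a whole, so no other principal in the
# root account can assume the deploy role.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::$1:role/$2" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Inline policy attached to the CI role in the root account: permission to
# assume exactly the deploy roles in the listed sub accounts, nothing wider.
assume_policy_json() {
  list=""
  for acct in "$@"; do
    list="${list:+$list, }\"arn:aws:iam::$acct:role/$DEPLOY_ROLE_NAME\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [ $list ]
  }]
}
EOF
}

# sts:AssumeRole wants a full role ARN with a 12-digit account id; a bare role
# name or an unreplaced placeholder is rejected, so check the shape first.
is_role_arn() {
  case "$1" in
    arn:aws:iam::*:role/?*)
      acct=${1#arn:aws:iam::}
      acct=${acct%%:*}
      [ "${#acct}" -eq 12 ] && [ "$acct" = "$(printf '%s' "$acct" | tr -cd '0-9')" ] || return 1
      ;;
    *) return 1 ;;
  esac
}

# Assume the deploy role in one sub account and export the temporary
# credentials for the rest of the build. --query/--output text replaces the jq
# parsing; the session name carries the build number so CloudTrail in the sub
# account records which build made each change.
assume_deploy_role() {
  target_account="$1"
  role_arn="arn:aws:iam::$target_account:role/$2"
  is_role_arn "$role_arn" || { echo "not a role ARN: $role_arn" >&2; return 1; }
  creds=$(aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name "codebuild-${CODEBUILD_BUILD_NUMBER:-local}" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  # Intentional word splitting: the three fields are tab separated.
  # shellcheck disable=SC2086
  set -- $creds
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  # Confirm the build is now acting in the intended account before deploying.
  actual=$(aws sts get-caller-identity --query Account --output text)
  [ "$actual" = "$target_account" ] || { echo "expected $target_account, got $actual" >&2; return 1; }
}

# Usage inside a buildspec command, e.g.:
#   . ./deploy-env.sh && assume_deploy_role 222222222222 DeployRole && npm run deploy:dev
```

CodeBuild already runs under a role, so assuming DeployRole from it is role chaining, and AWS caps a chained session at one hour; that is why `--duration-seconds` is 3600 and not longer. The two policy functions produce the documents to pass to `aws iam create-role --assume-role-policy-document` (in each sub account) and `aws iam put-role-policy --policy-document` (on the CI role in the root account).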