Cross Account Execution Role
This role resides in the Member AWS Account(s) and is assumed by the Main AWS Account.
When a Member AWS Account is created in the organization of the Master (Main) AWS Account, this role is created by the solution/packages/cfn-templates/lib/templates/onboard-account.yaml template.
Trust Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${MainAccount}:role/${ApiHandlerRole}",
          "arn:aws:iam::${MainAccount}:role/${WorkflowLoopRunnerRole}",
          "arn:aws:iam::${MemberAccount}:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "${ExternalId}"
        }
      }
    }
  ]
}
The principals listed above are:
- ApiHandlerRole: A role in the Main AWS account associated with the Service Workbench backend API execution.
- WorkflowLoopRunnerRole: A role in the Main AWS account associated with background workflow execution as initiated by backend API calls.
- The Member AWS account itself.
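The trust policy above is what keeps this role assumable only by the two Main-account roles and the member account itself, and only when the caller presents the external ID (the sts:ExternalId condition is the standard AWS control against the confused-deputy problem in cross-account access). The following linter is an added example, not Service Workbench code: it takes the documented trust policy with constructed sample account IDs and external ID substituted for the template parameters, and reports any AssumeRole grant whose principals fall outside the expected accounts or that lacks the external-ID condition. The function names (check_trust_policy, principal_accounts, requires_external_id, without_external_id) are this example's own.

```python
"""Lint a cross-account trust policy for the two properties this role relies on:
every principal belongs to a known account, and every AssumeRole grant is
conditioned on the external ID.  Added example, not Service Workbench code;
the account IDs and external ID are constructed sample values."""
import copy
import re

# Constructed stand-ins for the ${MainAccount}, ${MemberAccount} and
# ${ExternalId} template parameters.
MAIN_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"
EXTERNAL_ID = "example-external-id"

# The documented trust policy with the placeholders substituted.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    f"arn:aws:iam::{MAIN_ACCOUNT}:role/ApiHandlerRole",
                    f"arn:aws:iam::{MAIN_ACCOUNT}:role/WorkflowLoopRunnerRole",
                    f"arn:aws:iam::{MEMBER_ACCOUNT}:root",
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }
    ],
}

# IAM principal ARNs this linter accepts: an account root or a role (with optional path).
_IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/[^/]+(/.+)?)$")
# Action values that include sts:AssumeRole (IAM action names are case-insensitive).
_ASSUME_ACTIONS = {"*", "sts:*", "sts:assumerole"}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def principal_accounts(statement):
    """Account IDs named by the statement's AWS principals, or None when the
    principal is "*" or anything other than account-root/role ARNs."""
    principal = statement.get("Principal")
    if principal == "*" or not isinstance(principal, dict):
        return None
    accounts = set()
    for arn in _as_list(principal.get("AWS", [])):
        match = _IAM_ARN.match(arn)
        if match is None:
            return None
        accounts.add(match.group(1))
    return accounts


def requires_external_id(statement):
    """True when the statement can only succeed with a non-empty sts:ExternalId."""
    value = statement.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
    return isinstance(value, str) and value != ""


def check_trust_policy(policy, allowed_accounts):
    """Findings for every Allow statement that grants AssumeRole; an empty
    list means the policy has the expected shape."""
    allowed = set(allowed_accounts)
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & _ASSUME_ACTIONS:
            continue
        accounts = principal_accounts(stmt)
        if accounts is None:
            findings.append(f"statement {i}: principal is not a set of account/role ARNs")
        elif not accounts <= allowed:
            findings.append(f"statement {i}: unexpected accounts {sorted(accounts - allowed)}")
        if not requires_external_id(stmt):
            findings.append(f"statement {i}: AssumeRole is not conditioned on sts:ExternalId")
    return findings


def without_external_id(policy):
    """Copy of the policy with every Condition removed, to show what the linter flags."""
    weakened = copy.deepcopy(policy)
    for stmt in _as_list(weakened["Statement"]):
        stmt.pop("Condition", None)
    return weakened


if __name__ == "__main__":
    expected = {MAIN_ACCOUNT, MEMBER_ACCOUNT}
    print("as documented:", check_trust_policy(TRUST_POLICY, expected) or "no findings")
    print("without ExternalId:", check_trust_policy(without_external_id(TRUST_POLICY), expected))
```

Run it against the trust policy as deployed (for example, the output of `aws iam get-role` on the member account, which returns the policy as AssumeRolePolicyDocument) after each onboarding; a non-empty finding list means the role can be assumed from somewhere the documentation does not list, or without the external ID.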
Permissions
The following policies are attached to this role; they grant what the solution needs to run analytics workloads in the member account.
CloudFormation
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Cost Explorer
{
  "Statement": {
    "Action": ["ce:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}
Tip: You will need to ensure that Cost Explorer has been enabled in the member account. See here for more information.
EC2
{
  "Statement": {
    "Action": ["ec2:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}
EMR
{
  "Statement": {
    "Action": ["elasticmapreduce:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}
IAM
{
  "Statement": {
    "Action": ["iam:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}
S3
{
  "Statement": {
    "Action": ["s3:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}
SageMaker
{
  "Statement": {
    "Action": ["sagemaker:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}
SSM
{
  "Statement": {
    "Action": ["ssm:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}
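Read together, the permission policies above make this role far more than an analytics runner: all but the CloudFormation policy grant every action of a service on every resource, and iam:* on Resource "*" lets the role create roles and attach or put policies, which is administrator-equivalent in the member account. The following is an added example, not Service Workbench code: it copies the documented policy documents into Python and answers the questions a reviewer asks of them, namely which services are granted wholesale and whether a given API call (matched with IAM's case-insensitive wildcards) is allowed. The function names (is_allowed, wildcard_services, can_manage_iam) are this example's own; it does not model Deny statements or Conditions, which none of the policies on this page use.

```python
"""Summarize what the Cross Account Execution Role's permission policies grant.
Added example, not Service Workbench code; the policy documents are the ones
listed on this page, copied into Python dicts."""
import fnmatch

# The documented policies, keyed by the heading they appear under.
PERMISSION_POLICIES = {
    "CloudFormation": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudformation:CreateStack",
                    "cloudformation:DeleteStack",
                    "cloudformation:DescribeStacks",
                    "cloudformation:DescribeStackEvents",
                ],
                "Resource": "*",
                "Effect": "Allow",
            }
        ],
    },
    "Cost Explorer": {"Statement": {"Action": ["ce:*"], "Resource": "*", "Effect": "Allow"}},
    "EC2": {"Statement": {"Action": ["ec2:*"], "Resource": "*", "Effect": "Allow"}},
    "EMR": {"Statement": {"Action": ["elasticmapreduce:*"], "Resource": "*", "Effect": "Allow"}},
    "IAM": {"Statement": {"Action": ["iam:*"], "Resource": "*", "Effect": "Allow"}},
    "S3": {"Statement": {"Action": ["s3:*"], "Resource": "*", "Effect": "Allow"}},
    "SageMaker": {"Statement": {"Action": ["sagemaker:*"], "Resource": "*", "Effect": "Allow"}},
    "SSM": {"Statement": {"Action": ["ssm:*"], "Resource": "*", "Effect": "Allow"}},
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a scalar or a list; normalize."""
    return value if isinstance(value, list) else [value]


def allow_statements(policies):
    """Yield every Allow statement whose Resource covers everything ("*")."""
    for document in policies.values():
        for stmt in _as_list(document["Statement"]):
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
                yield stmt


def is_allowed(policies, action):
    """Whether some Allow statement's Action pattern matches the action.
    IAM action matching is case-insensitive and supports * and ? wildcards,
    which fnmatch reproduces once both sides are lower-cased."""
    action = action.lower()
    for stmt in allow_statements(policies):
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action, pattern.lower()):
                return True
    return False


def wildcard_services(policies):
    """Service prefixes for which every API call is allowed on every resource."""
    services = set()
    for stmt in allow_statements(policies):
        for pattern in _as_list(stmt.get("Action", [])):
            service, _, verb = pattern.partition(":")
            if verb == "*":
                services.add(service.lower())
    return services


def can_manage_iam(policies):
    """True when the role may create roles and attach or inline policies to
    them, the combination that makes a principal administrator-equivalent."""
    needed = ("iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy")
    return all(is_allowed(policies, a) for a in needed)


if __name__ == "__main__":
    print("services granted wholesale:", sorted(wildcard_services(PERMISSION_POLICIES)))
    print("can manage IAM:", can_manage_iam(PERMISSION_POLICIES))
    for call in ("cloudformation:UpdateStack", "lambda:InvokeFunction", "s3:GetObject"):
        print(f"{call}: {'allowed' if is_allowed(PERMISSION_POLICIES, call) else 'not allowed'}")
```

The same functions work on a role's attached policies pulled with `aws iam get-role-policy` / `aws iam get-policy-version`, so the check can be repeated after deployment to confirm the member-account role has not drifted beyond the documented grants. Where a deployment only needs a subset of a service (for example, specific S3 buckets or SageMaker notebook operations), replacing the service:* entries with an explicit action list and resource ARNs is the least-privilege change to make.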