This repository has been archived by the owner. It is now read-only.
A Terraform module to create an IAM Role for Cross Account delegation.
HCL
Latest commit 0aef922 Jun 5, 2019

terraform-aws-cross-account-role

A Terraform module to create an IAM role for cross-account use. This module creates the role in the satellite account, but does not configure access in the source account.

Usage

```hcl
# Account 111111111111 (satellite account) configuration

# Creates arn:aws:iam::111111111111:role/CrossAccountDeveloper
module "cross_account_role" {
  source = "github.com/azavea/terraform-aws-cross-account-role?ref=1.0.0"
  name   = "CrossAccountDeveloper"

  # Principals trusted to assume the role: a bare account ID (treated as that
  # account's root, i.e. any principal in it that has been granted
  # sts:AssumeRole) and one specific IAM user in another account.
  principal_arns = ["222222222222", "arn:aws:iam::333333333333:user/MyUser"]

  # Managed policies attached to the role; these bound what the role can do.
  policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
  ]
}
```

```hcl
# Account 333333333333 (source account) configuration

# Identity-based policy to attach to MyUser so it may assume the role.
# An identity-based policy carries no principals block: the principal is
# whichever user, group, or role the policy is attached to. The statement
# attribute is `resources` (plural).
data "aws_iam_policy_document" "cross_account_assume_role" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::111111111111:role/CrossAccountDeveloper"]
  }
}
```
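The module stops at the satellite-account role; the source-account side is the caller's job. The following is an added example, not code from the module or its README, that grants MyUser the assume-role permission and then uses the role through a provider alias so that a mistaken `terraform apply` in the wrong account fails rather than silently succeeds. The policy and attachment resource names, the `us-east-1` region, and the session name are assumptions.

```hcl
# Account 333333333333 (source account): grant MyUser the right to assume the
# satellite role, then consume the role via a provider alias.
# Added example; resource names, region, and session name are assumptions.

resource "aws_iam_policy" "assume_cross_account_developer" {
  name = "AssumeCrossAccountDeveloper"

  # Identity-based policy: no Principal element, only the action and the
  # single role ARN it may be used against.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = "arn:aws:iam::111111111111:role/CrossAccountDeveloper"
    }]
  })
}

# Attach to the exact user named in the satellite role's trust policy.
resource "aws_iam_user_policy_attachment" "my_user_cross_account" {
  user       = "MyUser"
  policy_arn = aws_iam_policy.assume_cross_account_developer.arn
}

# Provider alias whose credentials come from assuming the satellite role.
# Anything declared with `provider = aws.satellite` is created in account
# 111111111111 with only the role's attached permissions (ECR PowerUser and
# S3 read-only in the README's example).
provider "aws" {
  alias  = "satellite"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/CrossAccountDeveloper"
    session_name = "terraform-MyUser" # shows up in CloudTrail for the session
  }
}

# Sanity check: which identity Terraform actually runs as through the alias.
data "aws_caller_identity" "satellite" {
  provider = aws.satellite
}

output "satellite_caller_arn" {
  # Expected form: arn:aws:sts::111111111111:assumed-role/CrossAccountDeveloper/terraform-MyUser
  value = data.aws_caller_identity.satellite.arn
}
```

Note that IAM groups cannot be principals in a role trust policy; to let a group's members use the role, list an account, role, or user in `principal_arns` and attach the assume-role policy above to the group on the source side.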

Variables

  • name - Name of the IAM Role you'd like to create.
  • principal_arns - List of ARNs for the AWS accounts, groups, users, or roles that should be able to assume this role (they are written into the role's trust policy).
  • policy_arns - List of ARNs of IAM policies to attach to the IAM role.

Outputs

  • role_arn - ARN of the IAM role.