This repository has been archived by the owner on Jan 19, 2022. It is now read-only.

Update README
mattmb committed Apr 10, 2015
1 parent 2866460 commit 85eea3e
Showing 2 changed files with 17 additions and 0 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
## Version unreleased

* Add cross account AWS IAM capabilities in order to deploy from other AWS accounts.

## Version 0.2.1

* Fix rsync missing passwords yaml from salt-pillar
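
Review bot: The new bullet under "Version unreleased" does not name the setting or the resources the feature creates. The README part of this commit documents it as ``iam: deploy_account``, producing an IAM policy, a role and a ``deployrole`` output, so the entry could read "Add ``iam.deploy_account`` option, which creates an IAM role (``deployrole`` output) that the given account can assume for deployment". That lets anyone auditing a stack for cross-account trust find the change from the changelog. The commit message "Update README" also does not mention that the changelog is touched.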
13 changes: 13 additions & 0 deletions README.rst
Expand Up @@ -197,3 +197,16 @@ By default the ELBs will have a security group opening them to the world on 80 a
If you set the protocol on an ELB to HTTPS you must include a key called `certificate_name` in the ELB block (as example above) and matching cert data in a key with the same name as the cert under `ssl` (see example above). The `cert` and `key` are required and the `chain` is optional.

The certificate will be uploaded before the stack is created and removed after it is deleted.

Deploy Access
+++++++++++++
For the purpose of deployment we need to grant limited access to the AWS api. For example to find the master in the stack or to upload to the static S3 bucket. To do this from another account you can put the following in your yaml::

iam:
deploy_account: my-12-digit-AWS-account-id

This will cause the tool to create an IAM policy and role allowing users in the specified account to assume limited priviliges in the account you deploy to. A cloudformation output with the ARN id of this role is also created called ``deployrole``

To assume the role you must have an account with the ``sts:AssumeRole`` privilige and use the tool like so::

AWS_ROLE_ARN_ID='myARNid' fab aws:cross-account ...
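
Review bot: The "Deploy Access" section says the role grants "limited priviliges" but never lists them; the only hint is the two examples in its first paragraph (finding the master, uploading to the static S3 bucket). Please state which actions and resources the generated policy allows, and whether "users in the specified account" means every principal in that account, since that decides who can act in the account being deployed to. Smaller points in the same hunk: "priviliges" and "privilige" should be "privileges" and "privilege", "AWS api" should be "AWS API", the sentence ending in ``deployrole`` lacks a full stop, and the ``AWS_ROLE_ARN_ID='myARNid'`` line should say that the value is the ARN taken from the ``deployrole`` output.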
