Attach a Policy or Policies to a Cross-Account Role

Introduction

After you have created a policy or policies, follow this procedure to attach them to a cross-account role.


Procedure

  1. From the dashboard, click Roles.
     The Roles page opens.

  2. From the middle of the page, click Create role.
     The Create role page opens.

  3. In the Select type of trusted entity section, click Another AWS account.
     The screen prompts you to add an Account ID value and other options.

     How Do I Retrieve My Account ID from CloudCheckr?

     1. Return to your selected account in CloudCheckr.
     2. Select your account from the Accounts List page.
     3. From the left navigation pane, select Account Settings > AWS Credentials.
     4. Click Toggle Manual vs CloudFormation to create a cross-account role manually.
     5. Copy the account ID identified in the instructions.

  4. Paste the account ID from your CloudCheckr account.

  5. In the Options section, select Require external ID (Best practice when a third party will assume this role).
     Information about the external ID displays.

  6. Paste the external ID value from your CloudCheckr account and verify that the Require MFA radio button is not selected.

     How Do I Retrieve My External ID from CloudCheckr?

     1. Return to your selected account in CloudCheckr.
     2. From the left navigation pane, select Account Settings > AWS Credentials.
     3. Click Toggle Manual vs CloudFormation to create a cross-account role manually.
     4. Copy the account ID identified in the instructions.

  7. Click Next: Permissions.
     A list of policies displays.

  8. Select the checkbox next to the policy or policies that you just added and click Next: Review.
     The Review page opens.

  9. Type a name for the role, and click Create role.
     A list of roles displays.

  10. From the list, click the name of your new role.

     Note: Cross-Account Access is only supported for Standard (Commercial) accounts within CloudCheckr. You cannot change this setting.

     The Summary page opens. Notice the Role ARN value at the top of the page.

     ARN values use this format: arn:aws:iam::YourAccountIDHere:role/CloudCheckrRole.

     For the purposes of this procedure, we have masked the true ARN value.

  11. Click the Copy icon next to the Role ARN.
  12. Select the checkbox if this is an account from India managed by Amazon Internet Services Pvt. Ltd (AISPL).
  13. Paste the Role ARN value in the field.
  14. Click Update.
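
The role created by this procedure should trust only the CloudCheckr account, require the external ID, and not require MFA. The following added example (not CloudCheckr or AWS code) audits a role's trust policy JSON for exactly those three settings; the account ID, the external ID and both sample policies are constructed placeholders.

```python
import json

# Constructed placeholder values, not real CloudCheckr identifiers.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "CC-EXAMPLE-EXTERNAL-ID"

def _as_list(value):
    # IAM policy fields accept either a single value or a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the policy matches the procedure."""
    findings = []
    expected = {account_id, f"arn:aws:iam::{account_id}:root"}
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow"
              and set(_as_list(s.get("Action"))) & {"sts:AssumeRole", "sts:*", "*"}]
    if not allows:
        findings.append("no Allow statement for sts:AssumeRole")
    for stmt in allows:
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if not aws or any(p not in expected for p in aws):
            findings.append(f"principal not limited to account {account_id}: {aws}")
        cond = stmt.get("Condition", {})
        if _as_list(cond.get("StringEquals", {}).get("sts:ExternalId")) != [external_id]:
            findings.append("sts:ExternalId condition missing or not the expected value")
        if any(k.lower() == "aws:multifactorauthpresent" for b in cond.values() for k in b):
            findings.append("MFA condition present; the procedure leaves Require MFA unselected")
    return findings

# Constructed sample: the trust policy shape the console writes for this procedure.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "CC-EXAMPLE-EXTERNAL-ID"}}}]}""")

# Constructed sample: any principal, no external ID, MFA required.
BAD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "*"},
  "Action": "sts:AssumeRole",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}""")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_trust_policy(doc, VENDOR_ACCOUNT_ID, EXTERNAL_ID) or "ok")
```

To check a real role, pass in the AssumeRolePolicyDocument returned by aws iam get-role, together with the account ID and external ID shown in CloudCheckr.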

See Also:

Preparing Your AWS Account