Using AWS CLI To Create a Cross-Account Role Policy

Introduction

The AWS Command Line Interface (CLI) tool allows users to interact directly with the public APIs of AWS services from a terminal program in order to better manage or customize those services.

Follow the steps in this procedure to use AWS CLI to create a cross-account role policy.


  1. Log in to the AWS Management Console.
     The Welcome to Identity and Access Management screen displays.
  2. From the left navigation pane, click Users.
     A list of AWS users displays.
  3. Click your IAM user name.
     The Summary screen displays.
  4. Click the Security credentials tab and click the Create access key button.
     The Create access key dialog box opens and displays the access key ID.
  5. Click Show to display the secret access key.
  6. Click Download .csv file to download the key pair.
  7. Copy the keys to a secure location on your PC.
  8. From the Microsoft Windows command prompt, type aws configure and press Enter.
  9. Paste the AWS access key ID and AWS secret access key that you generated earlier.
  10. Type the name of the AWS region.
  11. Type json as the default output format.
  12. Create a new text file and name it assume-cross-account-role-policy.json. Copy and paste the following code into this file:
     assume-cross-account-role-policy.json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "AWS": "arn:aws:iam::087544996801:root"
           },
           "Action": "sts:AssumeRole",
           "Condition": {
             "StringEquals": {
               "sts:ExternalId": "CC-6D592DC16AE2AE80456FCF34DF984EA5"
             }
           }
         }
       ]
     }

  13. Create another text file and name it full-readonly-policy.json.
  14. Copy and paste the following code into this file:
     full-readonly-policy.json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "FullPolicy",
           "Action": [
             "acm:DescribeCertificate",
             "acm:ListCertificates",
             "acm:GetCertificate",
             "autoscaling:Describe*",
             "cloudformation:DescribeStacks",
             "cloudformation:GetStackPolicy",
             "cloudformation:GetTemplate",
             "cloudformation:ListStackResources",
             "cloudfront:List*",
             "cloudfront:GetDistributionConfig",
             "cloudfront:GetStreamingDistributionConfig",
             "cloudhsm:Describe*",
             "cloudhsm:List*",
             "cloudsearch:Describe*",
             "cloudtrail:DescribeTrails",
             "cloudtrail:GetTrailStatus",
             "cloudwatch:DescribeAlarms",
             "cloudwatch:GetMetricStatistics",
             "cloudwatch:ListMetrics",
             "config:DescribeConfigRules",
             "config:GetComplianceDetailsByConfigRule",
             "config:Describe*",
             "datapipeline:ListPipelines",
             "datapipeline:GetPipelineDefinition",
             "datapipeline:DescribePipelines",
             "directconnect:DescribeLocations",
             "directconnect:DescribeConnections",
             "directconnect:DescribeVirtualInterfaces",
             "dynamodb:ListTables",
             "dynamodb:DescribeTable",
             "dynamodb:ListTagsOfResource",
             "ec2:Describe*",
             "ec2:GetConsoleOutput",
             "ecs:ListClusters",
             "ecs:DescribeClusters",
             "ecs:ListContainerInstances",
             "ecs:DescribeContainerInstances",
             "ecs:ListServices",
             "ecs:DescribeServices",
             "ecs:ListTaskDefinitions",
             "ecs:DescribeTaskDefinition",
             "ecs:ListTasks",
             "ecs:DescribeTasks",
             "elasticache:Describe*",
             "elasticache:ListTagsForResource",
             "elasticbeanstalk:Describe*",
             "elasticfilesystem:Describe*",
             "elasticloadbalancing:Describe*",
             "elasticmapreduce:Describe*",
             "elasticmapreduce:ListSteps",
             "elasticmapreduce:ListInstanceGroups",
             "elasticmapreduce:ListBootstrapActions",
             "elasticmapreduce:ListClusters",
             "elasticmapreduce:ListInstances",
             "es:ListDomainNames",
             "es:DescribeElasticsearchDomains",
             "glacier:List*",
             "glacier:DescribeVault",
             "glacier:GetVaultNotifications",
             "glacier:DescribeJob",
             "glacier:GetJobOutput",
             "iam:Get*",
             "iam:List*",
             "iam:GenerateCredentialReport",
             "iot:DescribeThing",
             "iot:ListThings",
             "kinesis:ListStreams",
             "kinesis:DescribeStream",
             "kinesis:GetShardIterator",
             "kinesis:GetRecords",
             "kms:Describe*",
             "kms:Get*",
             "kms:List*",
             "lambda:ListFunctions",
             "lambda:ListTags",
             "rds:Describe*",
             "rds:ListTagsForResource",
             "redshift:Describe*",
             "redshift:ViewQueriesInConsole",
             "route53:ListHealthChecks",
             "route53:ListHostedZones",
             "route53:ListResourceRecordSets",
             "s3:GetBucketACL",
             "s3:GetBucketLocation",
             "s3:GetBucketLogging",
             "s3:GetBucketPolicy",
             "s3:GetBucketTagging",
             "s3:GetBucketWebsite",
             "s3:GetBucketNotification",
             "s3:GetLifecycleConfiguration",
             "s3:GetObject",
             "s3:GetObjectMetadata",
             "s3:GetNotificationConfiguration",
             "s3:List*",
             "ses:ListIdentities",
             "ses:GetSendStatistics",
             "ses:GetIdentityDkimAttributes",
             "ses:GetIdentityVerificationAttributes",
             "ses:GetSendQuota",
             "sdb:ListDomains",
             "sdb:DomainMetadata",
             "support:*",
             "swf:ListClosedWorkflowExecutions",
             "swf:ListDomains",
             "swf:ListActivityTypes",
             "swf:ListWorkflowTypes",
             "sns:GetTopicAttributes",
             "sns:GetSubscriptionAttributes",
             "sns:ListTopics",
             "sns:ListSubscriptionsByTopic",
             "sns:GetSnsTopic",
             "ssm:List*",
             "sqs:ListQueues",
             "sqs:GetQueueAttributes",
             "storagegateway:Describe*",
             "storagegateway:List*",
             "workspaces:DescribeWorkspaceDirectories",
             "workspaces:DescribeWorkspaceBundles",
             "workspaces:DescribeWorkspaces",
             "Organizations:List*",
             "Organizations:Describe*"
           ],
           "Effect": "Allow",
           "Resource": "*"
         },
         {
           "Sid": "CloudWatchLogsSpecific",
           "Effect": "Allow",
           "Action": [
             "logs:GetLogEvents",
             "logs:DescribeLogGroups",
             "logs:DescribeLogStreams"
           ],
           "Resource": [
             "arn:aws:logs:*:*:*"
           ]
         }
       ]
     }

  15. In assume-cross-account-role-policy.json, replace the account ID in the Principal ARN and the sts:ExternalId value with the role_account_id and cc_external_id from the response you received when you created the account. The response looks like this:
     {
       "account_status": "Success",
       "cc_account_id": 3117,
       "credential_status": "No credentials given. Can use the following role_account_id and role_external_id to create cross-account role within AWS.",
       "role_account_id": "087544996801",
       "cc_external_id": "CC-6D592DC16AE2AE80456FCF34DF984EA5"
     }

  16. From the Windows command prompt, run the following command to create the role with that trust policy:
     aws iam create-role --role-name example_role_name --assume-role-policy-document file://assume-cross-account-role-policy.json

  17. Attach the full read-only policy to the new role by typing the following at the command prompt:
     aws iam put-role-policy --role-name example_role_name --policy-name example_policy_name --policy-document file://full-readonly-policy.json
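The following script is an added example and is not part of the original procedure or of any vendor tooling. It ties the file-editing and CLI steps above together: it fills the assume-cross-account-role-policy.json template with the role_account_id and cc_external_id from the registration response, checks that the resulting trust policy still names exactly one account, allows only sts:AssumeRole, and keeps the sts:ExternalId condition (the external ID is what prevents another customer of the same provider from being routed into your role, the confused-deputy problem), lints a permissions policy for actions whose verb is not read-only (the page's full-readonly-policy.json contains support:*, which the linter reports), and prints the two aws iam commands. The account ID and external ID in the script are placeholders, and SAMPLE_READONLY_POLICY is a constructed subset of the page's policy, not the full document.

```python
"""Build and sanity-check the trust policy and permissions policy used above.

Added example, not part of the original procedure. Assumes the registration
response has the shape shown on the page (role_account_id, cc_external_id).
All IDs below are constructed placeholders, not real values.
"""
import json
import re

# Constructed stand-in for the registration response shown on the page.
REGISTRATION_RESPONSE = {
    "account_status": "Success",
    "cc_account_id": 0,                         # placeholder
    "role_account_id": "111111111111",          # placeholder, not a real account
    "cc_external_id": "CC-EXAMPLEEXTERNALID",   # placeholder
}

# Verbs we accept as read-only when linting a permissions policy.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Generate", "View")


def build_trust_policy(role_account_id: str, external_id: str) -> dict:
    """Return the page's assume-role (trust) policy with the two IDs filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{role_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict) -> list:
    """Return findings; an empty list means the trust policy is as tight as
    the procedure intends: one named account root, AssumeRole only,
    and an external ID that the caller must present."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = str(stmt.get("Principal", {}).get("AWS", ""))
        if not re.fullmatch(r"arn:aws:iam::\d{12}:root", principal):
            findings.append(f"principal is not a single account root: {principal!r}")
        if stmt.get("Action") != "sts:AssumeRole":
            findings.append(f"unexpected action: {stmt.get('Action')!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
    return findings


def non_read_only_actions(policy: dict) -> list:
    """Return every action whose verb does not start with a read-only verb.
    A service-wide wildcard such as 'support:*' is reported as well."""
    flagged = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


def cli_commands(role_name: str, policy_name: str) -> list:
    """The create-role and put-role-policy commands from the procedure."""
    return [
        f"aws iam create-role --role-name {role_name} "
        "--assume-role-policy-document file://assume-cross-account-role-policy.json",
        f"aws iam put-role-policy --role-name {role_name} --policy-name {policy_name} "
        "--policy-document file://full-readonly-policy.json",
    ]


# Constructed subset of the page's full-readonly-policy.json, kept short here.
SAMPLE_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullPolicy", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "iam:GenerateCredentialReport", "support:*",
                    "redshift:ViewQueriesInConsole", "s3:GetObject"]},
        {"Sid": "CloudWatchLogsSpecific", "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups"],
         "Resource": ["arn:aws:logs:*:*:*"]},
    ],
}


if __name__ == "__main__":
    trust = build_trust_policy(REGISTRATION_RESPONSE["role_account_id"],
                               REGISTRATION_RESPONSE["cc_external_id"])
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", check_trust_policy(trust) or "none")
    print("non read-only actions:", non_read_only_actions(SAMPLE_READONLY_POLICY))
    for cmd in cli_commands("example_role_name", "example_policy_name"):
        print(cmd)
```

Run it once with your real role_account_id and cc_external_id substituted into REGISTRATION_RESPONSE, write the printed trust policy to assume-cross-account-role-policy.json, and only then run the two printed commands; if check_trust_policy reports anything, the file has drifted from the template on the page and should be corrected before create-role is run.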