AWS Partner Network (APN) Blog

Easing the Creation of Cross-Account Roles for Customers

By Erin McGill, Partner Solutions Architect – AWS

AWS Partners frequently ask me about the most secure way to access resources in a customer account. While this is possible using keys – secrets that are hard to manage, rotate, and ideally, should never be shared. We recommend that AWS Partners use a more secure method: cross-account roles.

We have previously covered how to securely access customer AWS accounts using cross-account IAM roles by describing a manual process. To manually create a cross-account IAM role, the APN Partner needs to provide their account number and unique customer external ID to the customer, then the customer needs to create the role and attach the necessary policies to that role for the partner solution to access the AWS services in their own AWS account, and, finally, the user needs to provide the ARN for the role back to the partner.

While the process works, feedback from some of our partners is that this process can be complicated and confusing to implement for customers.

A way to simplify cross-account creation is to use AWS CloudFormation with a custom launch stack URL. CloudFormation can create IAM roles, and custom launch stack URLs are an easy way to help the customer launch the CloudFormation stack. At AWS, we use launch stack URLs with our sample templates to enable our customers to quickly launch the templates and think that this will help to make keeping your customers’ accounts secure easier.

By providing the launch stack URL, you can easily add the creation of a cross-account role into you customer’s onboarding workflow.

Use the syntax:

In the URL, you need to provide:

  • region: the desired region to launch the CloudFormation stack. If you do not specify a region, the users will be directed to the last region they used. The IAM service is global, so the Region you select for your customers can be anywhere within the AWS ecosystem.
  • stack_name: The stack name is a helpful description of the CloudFormation stack, like MyCompanyCrossAccountIAMRole. A stack name can contain only alphanumeric characters (case sensitive) and hyphens. It must start with an alphabetic character and cannot be longer than 128 characters.
  • template_location: The template URL is the publicly accessible Amazon S3 location for your CloudFormation template that describes your cross-account role and permissions.

Here is an example of a completed link:

When the customer launches the stack, the template location URL and stack name will already be filled in for them. They will only need to verify the parameters. Check the box to acknowledge that AWS CloudFormation will create IAM resources, and click create.

By using CloudFormation, we can also call custom resources to deliver the output ARN of the role, or the success or failure of the stack creation back to your portal, trigger other workflows, but most importantly, ease the customer onboarding experience.

Check out post two in our series, "Generating Custom AWS CloudFormation Templates with Lambda to Create Cross-Account Roles", to explore the use of custom CloudFormation templates to further streamline the onboarding process!

Do you have any questions or comments? Let us know in the comments section, and keep an eye out for a number of additional posts to be published on this topic.