Tuesday, January 13, 2015

AWS Cross-Account IAM Roles in CloudFormation

The AWS documentation is relatively sparse when it comes to creating specific IAM role types using CloudFormation. It describes the process of setting up standard roles, attaching roles to instances, etc., but doesn't mention that all of the other role types can also be created using CloudFormation.

For example, when you log into the AWS console and click on "IAM," you see a number of different roles you can create:

AWS Service Roles
Role for Cross-Account Access
Role for Identity Provider Access

However, these role types are merely different adaptations of the same concept. In the following steps, I'll show how to create a Cross-Account Role using CloudFormation.

1. Add the following to the "Resources" section of your CloudFormation template:

"CrossAccountRole" : {
  "Type" : "AWS::IAM::Role",
  "Properties" : {
    "AssumeRolePolicyDocument" : {
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "AWS": "arn:aws:iam::ACCOUNT_NUMBER_HERE:root"
          },
          "Action" : [
            "sts:AssumeRole"
          ]
        }
      ]
    }
  }
},

2. Add another resource for the policy:

"CrossAccountPolicy" : {
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
    "PolicyName" : "IAMInstancePolicy",
    "PolicyDocument" : {
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "*"
          ],
          "Resource" : [
            "*"
          ]
        }
      ]
    },
    "Roles" : [
      { "Ref" : "CrossAccountRole" }
    ]
  }
},

3. Adjust the account number and resources as needed:

As written, this policy grants full administrative access to the role, and any principal in the account you specify can assume it. To restrict permissions, narrow the "Action" and "Resource" entries in the "Statement" section of the policy document as desired.
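As an added example that is not part of the original post, here is a small Python check that walks a template containing these two resources and flags the things step 3 asks you to adjust: a trust principal still set to the placeholder (or to a wildcard), a trust policy without a "Version", and an attached policy that grants "Action" "*" on "Resource" "*". The sample template is constructed inline from the two snippets above; the function names, the finding strings and the principal regex are my own assumptions.

```python
import json
import re

# Constructed sample: the two resources from the post, wrapped in a minimal
# template. The ACCOUNT_NUMBER_HERE placeholder is left unreplaced on purpose.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "CrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Principal": {"AWS": "arn:aws:iam::ACCOUNT_NUMBER_HERE:root"}}]}}},
    "CrossAccountPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "IAMInstancePolicy",
        "PolicyDocument": {"Statement": [
          {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]},
        "Roles": [{"Ref": "CrossAccountRole"}]}}}}""")

# A concrete IAM principal: 12-digit account id plus root, a user or a role.
IAM_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:(root|user/.+|role/.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts str or list


def check_template(template):
    """Return (resource_name, finding) tuples for cross-account role hygiene."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            trust = props.get("AssumeRolePolicyDocument", {})
            if "Version" not in trust:
                findings.append((name, "trust policy has no Version"))
            for st in _as_list(trust.get("Statement", [])):
                if st.get("Effect") != "Allow":
                    continue
                for p in _as_list(st.get("Principal", {}).get("AWS", [])):
                    if p == "*":
                        findings.append((name, "trust policy allows any AWS principal"))
                    elif not IAM_PRINCIPAL.match(p):
                        findings.append((name, f"trust principal is a placeholder or malformed: {p}"))
        elif res.get("Type") == "AWS::IAM::Policy":
            roles = [r["Ref"] for r in props.get("Roles", []) if isinstance(r, dict) and "Ref" in r]
            for st in _as_list(props.get("PolicyDocument", {}).get("Statement", [])):
                if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", []))
                        and "*" in _as_list(st.get("Resource", []))):
                    findings.append((name, f"grants Action * on Resource * to roles {roles}"))
    return findings
```

Run against the sample it reports three findings; once the account number is filled in, a "Version" is added to the trust policy, and the policy's actions and resources are narrowed, it reports none.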
