IaC AWS IAM is a set of example AWS CloudFormation templates for quickly setting up infrastructure pipelines for Cross-Account Access using AWS CodePipeline and GitHub repo as the pipeline trigger/source. Using this setup, IAM users(human users intended) only have to be created once in the jump account(manager account) and then can assume roles to other AWS accounts owned by the same owner(think AWS Organizations). This repository contains cloudformation templates for setting up: IAM Users, IAM Groups and IAM Roles for those who:
- have multiple AWS accounts and want to manage & roll out all human users automatically (Continuous deployment).
- want to setup multiple AWS accounts from scratch and looking to implement cloudformation templates for AWS IAM users, roles and groups.
- AWS IAM: Identity and Access Management service for accessing AWS services
- AWS CloudFormation: Infrastructure as Code Service for creating AWS resources. Yaml as the templates language
- AWS CodePipeline: Continuous Delivery Service by AWS, used here to automatically deploy any changes pushed to the source git repository.
- manager-account: Main AWS account which only has IAM Groups and Users and acts as a jump account.
- managed-accounts: Team/Project & environment wise AWS accounts e.g. development-staging or androidApp-production.
- jump account: Another name for manager account.
User Login: Login to manager account -> Assume role to a managed account based upon group membership
iac-aws-iam
│
├── README.md
├── managed-accounts
│ └── project1-production
│ ├── pipeline.yaml
│ └── roles.yaml
└── manager-account
├── groups-admin.yaml
├── pipeline.yaml
└── users.yaml
Following two types of pipelines will be setup using only the already defined resources in templates:
- IAM Roles Pipeline: Should be setup first in the managed account(s) so the IAM groups referencing to
AssumeRoleof the relevant role will not point to a non-existent resource. Each AWS account should have its own pipeline for setting up roles. - IAM Users and Groups Pipeline: Has to be setup once in the main/manager account.
- Rename
project1-productionas desired and add all the aws accounts as directories under:managed-accounts- Also adjust the
TemplatePathvalues accordingly in pipeline.yaml.
- Also adjust the
- Replace the example AWS account ID
012345678901inproject1-productionand subsequently for all managed accounts you want to use. - Create the pipeline stack in AWS CloudFormation console or via api/cli using
managed-accounts/project1-production/pipeline.yamlwhich will setup the roles stack itself. See this for how to do that. - Provide your GitHub token for the parameter value. Check this guide for details on how to generate one.
- Update/add the example account ID mappings in
groups-admin.yaml. Create more group templates if desired using this file and name appropriately e.g.groups-developer.yamlorgroups-readonly.yaml. Also change project names as desired and adjustGroupNameand Output Export values accordingly. - Add more list items under
ActionunderGroup-Stagein the pipeline with correctTemplatePathfor each new template added(assuming more group templates were created in above step). - Add more IAM users in the
users.yamlas desired and adjust passwords and group memberships.- Important The
GroupNameattribute is being imported from the IAM groups stack so the names must match.
- Important The
- Login to manager account and create the pipeline stack using
manager-account/pipeline.yamland provide GuitHub access token again.
Once the pipelines finish, the users should be able to login using their one-time passwords and can then assume roles into various AWS accounts as defined by the IAM groups they are members of.
Here are some documentation links which can be used as references:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codepipeline-pipeline.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html
https://docs.aws.amazon.com/codepipeline/latest/userguidereference-pipeline-structure.html#pipeline-requirements