Create a cross-account IAM role

In order to use role-based authentication, you must create an IAM role on AWS.

Prior to creating a cross-account IAM role on AWS, log in to the CDP web interface and obtain the parameters that you need to provide for the IAM role:
  1. In the Management Console, navigate to Environments > Shared Resources > Credentials > Create Credential:

  2. Select role-based.
  3. Note or copy the Cross-account Access Policy, Account ID, and External ID listed here:

    You will need them to complete the following steps.

  1. Log in to the AWS Management Console.
  2. Navigate to the IAM console > Roles and click Create Role:

  3. In the “Create Role” wizard, select the Another AWS account role type. Next, provide the following:
    • In the Account ID field, copy and paste your Account ID provided in CDP.
    • Under Options, check Require external ID and under External ID, copy and paste the External ID from CDP.

  4. When done, click Next: Permissions to navigate to the next page in the wizard.
  5. Click Create policy. The Create policy wizard opens in a new browser tab:

  6. Select the JSON view, and copy and paste the policy definition. You can either copy it from the Management Console web interface or from aws-cb-policy.json:

  7. When done, navigate to Review policy.
  8. On the Review policy page, in the Name field, enter a name for your policy:

  9. When done, click Create Policy.
  10. Return to the previous browser tab where you started creating a new role (since the create policy wizard was opened in a new browser tab).
  11. Click Refresh.
  12. Find the policy that you just created and select it by checking the box:

  13. When done, click Next: Review.
  14. In the Role name field, enter a role name.

  15. When done, click Create role to finish the role creation process.
  16. Obtain the IAM Role ARN. You will need it to create a role-based credential:

Once you are done creating the IAM role, you can create a role-based credential in CDP.
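The steps above produce a role trust policy that allows only the CDP account to assume the role, and only when it presents the External ID (the "Require external ID" option). The following Python snippet is an added example, not code from the original documentation or from CDP: it builds the equivalent trust policy document from the Account ID and External ID, and includes a review function a defender can run over an existing trust policy to confirm that no AssumeRole statement uses a wildcard principal or omits the `sts:ExternalId` condition. The account ID and External ID values are constructed placeholders.

```python
from __future__ import annotations

import json
from typing import List

# Constructed placeholder values. In practice these come from the CDP
# Management Console (Environments > Shared Resources > Credentials >
# Create Credential > role-based).
CDP_ACCOUNT_ID = "123456789012"          # placeholder, not a real account
CDP_EXTERNAL_ID = "example-external-id"  # placeholder External ID


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS account' in the
    Create Role wizard with 'Require external ID' checked: only the named
    account may call sts:AssumeRole, and only with the matching External ID.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy: dict) -> List[str]:
    """Review a trust policy and return the problems found.

    An empty list means every Allow statement granting AssumeRole names a
    specific AWS principal and requires an sts:ExternalId; either a wildcard
    principal or a missing External ID condition is reported as a finding.
    """
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = principal.get("AWS", [])
            if isinstance(aws_principals, str):
                aws_principals = [aws_principals]
        else:
            aws_principals = [principal]  # bare "*" principal
        if "*" in aws_principals:
            findings.append(f"statement {i}: principal is a wildcard")

        # The wizard's "Require external ID" option emits exactly this shape.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(CDP_ACCOUNT_ID, CDP_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy) or "none")
```

The review function is the part worth keeping: pasting the trust policy of an existing cross-account role into it tells you whether the role is still pinned to one account with an External ID, which is the property this procedure sets up and the one most often lost when a role is later edited by hand.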