Create a cross-account IAM role
In order to use role-based authentication, you must create an IAM role on AWS.
Prior to creating a cross-account IAM role on AWS, log in to the CDP web interface and obtain the parameters that need to provide for the IAM role:
- In the Management Console, navigate to Environments > Shared Resources > Credentials > Create Credential:
- Select role-based.
- Note or copy the Cross-account Access Policy, Account ID, and
External ID listed here:
You will need them to complete the following steps.
- Log in to the AWS Management Console.
Navigate to the IAM console > Roles and click Create
- In the “Create Role” wizard, select Another AWS account role type. Next, provide
- In the Account ID field, copy and paste your Account ID provided in CDP.
- Under Options, check Require external ID and under External ID, copy and paste the External ID from CDP.
- When done, click Next: Permissions to navigate to the next page in the wizard.
- Click Create policy and the create policy wizard will open in a new browser tab:
Select the JSON view, and copy and paste the policy definition. You can
either copy it from the Management Console web interface or from aws-cb-policy.json:
- When done, navigate to Review policy.
On the Review policy page, in the Name field, enter a name for
- When done, click Create Policy.
- Return to the previous browser tab where you started creating a new role (since the create policy wizard was opened in a new browser tab).
- Click Refresh.
Find the policy that you just created and select it by checking the box:
- When done, click Next: Review.
In the Roles name field, enter role name.
- When done, click Create role to finish the role creation process.
Obtain the IAM Role ARN. You will need it to create a role-based
Once you are done creating the IAM role on AWS, create a role-based credential in CDP.