Hi Folks,
I am trying to set up access to resources across AWS accounts using serverless. I am using serverless to deploy resources in a child account and need access to services in the parent account. For testing purposes I have created a role in the parent account that has the AdministratorAccess IAM policy attached to it. The child serverless.yml file looks like this:
```yaml
service: test-service
frameworkVersion: '2'
custom:
  stage: dev
  crossAccountAccessRoleName: ${self:service}-${self:custom.stage}-crossAccountAccessRole
provider:
  name: aws
  runtime: nodejs12.x
resources:
  Resources:
    crossAccountAccessRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:custom.crossAccountAccessRoleName}
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        Policies:
          - PolicyName: crossAccountAccessPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - 'Fn::Join':
                        - ':'
                        - - 'arn:aws:logs'
                          - Ref: 'AWS::Region'
                          - Ref: 'AWS::AccountId'
                          - 'log-group:/aws/lambda/*:*:*'
                - Effect: 'Allow'
                  Action:
                    - 's3:PutObject'
                  Resource:
                    Fn::Join:
                      - ''
                      - - 'arn:aws:s3:::'
                        - 'Ref': 'ServerlessDeploymentBucket'
functions:
  crossAccountFunc:
    handler: apiCrossAccountFunc.handler
    role: crossAccountAccessRole
```
After creating the new role using serverless, I took the ARN of the newly created role and added it as a trusted relationship on the parent’s role. The crossAccountFunc calls listBucket on a named bucket that is located in the parent account; however, it fails as it is unauthorised. Any ideas?
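The cross-account flow this post is after, as an added example that is not part of the original post: the child Lambda's execution role must be allowed sts:AssumeRole on the parent role, the parent role's trust policy must name the child role ARN (which the post already does), and the handler must call S3 with the temporary credentials STS returns rather than with its own execution-role credentials. The role ARN, bucket name, environment variables and the injectable client factory are assumptions for illustration, not the poster's code.

```javascript
'use strict';
// Added example (not from the original post): a nodejs12.x Lambda in the child account
// that lists a bucket in the parent account. It must not call S3 with its own
// execution-role credentials; it first assumes the parent role via STS and uses the
// short-lived credentials STS returns. Both values below are placeholders.
const PARENT_ROLE_ARN =
  process.env.PARENT_ROLE_ARN || 'arn:aws:iam::111111111111:role/PARENT-ROLE-PLACEHOLDER';
const PARENT_BUCKET = process.env.PARENT_BUCKET || 'parent-bucket-placeholder';

// aws-sdk v2 is bundled with the nodejs12.x runtime. It is loaded lazily so the module
// can be exercised with injected stub clients where the SDK is not installed.
function defaultClients() {
  const AWS = require('aws-sdk');
  return {
    sts: new AWS.STS(),
    s3ForCredentials: (creds) => new AWS.S3({ credentials: creds }),
  };
}
// Exchange the Lambda's credentials for temporary ones in the parent account.
// Prerequisites: the child role's policy allows sts:AssumeRole on roleArn, and the
// parent role's trust policy names the child role ARN as a principal.
async function assumeParentRole(sts, roleArn, sessionName) {
  const resp = await sts
    .assumeRole({ RoleArn: roleArn, RoleSessionName: sessionName, DurationSeconds: 900 })
    .promise();
  const c = resp.Credentials;
  return { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey,
           sessionToken: c.SessionToken, expiration: c.Expiration };
}
// List object keys in the parent bucket with the assumed-role credentials only.
async function listParentBucket(clients, roleArn, bucket) {
  const creds = await assumeParentRole(clients.sts, roleArn, 'child-lambda-cross-account');
  const s3 = clients.s3ForCredentials(creds);
  const out = await s3.listObjectsV2({ Bucket: bucket, MaxKeys: 1000 }).promise();
  return (out.Contents || []).map((o) => o.Key);
}
// getClients is a factory so tests can inject stubs; Lambda itself passes
// (event, context, callback), so the clients are not taken as a handler argument.
function makeHandler(getClients) {
  return async (event, context) => {
    const keys = await listParentBucket(getClients(), PARENT_ROLE_ARN, PARENT_BUCKET);
    return { statusCode: 200, body: JSON.stringify({ bucket: PARENT_BUCKET, keys }) };
  };
}
if (typeof module !== 'undefined') {
  module.exports = { handler: makeHandler(defaultClients), makeHandler };
}
```

If the STS call itself is denied, the error points at the child role's policy or the parent trust policy; if STS succeeds but listObjectsV2 is denied, the parent role's own permissions or the bucket policy are what to check.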