We are working with a multiple account approach and I’m going to deploy serverless applications that execute lambdas in different accounts, copy RDS snapshots between accounts, etc.
I deploy a serverless application to account A. This application includes a Lambda that needs to assume a role in account B, so I can fetch the status of EC2 instances in account B.
It would be ideal if it were possible to describe all roles/policies from both accounts in one single serverless.yml file.
Is this somehow possible? Are there workarounds or different approaches/best practices?
Sorry, I’m not bringing much of a solution to the table, but I’m very interested in what could come out of this discussion.
Like in your case, we are also following a multi-account strategy and using serverless to hold our logic and define the required infrastructure.
As a matter of fact, we’ve just released a small product to production. The main account is completely defined with serverless, but we’ve left the management of the “child” account to a separate process.
This secondary account is purely infrastructure (no lambdas) so it’s kind of ok to manage it manually as an independent CFN stack.
We do have to create IAM roles and policies in this secondary account and add the lambda principals of the main account as trusted entities.
Ideally, I would love to be able to have a breakdown of several services with their inter-dependencies that can be defined (and, more importantly, deployed) in a consistent manner across environments via serverless.
There are a number of already ongoing feature requests that I’d say could help greatly towards this goal.
Essentially, they are all targeted at enabling better integration and easier management of the underlying CFN infrastructure.
There might be a case for a plugin that could wrap some of these requirements together. However, my knowledge of the internals of serverless is too limited to envisage what could potentially be the path of least resistance.
Any potential hacks from other users, or guiding input from serverless folks, would be most welcome.
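An added configuration example (not from either post above) of the split both posts describe: the serverless.yml deployed to account A grants its Lambda nothing more than sts:AssumeRole on one specific role, and a separate CloudFormation template deployed to account B creates that role, trusting only account A's Lambda execution role and allowing only ec2:DescribeInstances. Account ids, the external id and the role names are placeholders, and the execution role name assumes the Serverless Framework default pattern `{service}-{stage}-{region}-lambdaRole`.

```yaml
# File 1: serverless.yml, deployed to account A (constructed example)
service: ec2-status-reader
provider:
  name: aws
  runtime: python3.9
  iamRoleStatements:
    # Least privilege: the Lambda may assume exactly one role in account B
    - Effect: Allow
      Action: sts:AssumeRole
      Resource: arn:aws:iam::<ACCOUNT_B_ID>:role/ec2-status-reader-role
functions:
  ec2Status:
    handler: handler.ec2_status
    environment:
      TARGET_ROLE_ARN: arn:aws:iam::<ACCOUNT_B_ID>:role/ec2-status-reader-role
      EXTERNAL_ID: <SHARED_EXTERNAL_ID>   # passed to AssumeRole by the handler
---
# File 2: account-b-roles.yml, a separate CloudFormation stack deployed to account B
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AccountAId:
    Type: String
Resources:
  Ec2StatusReaderRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ec2-status-reader-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Trust the Lambda execution role from account A, not the whole account
              # (assumes the Serverless default role name; stage dev, region us-east-1)
              AWS: !Sub arn:aws:iam::${AccountAId}:role/ec2-status-reader-dev-us-east-1-lambdaRole
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                # External id guards against the confused-deputy problem
                sts:ExternalId: <SHARED_EXTERNAL_ID>
      Policies:
        - PolicyName: describe-ec2-only
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ec2:DescribeInstances
                Resource: '*'
```

Deploy the account A service first: IAM validates that a role ARN named as a trust-policy principal exists, so the account B stack fails if the Lambda execution role is not there yet.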