AWS Cross-Account Nanns
Another TIL...the hard way. We have a role in our master account that we previously used to AssumeRole another role in all our other accounts to deploy Custodian rules (I love Cloud Custodian btw, you should really give it a go if you, like me, are tired of the cost and failure rate of Config). Anyway, we had not needed to use the role for a while, so I don't know when it happened, but something changed. And of course there is no documentation of it, in normal AWS fashion.
We were stumped. The role was working in its previous configuration. When we tried to redeploy some guardrails, it could assume the custodian role in Master, but now all cross-account roles were giving an "Access Denied". What we learned is that the role doing the assuming now needs an AssumeRole policy for each role it should be allowed to assume (so, an AssumeRole on both sides). For example, something like this needs to be part of your master role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeCustodianMasterrole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/whateveryounamed-yourcustodian-role"
        }
    ]
}
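As an added example (not part of the original post, and not Cloud Custodian code), the script below builds both halves of the pairing the post describes: the identity-based policy on the master role and the trust policy on each member-account role, and then checks that each target role is covered on both sides. An empty identity policy reproduces the "Access Denied" symptom even when every trust policy is fine. All account IDs and role names are constructed placeholders. The evaluator is deliberately simplified (explicit Deny wins, Conditions are ignored) and is only a sanity check on your own documents; it does not replace the IAM policy simulator or an actual sts:AssumeRole call.

```python
"""Cross-account AssumeRole checker (added example, hypothetical names)."""
import fnmatch
import json

# Constructed placeholders: the master-account role doing the assuming.
MASTER_ACCOUNT = "111111111111"
MASTER_ROLE_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:role/custodian-master"

# Constructed placeholders: member accounts holding the role that gets assumed.
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]
CUSTODIAN_ROLE_NAME = "custodian-member"


def identity_policy(account_ids, role_name):
    """Identity-based policy to attach to the master role. One explicit ARN per
    member account instead of a wildcard account id, so the role can only be
    assumed in accounts you actually own."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeCustodianRoles",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{a}:role/{role_name}" for a in account_ids],
        }],
    }


def trust_policy(assuming_role_arn):
    """Trust policy on each member-account role: the other half of the pair."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": assuming_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # IAM wildcards are * and ?; fnmatchcase handles both.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def identity_allows_assume(policy, target_role_arn):
    """Simplified evaluator: a matching Deny wins, otherwise any matching Allow
    grants. Action matching is case-insensitive; Conditions are ignored."""
    allowed = False
    for st in policy["Statement"]:
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if not (_matches("sts:assumerole", actions) and _matches(target_role_arn, resources)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(policy, assuming_role_arn):
    """True if the trust policy names the assuming role ARN for sts:AssumeRole."""
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st["Effect"] == "Allow" and assuming_role_arn in principals and "sts:assumerole" in actions:
            return True
    return False


def check_pair(identity, trusts, assuming_role_arn):
    """Return {target_arn: (identity_ok, trust_ok)}. Both must be True or the
    AssumeRole call comes back as Access Denied."""
    return {
        target_arn: (identity_allows_assume(identity, target_arn), trust_allows(trust, assuming_role_arn))
        for target_arn, trust in trusts.items()
    }


def missing_sides(report):
    """List the targets that fail, with which side of the pair is missing."""
    return [(arn, "identity" if not ident else "trust")
            for arn, (ident, trust) in report.items() if not (ident and trust)]


if __name__ == "__main__":
    ident = identity_policy(MEMBER_ACCOUNTS, CUSTODIAN_ROLE_NAME)
    trusts = {f"arn:aws:iam::{a}:role/{CUSTODIAN_ROLE_NAME}": trust_policy(MASTER_ROLE_ARN)
              for a in MEMBER_ACCOUNTS}
    print(json.dumps(ident, indent=2))
    print("configured:", missing_sides(check_pair(ident, trusts, MASTER_ROLE_ARN)))
    # The situation from the post: trust policies in place, nothing on the master role.
    empty = {"Version": "2012-10-17", "Statement": []}
    print("master role without AssumeRole statement:", missing_sides(check_pair(empty, trusts, MASTER_ROLE_ARN)))
```

The wildcard Resource from the post (`arn:aws:iam::*:role/...`) matches a role of that name in any account, including accounts outside your organisation; listing explicit account IDs, as `identity_policy` does, keeps the blast radius to accounts you control.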
Not the end of the world, but would have been nice to know, or seen documented.