Create a new Makefile in the infrastructure git project with the following content (recipe lines must start with a tab):
AWS_REGION := eu-central-1
###############################################################################################
.PHONY: log-archive-iam-roles
log-archive-iam-roles:
	aws cloudformation deploy \
	  --no-fail-on-empty-changeset \
	  --template-file log-archive/iam-roles.yml \
	  --stack-name iam-roles \
	  --parameter-overrides MasterAccountId=$(shell aws organizations describe-organization --query 'Organization.MasterAccountId' --output text) \
	  --capabilities CAPABILITY_NAMED_IAM \
	  --region $(AWS_REGION)
Create a new CloudFormation template in log-archive/iam-roles.yml and define your roles in there, e.g.:
---
AWSTemplateFormatVersion: 2010-09-09
Description: IAM roles in log-archive AWS account
Parameters:
  MasterAccountId:
    Type: String
    # AWS account IDs are exactly 12 digits; reject anything else (including an empty value)
    AllowedPattern: '^[0-9]{12}$'
    Description: ID of the master AWS account
Resources:
  RoleAdministrator:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Administrator
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Only principals from the master account may assume this role, and only with MFA present
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${MasterAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
Create the CloudFormation stack in the log-archive AWS account with the following command:
AWS_PROFILE=myorg-log-archive make log-archive-iam-roles
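Once the stack is deployed, it is worth confirming that the role's trust policy still matches the design above (only the master account root may assume it, and only with MFA), both right after deployment and in a periodic check. The script below is an added example, not part of the original setup or of any AWS tooling; the master account id and both sample policies are constructed, and against a real account the policy dict would come from `aws iam get-role --role-name Administrator --query Role.AssumeRolePolicyDocument`.

```python
"""Trust-policy lint for the log-archive Administrator role: assumable only by
the master account root, and only with MFA. Added example, not part of the
original write-up; the account id and both policies are constructed."""

MASTER_ACCOUNT_ID = "111111111111"  # constructed placeholder

# Constructed: the template's AssumeRolePolicyDocument after deployment, as
# `aws iam get-role --query Role.AssumeRolePolicyDocument` would return it.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{MASTER_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

# Constructed regression: trust widened to any principal, MFA condition dropped.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}


def _as_list(value):
    """IAM accepts a scalar or a list for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, master_account_id):
    """Return one finding per deviation from the intended design; an empty
    list means every Allow/AssumeRole statement is master-root-only with MFA."""
    findings = []
    expected = f"arn:aws:iam::{master_account_id}:root"
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*")
                   for a in _as_list(stmt.get("Action"))):
            continue
        # Principal is either the bare string "*" or a map keyed AWS/Service/...
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(
            principal if isinstance(principal, str) else principal.get("AWS"))
        for p in aws_principals:
            if p != expected:
                findings.append(f"statement {i}: principal {p!r} is not {expected}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if [str(v).lower() for v in _as_list(mfa)] != ["true"]:
            findings.append(f"statement {i}: MFA (aws:MultiFactorAuthPresent) not required")
    return findings
```

`check_trust_policy(TRUST_POLICY, MASTER_ACCOUNT_ID)` returns an empty list, while the weakened policy yields one finding for the wildcard principal and one for the missing MFA condition.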
Since this new role enforces MFA, it should be used for CLI access. Update the file ~/.aws/config as follows (the AWS CLI does not expand shell variables in this file, so replace ${AWS_ACCOUNT_ID} with the log-archive account ID and ${MFA_SERIAL} with the ARN of your MFA device in the master account):
[profile myorg-log-archive]
role_arn = arn:aws:iam::${AWS_ACCOUNT_ID}:role/Administrator
mfa_serial = ${MFA_SERIAL}
source_profile = myorg-master
Type in the following command to check if CLI access is working:
AWS_PROFILE=myorg-log-archive aws sts get-caller-identity
The response should look as follows:
{
  "UserId": "AROAS6SDLJKFLJDJFDKLFDL:botocore-session-1562431482",
  "Account": "20123434555",
  "Arn": "arn:aws:sts::20123434555:assumed-role/Administrator/botocore-session-1562431482"
}