Demo of cross-account role assumption, so that your GitLab runner (or similar CI agent) can run under one AWS account and assume roles and privileges in others.
# Identity of the account this configuration is applied in (the account that will own the role below).
data "aws_caller_identity" "current" {}

locals {
  # NOTE(review): all three IDs are obvious placeholders; replace with the real 12-digit account IDs.
  builder_account_id = "000000000001" # Where the Builder agents run
  infra_account_id   = "000000000002" # Where stuff gets built (not referenced elsewhere in this gist)
  distro_account_id  = "000000000003" # Where stuff gets built -- NOTE(review): same comment as infra_account_id; confirm this account's actual purpose (not referenced elsewhere in this gist)
}
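# Role that the CI runner assumes in this account. The trust policy (assume_role_policy) decides
# WHO may assume it; the attached policy (aws_iam_role_policy_attachment.terraform_role_policy)
# decides what it may do once assumed.
resource "aws_iam_role" "terraform_role" {
  name = "cross_account_terraform_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          # The original referenced local.main_account_id and data.aws_caller_identity.main,
          # neither of which is declared in this file (terraform would fail to plan). Use the
          # builder (runner) account local and the declared "current" data source instead.
          AWS = [
            # The account where the Builder agents run, per local.builder_account_id.
            "arn:aws:iam::${local.builder_account_id}:root",
            # The account this role lives in, so in-account principals can also assume it.
            "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
          ]
        }
        # A ":root" principal delegates to the trusted account's own IAM: any principal in that
        # account which is granted sts:AssumeRole on this role's ARN can assume it. To tighten
        # this, trust the runner's specific role ARN instead of ":root", and/or add a Condition
        # (for example on sts:ExternalId). Not done here because the runner's role ARN is not
        # known from this file.
      }
    ]
  })

  tags = {
    Service = "iam"
  }
}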
# Grants the role full administrative rights in THIS account (the one the role is created in).
# NOTE(review): AdministratorAccess is far broader than a build pipeline usually needs. Prefer a
# policy scoped to the resources the pipeline actually manages, optionally combined with a
# permissions boundary on the role, so a compromised runner cannot do arbitrary damage here.
resource "aws_iam_role_policy_attachment" "terraform_role_policy" {
  role       = aws_iam_role.terraform_role.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}