Hello,
Following is an example/scenario of how to configure the roles, permissions and policies in the source and target accounts.
Source/Main Account:
- This is where your Morpheus appliance is hosted
- Attach a role to this appliance (EC2 instance)
- Then attach permissions policies and trusted entities to this role
Permissions Policy:
This IAM policy grants permission to assume a role (sts:AssumeRole) in another AWS account (arn:aws:iam::*:role/<role_created_in_target_account>) with the condition that the provided external ID (sts:ExternalId) matches <ExternalId_generated_in_target_account>. This policy is typically used when you want to establish a trust relationship between two AWS accounts and allow cross-account access with an additional layer of security provided by the external ID. Make sure to replace <role_created_in_target_account> with the actual name of the role you want to allow access to, and <ExternalId_generated_in_target_account> with the generated external ID that is used for additional verification during the role assumption process.
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/<role_created_in_target_account>"
      ],
      "Condition": {
        "ForAnyValue:StringEqualsIfExists": {
          "sts:ExternalId": "<ExternalId_generated_in_target_account>"
        }
      }
    }
  ]
}
Trusted Entity:
This IAM policy allows the EC2 service in your AWS account to assume roles (sts:AssumeRole). This is typically used when you want EC2 instances to have specific permissions or access resources in other AWS services. With this policy, any EC2 instance in your account can assume roles, granting it temporary permissions to perform actions allowed by the assumed role's policies.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Target/Child Account:
- Create the IAM role (for example, DG_TestSandCoderExt) that is referenced in the main account's permissions policy
- Then attach a permissions policy and trusted entity to this role
Permissions Policy:
This is the minimum IAM policy (MinimumIAMPolicies) required for Morpheus services.
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "rds:*",
        "cloudwatch:DeleteAlarms",
        "route53:GetHostedZone",
        "autoscaling:*",
        "cur:PutReportDefinition",
        "cloudformation:DescribeStackEvents",
        "route53:ListResourceRecordSets",
        "cloudformation:UpdateStack",
        "es:DescribeElasticsearchDomains",
        "s3:*",
        "route53:ListHostedZones",
        "route53:ChangeResourceRecordSets",
        "cloudformation:DescribeStackResources",
        "cloudformation:*",
        "iam:ListRoles",
        "elasticloadbalancing:*",
        "ssm:GetParameters",
        "iam:ListInstanceProfiles",
        "cloudwatch:GetMetricStatistics",
        "cloudformation:DescribeStacks",
        "cloudwatch:PutMetricAlarm",
        "es:ListDomainNames",
        "cloudformation:CreateStack",
        "cloudformation:GetTemplate",
        "cloudformation:DeleteStack",
        "cloudwatch:DescribeAlarms",
        "kms:GenerateDataKey",
        "ec2:*",
        "iam:ListGroups",
        "ce:*",
        "eks:*",
        "cloudformation:ValidateTemplate",
        "cur:DescribeReportDefinitions",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}
Trusted Entity:
This IAM policy allows a role (sts:AssumeRole) to be assumed by a principal from a specific AWS account (arn:aws:iam::<SourceAccountId>:role/<role_attached_to_morpheus_appliance_in_source_account>). Additionally, it requires that the assuming role provides a specific external ID (sts:ExternalId) during the role assumption, and the provided external ID must match <ExternalId_generated_while_creating_the_role_in_target_account>. This policy is often used when establishing trust between AWS accounts and enforcing an additional layer of security by requiring a specific external ID during role assumption. Ensure that you replace <SourceAccountId> with the actual AWS account ID of the source account, <role_attached_to_morpheus_appliance_in_source_account> with the name of the role attached to the Morpheus appliance in the source account, and <ExternalId_generated_while_creating_the_role_in_target_account> with the generated external ID used during the creation of the role in the target account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SourceAccountId>:role/<role_attached_to_morpheus_appliance_in_source_account>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<ExternalId_generated_while_creating_the_role_in_target_account>"
        }
      }
    }
  ]
}
Integrate the AWS cloud in Morpheus using the Role ARN of the <role_created_in_target_account> and External ID.
Thanks
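The two policies above use different condition operators for sts:ExternalId: the source account's permissions policy uses ForAnyValue:StringEqualsIfExists, while the target account's trust policy uses StringEquals. The trust policy in the target account is the point where the external ID is actually enforced, so it is worth seeing on concrete requests what each operator does when the external ID is missing or wrong. The following is an added example, not code from the post or from Morpheus: a small evaluator for this trust-policy pattern plus an audit helper that flags statements which do not hard-require sts:ExternalId with StringEquals. It implements only the IAM semantics needed here (StringEquals, the IfExists suffix meaning "a missing key satisfies the condition", and the ForAnyValue prefix treated as a no-op for this single-valued key, which is a simplification). The account ID, role name and external ID are constructed placeholders.

```python
"""Evaluator for the cross-account sts:AssumeRole trust-policy pattern.

Added example, not part of the original post. Implements just enough of the
IAM condition semantics (StringEquals / StringEqualsIfExists, ForAnyValue
prefix ignored for the single-valued sts:ExternalId key) to compare the two
operators used in the post on concrete requests. All identifiers below are
constructed placeholders.
"""
import copy

SOURCE_ACCOUNT_ID = "111111111111"                                  # constructed
SOURCE_ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT_ID}:role/MorpheusApplianceRole"
EXTERNAL_ID = "example-external-id-0001"                            # constructed

# Target-account trust policy with the same shape as the one in the post.
TRUST_POLICY_STRICT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": SOURCE_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Same trust policy, but with the weaker operator the source-side policy uses.
TRUST_POLICY_IFEXISTS = copy.deepcopy(TRUST_POLICY_STRICT)
TRUST_POLICY_IFEXISTS["Statement"][0]["Condition"] = {
    "ForAnyValue:StringEqualsIfExists": {"sts:ExternalId": EXTERNAL_ID}
}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def condition_matches(operator, key_values, request):
    """Evaluate one condition block (operator -> {key: expected}) against request keys."""
    op = operator.split(":")[-1]                 # strip ForAnyValue:/ForAllValues: prefix
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    if base != "StringEquals":
        raise ValueError(f"unsupported operator in this example: {operator}")
    for key, expected in key_values.items():
        if key not in request:
            if if_exists:
                continue                         # IfExists: absent key passes
            return False                         # plain StringEquals: absent key fails
        if request[key] not in _as_list(expected):
            return False
    return True


def assume_role_allowed(trust_policy, principal_arn, request_context):
    """True if some Allow statement permits principal_arn to call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if principal_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_matches(op, kv, request_context) for op, kv in conditions.items()):
            return True
    return False


def audit_trust_policy(trust_policy):
    """Flag statements whose sts:ExternalId check is missing or uses a weaker operator."""
    findings = []
    for index, stmt in enumerate(trust_policy["Statement"]):
        conditions = stmt.get("Condition", {})
        strict = any(op == "StringEquals" and "sts:ExternalId" in kv
                     for op, kv in conditions.items())
        if not strict:
            findings.append(f"Statement {index}: sts:ExternalId not enforced with StringEquals")
    return findings


if __name__ == "__main__":
    for label, policy in (("StringEquals", TRUST_POLICY_STRICT),
                          ("StringEqualsIfExists", TRUST_POLICY_IFEXISTS)):
        print(label,
              "with id:", assume_role_allowed(policy, SOURCE_ROLE_ARN, {"sts:ExternalId": EXTERNAL_ID}),
              "without id:", assume_role_allowed(policy, SOURCE_ROLE_ARN, {}),
              "findings:", audit_trust_policy(policy))
```

Running the script shows the practical difference: with StringEquals an AssumeRole call that omits the external ID is refused, while under StringEqualsIfExists the same call is allowed, so a trust policy written with the IfExists variant should be flagged during review and corrected to the StringEquals form the post uses for the target account.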