# IAM Role Cross-Account

## Overview
This Terraform module provisions an IAM Role for secure cross-account access, enabling controlled delegation of AWS permissions to a trusted external account.
## Key Features
- Allows IAM role assumption from a specified AWS account
- Supports attachment of one or more managed policy ARNs
- Includes tagging for environment and organizational traceability
- Follows least-privilege principles to minimize attack surface
## Use Cases
- Grant read-only or audit access to a centralized security team
- Allow CI/CD pipelines in one account to deploy infrastructure in another
- Enable external teams or managed services to operate within specific boundaries
- Support shared services models or compliance architectures
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region for deployment |
| role_name | string | Name of the IAM role |
| trusted_account_id | string | AWS Account ID allowed to assume the role |
| attached_policy_arns | list(string) | List of IAM managed policy ARNs to attach to the role |
| environment | string | Environment tag (e.g., dev, staging, prod) |
## Outputs
| Name | Description |
|---|---|
| role_name | Name of the created IAM role |
| role_arn | ARN of the IAM role for cross-account access |
## Deployment Readiness

- Compatible with Terraform 1.0+
- Requires AWS Provider 5.x+
- Requires `iam:CreateRole`, `iam:PutRolePolicy`, and `iam:AttachRolePolicy` permissions in the account where the role is created

## Example Usage
```hcl
module "iam_role_crossaccount_deployment" {
  source = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//identity/iam-role-crossaccount?ref=v1.0.0"

  region             = "us-east-1"
  role_name          = "crossaccount-auditor"
  trusted_account_id = "123456789012"
  attached_policy_arns = [
    "arn:aws:iam::aws:policy/SecurityAudit"
  ]
  environment = "production"
}
```

```sh
terraform init
terraform plan
terraform apply
```

or

```sh
tofu init
tofu plan
tofu apply
```
## Cleanup

Terraform Destroy:

```sh
terraform destroy
```

or

```sh
tofu destroy
```

Manual Deletion (for Production):

```sh
aws iam delete-role --role-name crossaccount-auditor
```

`delete-role` fails with a `DeleteConflict` error while managed policies are still attached to the role; detach each attached policy with `aws iam detach-role-policy` before running it.
## Notes

This is a Level 1 identity module built for controlled cross-account delegation.
Ensure the trusted account has appropriate `sts:AssumeRole` permissions.
Review and rotate trust policies periodically for security assurance.
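As an added example (not code from this module), the trust policy a role with `trusted_account_id` relies on, and a check for the periodic review recommended above: it flags any Allow statement that lets principals outside the expected account assume the role. It assumes the module's trust policy grants `sts:AssumeRole` to the trusted account's root principal (the standard cross-account form); function names and the drifted policy are constructed for illustration.

```python
import json

def build_trust_policy(trusted_account_id: str) -> dict:
    """Trust policy that lets principals in exactly one AWS account assume the role."""
    if not (trusted_account_id.isdigit() and len(trusted_account_id) == 12):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def _account_of(principal: str) -> str:
    # "arn:aws:iam::123456789012:root" -> "123456789012"; a bare account ID is returned as-is
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return one finding per principal that is broader than the expected account."""
    findings = []
    stmts = policy.get("Statement", [])
    for stmt in (stmts if isinstance(stmts, list) else [stmts]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("wildcard principal: any AWS account may assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unrecognised principal {principal!r}")
            continue
        for kind, value in principal.items():
            if kind != "AWS":  # Service/Federated principals are out of scope for a cross-account role
                findings.append(f"non-account principal type {kind!r}")
                continue
            for arn in ([value] if isinstance(value, str) else value):
                if arn == "*" or _account_of(arn) != expected_account_id:
                    findings.append(f"unexpected principal {arn}")
    return findings

# Constructed example of a trust policy that has drifted from the module's intent
DRIFTED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:user/contractor", "*"]},
     "Action": "sts:AssumeRole"}
  ]
}""")
```

Running `audit_trust_policy(DRIFTED_TRUST_POLICY, "123456789012")` reports both the foreign user ARN and the wildcard; the policy returned by `build_trust_policy` audits clean.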
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier.
To access the full deployment package and source code, subscribe to Archiphire.