awslabs / aws-deployment-framework

The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and deploy resources across multiple AWS accounts and regions based on AWS Organizations.
Apache License 2.0

Document trust policy and permissions for the cross-account-access Role #340

Closed benbridts closed 4 months ago

benbridts commented 3 years ago

We already have a process to provision accounts, and are going to use a separate role dedicated to ADF for the bootstrap provisioning.

It would be great if the documentation would mention:

From a quick look at the code, it seems that some of the required permissions are:

For "generic accounts":

For the deployment account:

For the management account:

It might also be possible to move some things around / work with tags so that names are more predictable, and this becomes easier to write (e.g. putting all Parameters under /adf/).
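A worked illustration of the kind of trust-policy and permissions documentation this issue asks for, added here as an example; it is not part of the thread and not ADF's own code. It builds a trust policy for a dedicated bootstrap role that only named accounts inside the Organization may assume, a permissions policy scoped to the `/adf/` parameter path suggested above, and a small linter that flags the trust-policy shapes a reviewer would reject (wildcard principal, account `:root` principal, no `Condition`). The role name `adf-bootstrap`, the account IDs and the Organization ID are constructed placeholders, not values from ADF or this thread.

```python
"""Trust/permissions policy helpers for a hypothetical dedicated ADF bootstrap role.

Added example, not ADF project code. Account IDs, org ID and role name below
are constructed placeholders.
"""
import json

MANAGEMENT_ACCOUNT = "111111111111"   # placeholder
DEPLOYMENT_ACCOUNT = "222222222222"   # placeholder
ORG_ID = "o-exampleorgid"             # placeholder Organization ID


def build_trust_policy(trusted_accounts, role_name="adf-bootstrap", org_id=ORG_ID):
    """Trust policy: only the named role in each trusted account may assume this
    role, and only if the caller belongs to the Organization (aws:PrincipalOrgID)."""
    principals = [f"arn:aws:iam::{acct}:role/{role_name}" for acct in trusted_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def build_parameter_policy(region="*", account="*"):
    """Permissions policy limited to SSM parameters under the /adf/ path.
    The SSM ARN drops the parameter's leading slash: parameter/adf/<name>."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AdfParametersOnly",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath",
                "ssm:PutParameter",
            ],
            "Resource": f"arn:aws:ssm:{region}:{account}:parameter/adf/*",
        }],
    }


def lint_trust_policy(policy):
    """Return findings for over-broad AssumeRole trust; an empty list is clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.startswith("sts:AssumeRole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if principal == "*" or "*" in aws:
            findings.append("wildcard principal may assume the role")
        for p in aws:
            if p.startswith("arn:aws:iam::") and p.endswith(":root"):
                findings.append(f"account root principal {p}: any identity in that account can assume")
        if "Condition" not in stmt:
            findings.append("no Condition (e.g. aws:PrincipalOrgID) restricting who can assume")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy([MANAGEMENT_ACCOUNT, DEPLOYMENT_ACCOUNT])
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_parameter_policy(), indent=2))
    print("findings:", lint_trust_policy(trust))
```

Run the linter against the trust policy actually attached to the cross-account role in a target account (for example the output of `aws iam get-role`) to confirm it names specific principals and carries an Organization condition before documenting it.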

sbkok commented 4 months ago

Thank you for your patience. I am pleased to inform you that this issue has been resolved in our latest release v4.0.0 just now. v4.0.0 changed the permissions used by ADF significantly. Please take a look at the release notes to learn more. I'm hereby closing this issue. Please open a new issue if you are experiencing any issues with the latest release. Or reopen if you think this needs to be addressed differently.