nginx-asg-sync
Cross account ASG access
Hi - as you would be aware, it is simple to specify an account when using the aws cli.
I would like to be able to configure the account as a variable, as you have allowed for with the region. So in the IAM role that is assigned to the instance I can allow access to the EC2 ASG in the specified account to read and update the upstream with the IPs of the ASG in the account specified.
Is this something you could add fairly easily?
I have just tested this. An easy way to implement this would be to allow specifying an optional aws cli profile name under each upstream. This would then require the following:
- The user running the service (is it root or nginx?) - requires ~/.aws/config file with the following entry:
    [profile someProfileName]
    role_arn = arn:aws:iam::123456789012:role/marketingadminrole
    credential_source = Ec2InstanceMetadata
- Update to the instance IAM role to allow assume role access to the role specified in the profile above
- Update the trust policy for the role in the other account to allow the nginx IAM role to assume it
- Your code would then have to be updated to allow specifying the profile to use, so when running the ec2 or autoscaling commands it would be listing the ec2 instances from the other account
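Added example, not part of this thread or of the nginx-asg-sync project: a small Go program that walks the four steps above from the defender's side. It parses a ~/.aws/config in the format the comment shows, finds the named profile, checks that credential_source is Ec2InstanceMetadata and that role_arn points at a different account than the instance role, and then emits the three IAM documents the setup needs, each scoped to exactly one role: the AssumeRole grant for the instance role, the trust policy for the role in the other account, and the read-only Describe permissions that role needs. The sample config is constructed (its profile entry is the one from the comment), the instance role ARN is a placeholder, and the two Describe actions are assumed from the comment's "ec2 or autoscaling commands".

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample ~/.aws/config for the service user; the profile entry mirrors the issue's.
const sampleAwsConfig = `
[default]
region = us-east-1

[profile someProfileName]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata
`

// Placeholder (constructed) ARN of the IAM role attached to the NGINX instance.
const instanceRoleARN = "arn:aws:iam::111111111111:role/nginx-asg-sync-instance-role"

// AwsProfile carries the two keys of a [profile ...] section that matter for role chaining.
type AwsProfile struct {
	Name, RoleARN, CredentialSource string
}

var roleARNRe = regexp.MustCompile(`^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$`)

// parseAwsConfig is a minimal INI reader for the ~/.aws/config format:
// "[profile name]" or "[default]" headers, "key = value" lines, '#'/';' comment lines.
func parseAwsConfig(text string) map[string]AwsProfile {
	profiles := map[string]AwsProfile{}
	var cur *AwsProfile
	flush := func() {
		if cur != nil {
			profiles[cur.Name] = *cur
		}
	}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue
		case line[0] == '[' && strings.HasSuffix(line, "]"):
			flush()
			name := strings.TrimSpace(line[1 : len(line)-1])
			cur = &AwsProfile{Name: strings.TrimSpace(strings.TrimPrefix(name, "profile "))}
		case cur != nil:
			if k, v, ok := strings.Cut(line, "="); ok {
				switch strings.TrimSpace(k) {
				case "role_arn":
					cur.RoleARN = strings.TrimSpace(v)
				case "credential_source":
					cur.CredentialSource = strings.TrimSpace(v)
				}
			}
		}
	}
	flush()
	return profiles
}

// accountOf extracts the 12-digit account id from an IAM role ARN.
func accountOf(arn string) (string, error) {
	m := roleARNRe.FindStringSubmatch(arn)
	if m == nil {
		return "", fmt.Errorf("not an IAM role ARN: %q", arn)
	}
	return m[1], nil
}

// checkCrossAccountProfile verifies the profile is wired as the issue describes: credentials
// come from the instance metadata role, role_arn is well formed, and it is in another account.
func checkCrossAccountProfile(p AwsProfile, instanceRole string) error {
	if p.CredentialSource != "Ec2InstanceMetadata" {
		return fmt.Errorf("profile %s: credential_source must be Ec2InstanceMetadata, got %q", p.Name, p.CredentialSource)
	}
	target, err := accountOf(p.RoleARN)
	if err != nil {
		return err
	}
	src, err := accountOf(instanceRole)
	if err != nil {
		return err
	}
	if src == target {
		return errors.New("role_arn is in the instance's own account; expected a cross-account role")
	}
	return nil
}

// Statement and Policy model the subset of IAM policy JSON used here.
type Statement struct {
	Effect    string            `json:"Effect"`
	Principal map[string]string `json:"Principal,omitempty"`
	Action    []string          `json:"Action"`
	Resource  string            `json:"Resource,omitempty"`
}
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// instanceRolePolicy: inline policy for the instance role, allowing AssumeRole on one target role only.
func instanceRolePolicy(targetRole string) Policy {
	return Policy{Version: "2012-10-17", Statement: []Statement{{Effect: "Allow", Action: []string{"sts:AssumeRole"}, Resource: targetRole}}}
}

// trustPolicy: trust relationship on the target role, naming only the instance role as principal.
func trustPolicy(instanceRole string) Policy {
	return Policy{Version: "2012-10-17", Statement: []Statement{{Effect: "Allow", Principal: map[string]string{"AWS": instanceRole}, Action: []string{"sts:AssumeRole"}}}}
}

// targetRolePolicy: read-only permissions the target role needs to list the ASG's instances
// (actions assumed from the comment; these Describe calls take no resource-level restriction).
func targetRolePolicy() Policy {
	return Policy{Version: "2012-10-17", Statement: []Statement{{Effect: "Allow", Action: []string{"autoscaling:DescribeAutoScalingGroups", "ec2:DescribeInstances"}, Resource: "*"}}}
}

func toJSON(p Policy) string {
	b, _ := json.MarshalIndent(p, "", "  ")
	return string(b)
}

func main() {
	p := parseAwsConfig(sampleAwsConfig)["someProfileName"]
	if err := checkCrossAccountProfile(p, instanceRoleARN); err != nil {
		fmt.Println("config problem:", err)
		return
	}
	fmt.Println("instance role inline policy:\n" + toJSON(instanceRolePolicy(p.RoleARN)))
	fmt.Println("target role trust policy:\n" + toJSON(trustPolicy(instanceRoleARN)))
	fmt.Println("target role permissions:\n" + toJSON(targetRolePolicy()))
}
```

The check fails closed on the two misconfigurations that matter most here: a profile that reads static keys instead of the instance metadata role, and a role_arn that does not actually cross an account boundary. Both generated policies name a single role ARN rather than a wildcard, so the instance can assume only the one role and the target role trusts only the one instance role.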
Any updates on this at all?
Hey @mightymouse2045 we looked at this issue and would like to know if you'll be interested in creating a PR with documentation?
@mightymouse2045 I opened a PR for this #730, would you be able to test it?