...

  1. Log in to the AWS account via the AWS Management Console

    Enter your 12-digit account ID, click Next, then enter your username and password to log in.

  2. Once you are logged in, you will land on the home page with a search bar at the top.

  3. In the search bar at the top, search for IAM and click the search result called IAM, as shown below.

  4. You will be redirected to the IAM dashboard

  5. Before creating a role, we will first create the policy that will be attached to the role. To do that, click Policies in the left-hand menu.

  6. Click on Create policy and click on the JSON tab

  7. If you only want Zilla to read IAM users (no IAM Identity Center/SSO), enter the following JSON snippet and click Next. Replace <YOUR_AWS_ACCOUNT_ID> with your 12-digit AWS account ID. Both statements are read-only; the second uses Resource "*" because iam:GetAccountAuthorizationDetails is an account-level action that does not support resource-level permissions.

    Code Block
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "iam:GetGroup",
                "Resource": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "iam:GetAccountAuthorizationDetails",
                "Resource": "*"
            }
        ]
    }

  8. For both IAM Identity Center (SSO) users and IAM users, enter the following instead and click Next. Replace <YOUR_AWS_ACCOUNT_ID> with your 12-digit AWS account ID. This policy is also read-only: it adds the permission-set, account-assignment and identity-store lookups that Zilla needs to resolve SSO users and groups.

    Code Block
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sso:ListAccountAssignments",
                    "sso:ListPermissionSetsProvisionedToAccount",
                    "sso:DescribePermissionSet",
                    "iam:GetGroup"
                ],
                "Resource": [
                    "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*",
                    "arn:aws:sso:::instance/*",
                    "arn:aws:sso:::permissionSet/*/*",
                    "arn:aws:sso:::account/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "identitystore:DescribeUser",
                    "identitystore:DescribeGroup",
                    "iam:GetAccountAuthorizationDetails"
                ],
                "Resource": "*"
            }
        ]
    }
  9. Optionally add tags and click next.

  10. On the review page, enter the name (Zilla-IAM-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy, then click Create policy.

  11. You will see a success message like this

  12. To confirm that the policy is present, search for it in the policy search bar. You will see your newly added policy in the list.

  13. Click the policy Zilla-IAM-Reader-Policy to double-check the assigned permissions.

    Click the JSON tab to double-check the policy JSON. (Account ID redacted from screenshot.)

  14. Now that you have created the desired policy, the next step is to create a cross-account role. Click Roles in the left-hand menu to begin.

  15. Click the Create role button to create a new IAM role. The first step is to select the type of trusted entity: choose Another AWS account, enter Zilla's 12-digit account ID (087210011007), then click Next. This generates a trust policy whose only principal is arn:aws:iam::087210011007:root and whose only action is sts:AssumeRole.

  16. On the permissions page, search for the policy we created, Zilla-IAM-Reader-Policy, and select its checkbox. Then click Next.

  17. Optionally add tags. Click next.

  18. On the review page, enter the role name Zilla-IAM-Reader-Role and optionally add a description. Check that the trusted entity account ID matches Zilla's account ID (087210011007) and that the attached policy is Zilla-IAM-Reader-Policy, then click Create role.


    Once the role is created, you can search for it on the roles tab and click on the role to check its details

  19. On the role details page, double-check that the policy under Permissions is Zilla-IAM-Reader-Policy and that the trust relationship lists only Zilla's account ID (087210011007) as the trusted entity, with sts:AssumeRole as the only allowed action. Any other principal (another account, "*", a service) means the role can be assumed by someone other than Zilla and should be corrected before continuing.

  20. Once everything looks good, copy the role ARN, for example arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role. You will need it later when you add the AWS application in Zilla.
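    The following Python script is an added example, not Zilla's or AWS's own tooling. It generates the two policy documents from steps 7 and 8 and the trust policy the console writes in step 15, then performs the checks from steps 13 and 19 in code so they can be re-run later: every action is read-only, Resource "*" appears only where the procedure's own policy uses it, and the only principal allowed to call sts:AssumeRole is Zilla's account. The 123456789012 account ID, the deliberately widened trust policy and the create_in_aws helper (which assumes boto3 and credentials for the target account) are illustrative assumptions, not part of the page.

```python
import json

ZILLA_ACCOUNT_ID = "087210011007"            # Zilla's AWS account ID, from the procedure
POLICY_NAME = "Zilla-IAM-Reader-Policy"
ROLE_NAME = "Zilla-IAM-Reader-Role"

# Actions the procedure's own policies grant on Resource "*"; any other action
# carrying "*" is broader than what the page asks for and gets flagged.
WILDCARD_ONLY_ACTIONS = {
    "iam:GetAccountAuthorizationDetails",
    "identitystore:DescribeUser",
    "identitystore:DescribeGroup",
}
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def reader_policy(account_id, include_sso=True):
    """Permissions policy from step 7 (IAM users only) or step 8 (IAM + Identity Center)."""
    group_arn = f"arn:aws:iam::{account_id}:group/*"
    if not include_sso:
        statements = [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": "iam:GetGroup", "Resource": group_arn},
            {"Sid": "VisualEditor1", "Effect": "Allow",
             "Action": "iam:GetAccountAuthorizationDetails", "Resource": "*"},
        ]
    else:
        statements = [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": ["sso:ListAccountAssignments", "sso:ListPermissionSetsProvisionedToAccount",
                        "sso:DescribePermissionSet", "iam:GetGroup"],
             "Resource": [group_arn, "arn:aws:sso:::instance/*",
                          "arn:aws:sso:::permissionSet/*/*", "arn:aws:sso:::account/*"]},
            {"Sid": "VisualEditor1", "Effect": "Allow",
             "Action": ["identitystore:DescribeUser", "identitystore:DescribeGroup",
                        "iam:GetAccountAuthorizationDetails"],
             "Resource": "*"},
        ]
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(trusted_account_id):
    """Trust policy the console generates for 'Another AWS account' (step 15)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }]}


def check_trust_policy(doc, expected_account_id):
    """Step 19 check: only expected_account_id may assume the role, and only via sts:AssumeRole.
    Returns a list of findings; an empty list means the trust relationship is as expected."""
    allowed = {expected_account_id, f"arn:aws:iam::{expected_account_id}:root"}
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) - {"AWS"}:
            findings.append(f"unexpected principal: {principal!r}")   # "*", Service, Federated
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p not in allowed:
                findings.append(f"principal {p!r} is not account {expected_account_id}")
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"trust policy allows {action!r}, expected only sts:AssumeRole")
    return findings


def check_permissions_policy(doc):
    """Step 13 check: every action is read-only and "*" is used only where the page does."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        for action in _as_list(st.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES):
                findings.append(f"{action} is not a read-only action")
            if "*" in resources and action not in WILDCARD_ONLY_ACTIONS:
                findings.append(f"{action} is granted on Resource '*'")
    return findings


def create_in_aws(account_id, include_sso=True):
    """Steps 6-18 via the API; assumes boto3 and credentials for the target account."""
    import boto3  # imported here so the offline checks above run without it
    iam = boto3.client("iam")
    policy = iam.create_policy(PolicyName=POLICY_NAME,
                               PolicyDocument=json.dumps(reader_policy(account_id, include_sso)))
    iam.create_role(RoleName=ROLE_NAME,
                    AssumeRolePolicyDocument=json.dumps(trust_policy(ZILLA_ACCOUNT_ID)))
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=policy["Policy"]["Arn"])
    role = iam.get_role(RoleName=ROLE_NAME)["Role"]   # boto3 returns the trust document as a dict
    return role["Arn"], check_trust_policy(role["AssumeRolePolicyDocument"], ZILLA_ACCOUNT_ID)


if __name__ == "__main__":
    account = "123456789012"                                    # placeholder account ID
    print("permissions findings:", check_permissions_policy(reader_policy(account)))
    print("trust findings:", check_trust_policy(trust_policy(ZILLA_ACCOUNT_ID), ZILLA_ACCOUNT_ID))
    drifted = trust_policy(ZILLA_ACCOUNT_ID)                   # constructed drift: any AWS principal
    drifted["Statement"][0]["Principal"] = {"AWS": "*"}
    print("drifted trust findings:", check_trust_policy(drifted, ZILLA_ACCOUNT_ID))
```

    The two check functions accept the same dict that `aws iam get-role` / `aws iam get-policy-version` return, so they can be run against the live role as part of a periodic review; the trust check deliberately rejects anything beyond a single account principal and sts:AssumeRole, because any extra principal or action widens who can read your account's IAM inventory.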

...