...
Code Block |
---|
AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla SSO Reader Role to sync SSO users, groups and permission sets'
Parameters:
ZillaSSOReaderRoleName:
Type: String
Description: 'Provide a role name (Example: Zilla-SSO-Reader-Role)'
AllowedPattern: '[-_a-zA-Z0-9]*'
Default: Zilla-SSO-Reader-Role
ZillaExternalID:
Type: String
Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
MinLength: '1'
AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
Default: zillasecurity.com
ConstraintDescription: >-
ExternalID must contain alphanumeric characters and only these special
characters are allowed =,.@:/-.
ZillaAccountId:
Description: >-
Zilla AWS account ID that is allowed to assume this IAM role. Avoid
changing!
Type: String
#region specific default value for account ID: US/087210011007, EU/319105906071, ANZ/868976368166
Default: '087210011007'
Resources:
ZillaIAMRole:
Type: 'AWS::IAM::Role'
DeletionPolicy: 'Retain'
Properties:
RoleName: !Ref ZillaSSOReaderRoleName
Description: 'IAM Role to allow Zilla to read SSO Users, Groups and Permission Sets.'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AWSSSOReadOnly'
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS: !Sub
- 'arn:aws:iam::${ZillaAccountId}:root'
- ZillaAWSAccountId: !Ref ZillaAccountId
Action:
- 'sts:AssumeRole'
Condition:
StringEquals:
'sts:ExternalId': !Ref ZillaExternalID
Policies:
- PolicyName: zilla-sso-reader-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: '*'
Action:
- identitystore:Describe*
- identitystore:List*
Metadata:
'AWS::CloudFormation::Designer':
id: a1259fc6-a6fe-4e2d-af45-7299bdcf7bc8
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: Zilla Account Information
Parameters:
- ZillaSSOReaderRoleName
- ZillaExternalID
Outputs:
ZillaSSOReaderRoleARN:
Value: !GetAtt ZillaIAMRole.Arn
Description: Zilla SSO Reader Role ARN
|
...
Create stack for Zilla-SSO-Reader-Role in Management Account
Go to CloudFormation stack and click
Create stack
.Select
Template is ready
and upload the Zilla-SSO-Reader-Role template in the .yml file from local.Give a name to the stack and add the parameter values.
ZillaSSOReaderRoleName
should beZilla-SSO-Reader-Role
.ZillaExternalID
should be your company domain name. For example: If your company’s domain name isexample.com
, then enter the value asexample.com
.ZillaAccountId
should be region specific Zilla’s Account ID:US region Account ID: 087210011007
EU region Account ID: 319105906071
Australia/New Zealand region Account ID: 868976368166
Click
...
Next
.Click
Next
on Configuration stack options page.Review the details and click
Create stack
.Check the status of the stack. Go to the Events tab. Wait for the Status to become
CREATE_COMPLETE
.Go to the IAM console. On Roles page search for
Zilla-SSO-Reader-Role
. Copy the Role ARN for configuration in sync settings.