Template for Zilla-SSO-Reader-Role

Save the template below in a file with the extension .yml, for example zilla-sso-reader-role-template.yml. The role it creates is read-only: the AWS-managed AWSSSOReadOnly policy covers permission sets and SSO configuration, and the inline policy covers the Identity Store (users, groups, memberships). The trust policy restricts who may assume the role to the Zilla AWS account, and only when the caller presents the agreed ExternalId.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Zilla SSO Reader Role to sync SSO users, groups and permission sets'
Parameters:
  ZillaSSOReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-SSO-Reader-Role)'
    # IAM role names are limited to 64 characters; the pattern must not match an empty string.
    AllowedPattern: '[-_a-zA-Z0-9]+'
    MaxLength: '64'
    Default: Zilla-SSO-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide the ExternalID issued by Zilla (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-_
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    AllowedPattern: '[0-9]{12}'
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    # Keep the role if the stack is deleted, so Zilla's sync does not break silently.
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaSSOReaderRoleName
      Description: 'IAM Role to allow Zilla to read SSO Users, Groups and Permission Sets.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSSSOReadOnly'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Only the Zilla account may assume this role, and only when it
              # presents the ExternalId below (confused-deputy protection).
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
      Policies:
        - PolicyName: zilla-sso-reader-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only access to the Identity Store (users, groups, memberships).
              - Effect: Allow
                Resource: '*'
                Action:
                  - 'identitystore:Describe*'
                  - 'identitystore:List*'
    Metadata:
      'AWS::CloudFormation::Designer':
        id: a1259fc6-a6fe-4e2d-af45-7299bdcf7bc8
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaSSOReaderRoleName
          - ZillaExternalID
          - ZillaAccountId
Outputs:
  ZillaSSOReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla SSO Reader Role ARN


Create stack for Zilla-SSO-Reader-Role in Management Account

  1. Sign in to the AWS console of the management account, go to CloudFormation and choose Create stack.

  2. Select "Template is ready" and upload the Zilla-SSO-Reader-Role template (.yml file) from your local machine.

  3. Give the stack a name and fill in the parameter values. Use the ExternalID issued by Zilla for your tenant rather than the template default: an external ID only protects against the confused-deputy problem when it is unique to you and not guessable, and it must match exactly the value Zilla presents in its sts:AssumeRole call. Leave ZillaAccountId at its default.

  4. Review the details, acknowledge that CloudFormation may create IAM resources with custom names (required because the template sets RoleName), and create the stack. The ZillaSSOReaderRoleARN output is the value to hand to Zilla.
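The same procedure with the AWS CLI, including the two checks a practitioner would want before and after deployment, as an added example that is not part of the original page or of Zilla's own tooling. It assumes the template is saved as zilla-sso-reader-role-template.yml in the current directory, that AWS CLI v2 and jq are installed, and that the current credentials belong to the management account; the stack name zilla-sso-reader-role, the script name, and the 8-character minimum for the ExternalID are assumptions of this example, not requirements stated by the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): deploy the Zilla-SSO-Reader-Role
# template with the AWS CLI and verify the resulting trust policy.
# Assumptions: template file in the current directory, AWS CLI v2 + jq present,
# credentials for the management account. Stack name and minimum ExternalID
# length are hypothetical choices of this example.
set -u

TEMPLATE_FILE="${TEMPLATE_FILE:-zilla-sso-reader-role-template.yml}"
STACK_NAME="${STACK_NAME:-zilla-sso-reader-role}"
ROLE_NAME="${ROLE_NAME:-Zilla-SSO-Reader-Role}"
ZILLA_ACCOUNT_ID="087210011007"   # the template's ZillaAccountId default

# Reject weak external IDs before anything is created. The template default
# (zillasecurity.com) is public and guessable, so it gives no confused-deputy
# protection; the value must be the one Zilla issued for your tenant.
# Returns 0 if the value is acceptable, 1 otherwise.
check_external_id() {
  ext_id="$1"
  case "$ext_id" in
    "" | zillasecurity.com) return 1 ;;
  esac
  # Same character set as the template's AllowedPattern.
  printf '%s' "$ext_id" | grep -Eq '^[a-zA-Z0-9=,.@:/_-]+$' || return 1
  # Assumed minimum length for this example.
  [ "${#ext_id}" -ge 8 ] || return 1
  return 0
}

# Verify that a trust policy document (JSON) pins both the Zilla account and
# the expected ExternalId on every statement. Returns 0 on success.
check_trust_policy() {
  policy_json="$1"
  expected_ext_id="$2"
  printf '%s' "$policy_json" | jq -e \
    --arg acct "arn:aws:iam::${ZILLA_ACCOUNT_ID}:root" \
    --arg ext "$expected_ext_id" \
    '.Statement | all(
       .Effect == "Allow"
       and .Principal.AWS == $acct
       and .Condition.StringEquals["sts:ExternalId"] == $ext)' >/dev/null
}

deploy_role() {
  ext_id="$1"
  check_external_id "$ext_id" || {
    echo "refusing to deploy with a weak or default ExternalID" >&2; return 1; }

  # CAPABILITY_NAMED_IAM is required because the template sets RoleName.
  aws cloudformation deploy \
    --stack-name "$STACK_NAME" \
    --template-file "$TEMPLATE_FILE" \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameter-overrides \
      "ZillaSSOReaderRoleName=$ROLE_NAME" \
      "ZillaExternalID=$ext_id" || return 1

  # Read back the deployed trust policy and check it is what we intended.
  trust_policy="$(aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.AssumeRolePolicyDocument' --output json)"
  check_trust_policy "$trust_policy" "$ext_id" || {
    echo "deployed trust policy does not match expectations" >&2; return 1; }

  # Print the role ARN that has to be handed to Zilla.
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query "Stacks[0].Outputs[?OutputKey=='ZillaSSOReaderRoleARN'].OutputValue" \
    --output text
}

# Usage: ./deploy-zilla-role.sh deploy <ExternalID>
if [ "${1:-}" = "deploy" ]; then
  deploy_role "${2:-}"
fi
```

The post-deploy check matters because a stack update that loosens the trust policy (for example, removing the ExternalId condition) would let any principal in the Zilla account, or anyone who can get that account to act on their behalf, assume the role; reading the policy back with get-role catches that on every run.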