Template for Zilla-SSO-Reader-Role
Save the template below in a file with the extension .yml, for example zilla-sso-reader-role-template.yml.
Before you deploy it, note what the template grants. The trust policy lets principals in the Zilla AWS account (parameter ZillaAccountId, default 087210011007) assume the role only when they present the sts:ExternalId value you set in ZillaExternalID, so replace that parameter's default (zillasecurity.com) with a unique, non-guessable value rather than deploying it as-is. The role's permissions are read-only: the AWSSSOReadOnly managed policy plus an inline policy limited to identitystore:Describe* and identitystore:List*. Because the template sets RoleName explicitly, CloudFormation will ask you to acknowledge the creation of IAM resources with custom names.
AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla SSO Reader Role to sync SSO users, groups and permission sets'
Parameters:
  ZillaSSOReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-SSO-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-SSO-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaSSOReaderRoleName
      Description: 'IAM Role to allow Zilla to read SSO Users, Groups and Permission Sets.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSSSOReadOnly'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
      Policies:
        - PolicyName: zilla-sso-reader-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                  - identitystore:Describe*
                  - identitystore:List*
    Metadata:
      'AWS::CloudFormation::Designer':
        id: a1259fc6-a6fe-4e2d-af45-7299bdcf7bc8
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaSSOReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaSSOReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla SSO Reader Role ARN
Create stack for Zilla-SSO-Reader-Role in Management Account
In the AWS CloudFormation console of the management account, open Stacks and choose Create stack.
Select Template is ready, choose Upload a template file, and upload the Zilla-SSO-Reader-Role .yml file from your machine.
Give the stack a name and fill in the parameter values: the role name and the ExternalID agreed with Zilla (do not leave the ExternalID at its default).
Review the details, acknowledge that CloudFormation may create IAM resources with custom names, and create the stack.
Once the stack reaches CREATE_COMPLETE, the role ARN to hand to Zilla is listed under the stack's Outputs as ZillaSSOReaderRoleARN.
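The same procedure driven from code, as an added example that is not Zilla's tooling and not part of the original page: it validates the two parameters against the template's own AllowedPattern rules, creates the stack through the CloudFormation API with the CAPABILITY_NAMED_IAM capability the console checkbox stands for, and afterwards verifies that the trust policy of the created role is exactly what the template intends (single principal, sts:AssumeRole only, ExternalId condition present). It assumes boto3 is installed, that the active credentials belong to the management account, and that the template is saved as zilla-sso-reader-role-template.yml; the stack name and ExternalId values are illustrative. The verification functions run offline on a constructed sample trust policy.

```python
"""Added example (not Zilla's own tooling): console steps as an API call,
plus a post-deployment check of the created role's trust policy.
Assumptions not taken from the page: boto3 is installed, credentials belong
to the management account, template saved as zilla-sso-reader-role-template.yml."""
import re

ZILLA_ACCOUNT_ID = "087210011007"          # ZillaAccountId default in the template
DEFAULT_EXTERNAL_ID = "zillasecurity.com"  # ZillaExternalID default in the template

# The template's AllowedPattern values, applied locally so a bad value fails
# before CreateStack is called. The 64-char cap is IAM's role-name limit.
ROLE_NAME_RE = re.compile(r"^[-_a-zA-Z0-9]{1,64}$")
EXTERNAL_ID_RE = re.compile(r"^[a-zA-Z0-9=,.@:/_-]+$")


def validate_parameters(role_name, external_id):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    if not ROLE_NAME_RE.match(role_name):
        problems.append("role name: only [-_a-zA-Z0-9], 1 to 64 characters")
    if not EXTERNAL_ID_RE.match(external_id):
        problems.append("ExternalId: only alphanumerics and =,.@:/-_ allowed")
    # The ExternalId is the confused-deputy guard on this cross-account role;
    # the template's guessable default defeats that purpose.
    if external_id == DEFAULT_EXTERNAL_ID:
        problems.append("ExternalId: replace the template default with a unique value")
    return problems


def verify_trust_policy(doc, external_id, account_id=ZILLA_ACCOUNT_ID):
    """Check an AssumeRolePolicyDocument dict (the form iam.get_role returns)
    against what the template renders. Returns a list of findings."""
    expected_principal = f"arn:aws:iam::{account_id}:root"
    statements = doc.get("Statement") or []
    findings = [] if statements else ["trust policy has no statements"]
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if st.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect is {st.get('Effect')!r}")
        if aws != [expected_principal]:
            findings.append(f"statement {i}: principal {aws!r}, expected {expected_principal}")
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: actions {actions!r}, expected sts:AssumeRole only")
        if ext != external_id:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings


def create_stack(stack_name, role_name, external_id,
                 template_path="zilla-sso-reader-role-template.yml"):
    """Create the stack and return the ZillaSSOReaderRoleARN output.
    CAPABILITY_NAMED_IAM is required because the template sets RoleName."""
    import boto3  # imported here so the offline checks above need no AWS access
    problems = validate_parameters(role_name, external_id)
    if problems:
        raise ValueError("; ".join(problems))
    with open(template_path, encoding="utf-8") as fh:
        body = fh.read()
    cfn = boto3.client("cloudformation")
    cfn.create_stack(
        StackName=stack_name,
        TemplateBody=body,
        Parameters=[
            {"ParameterKey": "ZillaSSOReaderRoleName", "ParameterValue": role_name},
            {"ParameterKey": "ZillaExternalID", "ParameterValue": external_id},
        ],
        Capabilities=["CAPABILITY_NAMED_IAM"],
    )
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    outputs = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["Outputs"]
    return next(o["OutputValue"] for o in outputs if o["OutputKey"] == "ZillaSSOReaderRoleARN")


def check_deployed_role(role_name, external_id):
    """Fetch the live trust policy of the created role and verify it."""
    import boto3
    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return verify_trust_policy(role["AssumeRolePolicyDocument"], external_id)


# Constructed sample: the trust policy the template renders for
# ZillaExternalID=Xoih821ddwf (the example value from the parameter description).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::087210011007:root"},
        "Action": ["sts:AssumeRole"],
        "Condition": {"StringEquals": {"sts:ExternalId": "Xoih821ddwf"}},
    }],
}

if __name__ == "__main__":
    print(validate_parameters("Zilla-SSO-Reader-Role", DEFAULT_EXTERNAL_ID))
    print(verify_trust_policy(SAMPLE_TRUST_POLICY, "Xoih821ddwf"))
    # Live run against AWS (needs management-account credentials):
    # arn = create_stack("zilla-sso-reader-role", "Zilla-SSO-Reader-Role", "Xoih821ddwf")
    # print(arn, check_deployed_role("Zilla-SSO-Reader-Role", "Xoih821ddwf"))
```

Run check_deployed_role after the stack reaches CREATE_COMPLETE; an empty list means the trust relationship matches the template. Anything else (a second principal, a missing sts:ExternalId condition, an extra action) indicates the role was altered after creation or a different template was deployed, and the role should not be handed to Zilla until it is corrected.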