Template for Zilla-SSO-Reader-Role
Save the template below in a file with the extension .yml, for example zilla-sso-reader-role-template.yml.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla SSO Reader Role to sync SSO users, groups and permission sets'
Parameters:
  ZillaSSOReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-SSO-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-SSO-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaSSOReaderRoleName
      Description: 'IAM Role to allow Zilla to read SSO Users, Groups and Permission Sets.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSSSOReadOnly'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub
                - 'arn:aws:iam::${ZillaAccountId}:root'
                - ZillaAWSAccountId: !Ref ZillaAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
      Policies:
        - PolicyName: zilla-sso-reader-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                  - identitystore:Describe*
                  - identitystore:List*
    Metadata:
      'AWS::CloudFormation::Designer':
        id: a1259fc6-a6fe-4e2d-af45-7299bdcf7bc8
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaSSOReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaSSOReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla SSO Reader Role ARN
```
Create stack for Zilla-SSO-Reader-Role in Management Account
Go to CloudFormation, open Stacks and choose Create stack.
Select Template is ready and upload the Zilla-SSO-Reader-Role template .yml file from your local machine. Give the stack a name and enter the parameter values:
ZillaSSOReaderRoleName should be Zilla-SSO-Reader-Role.
ZillaExternalID should be your company's domain name. For example, if your company's domain name is example.com, enter the value example.com.
ZillaAccountId should be 087210011007.
Click Next. Click Next again on the Configure stack options page. Review the details and create the stack.
Check the status of the stack on the Events tab. Wait for the Status to become CREATE_COMPLETE.
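The same stack creation can be scripted with the AWS CLI instead of the console. The script below is an added example and is not Zilla's own tooling; it assumes the template was saved as zilla-sso-reader-role-template.yml, that the AWS CLI is configured for the management account, and that the stack is named Zilla-SSO-Reader-Role (both names are overridable through the TEMPLATE_FILE and STACK_NAME environment variables). It also checks the ExternalId against the same character set the template's AllowedPattern permits before calling AWS, and requests CAPABILITY_NAMED_IAM, which CloudFormation requires because the template sets RoleName explicitly.

```shell
#!/bin/sh
# Added example (not Zilla's code): create the Zilla-SSO-Reader-Role stack with
# the AWS CLI and wait for CREATE_COMPLETE.
TEMPLATE_FILE="${TEMPLATE_FILE:-zilla-sso-reader-role-template.yml}"  # assumed file name
STACK_NAME="${STACK_NAME:-Zilla-SSO-Reader-Role}"                      # assumed stack name
ZILLA_ACCOUNT_ID="087210011007"                                         # value from the page

# Return 0 only if the ExternalId is non-empty and uses just the characters the
# template's AllowedPattern accepts (alphanumerics plus = , . @ : / - _).
valid_external_id() {
  case "$1" in
    '') return 1 ;;
    *[!a-zA-Z0-9=,.@:/_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the --parameters argument list. The ExternalId is the company domain,
# as the instructions above specify; the role name and account ID are fixed.
stack_parameters() {
  domain="$1"
  printf 'ParameterKey=ZillaSSOReaderRoleName,ParameterValue=Zilla-SSO-Reader-Role ParameterKey=ZillaExternalID,ParameterValue=%s ParameterKey=ZillaAccountId,ParameterValue=%s' \
    "$domain" "$ZILLA_ACCOUNT_ID"
}

# Create the stack, block until it reaches CREATE_COMPLETE, then print the
# role ARN from the ZillaSSOReaderRoleARN output.
deploy_stack() {
  domain="$1"
  valid_external_id "$domain" || { echo "invalid ExternalId: '$domain'" >&2; return 1; }
  # CAPABILITY_NAMED_IAM is mandatory because the template names the IAM role.
  # shellcheck disable=SC2046  (word splitting of the parameter list is intended)
  aws cloudformation create-stack \
    --stack-name "$STACK_NAME" \
    --template-body "file://$TEMPLATE_FILE" \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters $(stack_parameters "$domain") || return 1
  # Waits until the stack status is CREATE_COMPLETE (fails if creation rolls back).
  aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME" || return 1
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query 'Stacks[0].Outputs[?OutputKey==`ZillaSSOReaderRoleARN`].OutputValue' \
    --output text
}

# Usage: deploy_stack example.com
```

The sts:ExternalId condition in the role's trust policy is what lets the Zilla account assume the role only when it presents the ExternalId you entered, so the value you pass here must match what you register with Zilla; the printed ARN is the value the Outputs section of the stack reports.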