AWS SSO - Account Acccess Pattern/Automation

53 views Asked by At

I have a new AWS management account with SSO set up. I am not clear on how I can give access to some "user" which will be used to run terraform. What I would like to do is create a role in each non-management account. Then in the management account create a group, with a policy that allows any user in that group to assume the role in any "non-mangement" account.

However, in the "non-management" account, I am not able to set the trust policy to allow a "group" to assume the role, it seems like only individual users are allowed. However, this means in the management account, whenever I add a user, I have to manually then come into each "non-management" account and update the trust policy to now allow this new user to assume the role as well. Obviously, this isn't ideal, and I'm sure theres a simpler way to automate this.

Or is this even the best approach to doing this ? I've also tried the hub and spoke approach with a single non-sso user in the management account. This works, but somehow seems like its not a clean approach.

0

There are 0 answers