Page Comparison

Access the Roles area in the IAM console and click Create role.

Create a role with the scope Another AWS account and use Account ID:837131528613

Add the policy you created in the previous steps (for example: devo-xaccount-cs-policy)

Give this role a name that you will provide to Devo.

Go to the newly created role and access Trust relationships → Edit trust relationship.

Change the existing policy document to the following, which will only allow for our collector server role to access the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Optionally, you may add an external ID (see more information here). Add in an external ID generated by customer and hand it to Devo as well.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "ABCDEFGHIJKL0123"}} <-- Change this
    }
  ]
}

For a Devo developer to access your collector, we will need you to add another principal. This will allow us to debug your collector quickly. It will look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::staging_account_id837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Click Update Trust Policy to finish.