1. Access the Roles area in the IAM console and click Create role.
2. Create a role with the scope Another AWS account and use Account ID 837131528613.
3. Add the policy you created in the previous steps (for example, devo-xaccount-cs-policy).
4. Give this role a name that you will provide to Devo.
5. Go to the newly created role and access Trust relationships → Edit trust relationship. Replace the existing policy document with the following, which allows only our collector server role to assume this role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Optionally, you may add an external ID (see more information here). Generate the external ID on your side, add it to the trust policy as shown below, and hand it to Devo as well. Replace the value ABCDEFGHIJKL0123 with your own external ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "ABCDEFGHIJKL0123"}}
    }
  ]
}
```
For a Devo developer to access your collector, we will need you to add another principal. This will allow us to debug your collector quickly. The trust policy will look something like this, where `<staging_account_id>` is a placeholder for the account ID of the second principal supplied by Devo:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<staging_account_id>:role/devo-xaccount-cs-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Click Update Trust Policy to finish.
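As an added example (not Devo's own documentation or tooling), the Python below builds the trust policy described in the steps above, with the optional sts:ExternalId condition and any extra principal, and checks a policy document before you paste it in: every Allow statement must name a specific role ARN (no account root, no wildcard), grant only sts:AssumeRole, and carry the external ID. The collector role ARN and external ID are the page's example values; any other account ID is constructed.

```python
import re

# Constructed example values: the Devo collector role ARN from the page and a
# customer-generated external ID (a placeholder, not a real secret).
DEVO_COLLECTOR_ROLE = "arn:aws:iam::837131528613:role/devo-xaccount-cs-role"
EXAMPLE_EXTERNAL_ID = "ABCDEFGHIJKL0123"

# A specific IAM role ARN: 12-digit account ID followed by a role path/name.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def build_trust_policy(principal_arns, external_id=None):
    """Trust policy that lets only the listed roles assume this role; with
    external_id set, every statement also requires sts:ExternalId."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}} if external_id else {}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": arn},
                "Action": "sts:AssumeRole",
                "Condition": dict(condition),
            }
            for arn in principal_arns
        ],
    }


def check_trust_policy(policy, require_external_id=True):
    """Return findings for Allow statements wider than the setup above intends."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if set(actions) != {"sts:AssumeRole"}:
            findings.append(f"statement {i}: unexpected action(s) {actions}")
        # Principal may be the bare string "*" or a map such as {"AWS": ...}.
        principal = stmt.get("Principal", {})
        arns = principal if principal == "*" else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        for arn in arns:
            if arn == "*" or not ROLE_ARN_RE.match(arn):
                findings.append(f"statement {i}: principal is not a specific role: {arn}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if require_external_id and not ext:
            findings.append(f"statement {i}: missing sts:ExternalId condition")
    return findings
```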