Module: organization-access-group
Terraform module to create an IAM Group and Policy to grant permissions to delegated IAM users in the Organization's master account to access a member account
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
Introduction
By default, when you create a member account as part of your Organization, AWS automatically creates OrganizationAccountAccessRole in the member account.
The role grants admin permissions to access the member account to delegated IAM users in the master account.
In the master account you need to create a Policy to grant permissions to IAM users to assume OrganizationAccountAccessRole in the member account.
This module does the following:
- Creates an IAM Group
- Adds the provided IAM users to the Group
- Creates a Policy to grant permissions to the IAM users in the master account to assume
OrganizationAccountAccessRolein the member account - Attaches the Policy to the Group
Users who are members of the Group will be able to assume the role and administer the member account by going here:
(change XXXXXXXXXXXX to the ID of the member account)
https://signin.aws.amazon.com/switchrole
?account=XXXXXXXXXXXX
&roleName=OrganizationAccountAccessRole
&displayName=Dev
NOTE: Member accounts that you invite to join your Organization (that are not part of your Organization) do not automatically get OrganizationAccountAccessRole created.
You can use terraform-aws-organization-access-role module to create OrganizationAccountAccessRole role in an invited member account.
Usage
module "organization_access_group" {
source = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=master"
namespace = "cp"
stage = "dev"
name = "cluster"
user_names = ["User1","User2"]
role_arns = {
"cp@dev" = "arn:aws:iam::XXXXXXXXX:role/OrganizationAccountAccessRole"
}
require_mfa = "true"
}