Attaching Multiple AWS Accounts to a Stack

Last updated: November 7, 2024

Overview

To manage resources across multiple AWS accounts within a single stack, you can configure cross-account permissions or set up the AWS Terraform provider to assume roles in each target account. This guide explains two primary methods for attaching multiple AWS accounts to a Spacelift stack.

Options:

Option 1: Use Spacelift Cloud Integration with Cross-Account Permissions

By configuring a Spacelift Cloud Integration associated with an IAM role in a shared services account (e.g., acct-ss), you can enable this role to assume IAM roles in other AWS accounts (e.g., Account A and Account B). This approach uses cross-account permissions to allow a single integration to manage multiple target accounts.

Steps:

  1. Create an IAM Role with Cross-Account Permissions
    In your shared services account, create an IAM role with permissions to assume roles in each target account. This role should have the necessary permissions for the resources you intend to manage.

  2. Establish Cross-Account Trust
    In each target account (e.g., Account A and Account B), create IAM roles with permissions for the required resources. Configure these roles to trust the IAM role in your shared services account. This trust relationship allows the Spacelift integration to assume roles in the target accounts.

  3. Create a Spacelift Integration
    In Spacelift, set up a Cloud Integration associated with the IAM role in the shared services account. Learn more about creating AWS integrations in Spacelift.

This method enables a single integration to control multiple AWS accounts securely.
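The following Terraform is an added example of the IAM side of Option 1; it is not code from the original article or from Spacelift. It assumes constructed account IDs (111111111111 for the shared services account "acct-ss", 222222222222 for Account A, 333333333333 for Account B), a pre-existing integration role named "spacelift-integration" in acct-ss, a target role named "spacelift-target" in each target account, and a constructed ExternalId value. The shared-services policy names the target roles explicitly rather than using "*", and each target trust policy names the integration role rather than the whole acct-ss account, so trust is scoped to exactly the two roles involved.

```hcl
# Added example (not from the original article): IAM wiring for Option 1.
# Constructed values: account IDs, role names and the ExternalId below.

# --- Shared services account (acct-ss, 111111111111) ---
# The Cloud Integration role already exists here (its Spacelift-facing trust
# policy is set up when the integration is created). This inline policy only
# grants it the right to assume the specific target roles.
resource "aws_iam_role_policy" "assume_targets" {
  name = "assume-spacelift-target-roles"
  role = "spacelift-integration" # assumed to exist already

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      # List the exact target roles; "*" would let the integration assume any
      # role in any account that happens to trust acct-ss.
      Resource = [
        "arn:aws:iam::222222222222:role/spacelift-target",
        "arn:aws:iam::333333333333:role/spacelift-target",
      ]
    }]
  })
}

# --- Target account (Account A, 222222222222; repeat per target) ---
# The role the integration assumes. Its trust policy names the integration
# role ARN, not the account root, and requires an ExternalId so that only a
# caller that knows the agreed value can assume it (confused-deputy guard).
resource "aws_iam_role" "spacelift_target" {
  name = "spacelift-target"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        AWS = "arn:aws:iam::111111111111:role/spacelift-integration"
      }
      Condition = {
        StringEquals = {
          "sts:ExternalId" = "spacelift-example-external-id" # constructed value
        }
      }
    }]
  })
}

# Grant the target role only what the stack will manage in this account.
# AmazonS3FullAccess is a placeholder for a least-privilege policy of your own.
resource "aws_iam_role_policy_attachment" "target_permissions" {
  role       = aws_iam_role.spacelift_target.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
```

Before wiring the stack up, verify the chain from the shared services account with `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/spacelift-target --role-session-name trust-check --external-id spacelift-example-external-id`; a successful call returns temporary credentials for Account A, and the corresponding AssumeRole event in that account's CloudTrail shows the integration role as the caller, which is the record you will later rely on for auditing what the stack did and where.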

Option 2: Configure the AWS Terraform Provider to Assume Roles in Each Account

Another approach is to use the AWS Terraform provider's assume_role configuration block to specify roles for each target account. This method allows the Terraform provider to switch between accounts by assuming different IAM roles within your stack configuration.

Steps:

  1. Set Up IAM Roles in Each Target Account
    In each target AWS account, create IAM roles with the necessary permissions for managing resources. Ensure these roles can be assumed by your shared services account (or another account holding your primary credentials).

  2. Configure the AWS Terraform Provider in Your Stack
    In your Terraform configuration, use the assume_role block within the AWS provider to specify roles for each target account.

  3. Reference Providers in Your Resources
    Assign resources to specific providers by specifying the provider alias, allowing Terraform to manage resources across multiple AWS accounts.
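The following Terraform is an added example of Option 2 end to end; it is not code from the original article or from Spacelift. It assumes the same constructed account IDs and role names as above (Account A 222222222222 and Account B 333333333333, each with a role named "spacelift-target"), a constructed ExternalId that matches the target roles' trust policies, and that the default credentials available to the stack belong to the shared services account.

```hcl
# Added example (not from the original article): one stack, two target
# accounts, selected per resource through provider aliases.
# Constructed values: account IDs, role names, region, ExternalId, bucket names.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Default provider: runs with the credentials the stack already holds
# (e.g. the Cloud Integration role in the shared services account).
provider "aws" {
  region = "eu-west-1"
}

# Account A: every API call through this alias is made as the target role.
provider "aws" {
  alias  = "account_a"
  region = "eu-west-1"

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/spacelift-target"
    session_name = "spacelift-stack" # appears in CloudTrail as the session identity
    external_id  = "spacelift-example-external-id" # must equal the trust policy condition
  }
}

# Account B: same pattern, different role ARN.
provider "aws" {
  alias  = "account_b"
  region = "eu-west-1"

  assume_role {
    role_arn     = "arn:aws:iam::333333333333:role/spacelift-target"
    session_name = "spacelift-stack"
    external_id  = "spacelift-example-external-id"
  }
}

# A resource is pinned to an account by naming the provider alias; without
# the "provider" argument it would be created with the default credentials.
resource "aws_s3_bucket" "account_a_artifacts" {
  provider = aws.account_a
  bucket   = "example-account-a-artifacts" # constructed name
}

resource "aws_s3_bucket" "account_b_artifacts" {
  provider = aws.account_b
  bucket   = "example-account-b-artifacts" # constructed name
}

# Sanity check: surface which account each alias actually resolves to, so a
# mis-pasted role ARN is caught in the plan output rather than after apply.
data "aws_caller_identity" "account_a" {
  provider = aws.account_a
}

data "aws_caller_identity" "account_b" {
  provider = aws.account_b
}

output "resolved_accounts" {
  value = {
    account_a = data.aws_caller_identity.account_a.account_id # expect 222222222222
    account_b = data.aws_caller_identity.account_b.account_id # expect 333333333333
  }
}
```

Two caveats a practitioner will run into: because the stack's own credentials are already a role session, assuming a second role from them is role chaining, and AWS caps a chained session at one hour regardless of the target role's configured maximum, so long-running applies need to be sized with that in mind; and each target role's trust policy must allow the specific principal the stack runs as (the shared-services role, not the account root) and require the same ExternalId the provider passes, otherwise `terraform plan` fails at the AssumeRole call with an AccessDenied error before touching any resource.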

Summary

To manage multiple AWS accounts in a single Spacelift stack, you can:

  • Set up a Spacelift Cloud Integration with cross-account permissions for each target account.

  • Use the AWS Terraform provider’s assume_role block to switch roles within your Terraform configuration.

These methods enable streamlined, cross-account management while maintaining secure and compliant access control. For further guidance, please reach out to Spacelift Support.