Lucidum’s community edition is a fully self-service product. In as little as one hour it can provide full visibility of the assets, users, and data in your AWS environment. To get started, apply for a free license key on the Lucidum website (https://lucidum.io/communitylicense/) and launch the virtual machine to begin data ingestion. Once you are up and running, the product supports a number of use cases, such as capacity and cost optimization, risk assessment, and compliance enforcement.
One of the most critical steps in the setup process is configuring cross-account role access using AssumeRole. In this blog we explain how to automate the cross-account role-assumption process on AWS with Terraform. We also make the Terraform code available to the open-source community.
Overcoming Account Access Obstacles
The need to execute code in multiple accounts is a common problem in the Amazon ecosystem, and one we had to solve because the Lucidum platform ingests data from many sources, including different Amazon accounts. The Amazon AssumeRole mechanism supports cross-account code execution, but deploying the roles across all of those accounts can be challenging. Existing solutions such as AWS Control Tower and AWS Organizations can do this, but they require prior configuration that many customers do not have in place. To cover the widest range of existing setups, we created a solution that simply loops through a list of AWS CLI profiles.
AWS CLI profiles are the native Amazon way of connecting to different AWS accounts. By leveraging Terraform, we can loop through these profiles and execute the Terraform code in each account. For our purposes, each loop iteration creates a role in one AWS account, with an inline policy, that is assumed by our product. The role-assumption process lets the main account access resources in the additional accounts, so the Lucidum EC2 instance in the main account has permission to collect data from them, as illustrated below.
This solution can also be used to create any number or type of resources, not just roles to be assumed. For instance, the same profile-looping mechanism can deploy an EC2 virtual machine instance across many accounts, regardless of their Control Tower or Organizations membership.
Terraform is a cloud-agnostic Infrastructure-as-Code solution. Lucidum’s Terraform template is instantiated once for each AWS profile (that is, each account), and each resulting Terraform root is then applied. The result is that the resources defined in the template are realized in every AWS account in the list.
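As an added example (not the code from Lucidum’s repository), here is a single Terraform root of the kind the loop instantiates once per profile. The profile name, the main account ID and the external ID are assumed inputs; the ExternalId condition in the trust policy and the read-only inline policy are the least-privilege choices a practitioner would want, and the EC2 instance’s own role in the main account still needs an identity policy allowing sts:AssumeRole on the emitted role ARN.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Assumed inputs, e.g. driven by a shell loop over `aws configure list-profiles`:
#   terraform apply -var="profile=$p" -var="main_account_id=..." -var="external_id=..."
variable "profile"         { type = string } # CLI profile of the account being onboarded
variable "main_account_id" { type = string } # account hosting the Lucidum EC2 instance
variable "external_id"     { type = string } # shared value that blocks confused-deputy assumption

provider "aws" {
  profile = var.profile
}

# Trust policy: only the main account may assume this role, and only with the external ID
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.main_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "lucidum_x_account" {
  name               = "lucidum-x-account-readonly" # hypothetical role name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Inline policy: discovery (read-only) calls only, no mutating permissions
resource "aws_iam_role_policy" "inline" {
  name = "lucidum-discovery-readonly"
  role = aws_iam_role.lucidum_x_account.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:Describe*", "iam:List*", "iam:Get*", "s3:ListAllMyBuckets"]
      Resource = "*"
    }]
  })
}

output "role_arn" { value = aws_iam_role.lucidum_x_account.arn }
```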
This profile-looping solution is useful for many different use cases, whether the resource deployed in each AWS account is a role to be assumed or anything else. It allows resources to be created in different Amazon accounts even when those accounts belong to different Control Tower / Organizations hierarchies.
Hopefully this Amazon profile-looping mechanism will be useful to the greater open-source community. The code can be found here: https://github.com/LucidumInc/lucidum-deployment-seed/tree/master/x_account_assume_role.
We’d love to hear your feedback, comments, or questions and we’re sure others would too. Please let us know what you think on our community forum (https://lucidum.io/forums/).