Configure Trust for Additional AWS Accounts

You can optionally use Commander to manage AWS accounts besides the one where the Commander application is running. You can add these extra accounts to Commander using static keys, but we recommend that Commander assumes a role in the other accounts. To do so, you must configure a trust relationship between the Commander account and the other accounts.

Configure an IAM role in each AWS account that Commander will manage

In each account that Commander will manage, create a role for Commander to assume. This role enables Commander to view all resources in the account and to manage specific resources in the account.

  1. Sign in to AWS IAM Role Management as an administrator of an account that Commander will manage.
  2. Create an IAM role with a name such as "cmdrRoleToAssume".
  3. Attach the following policies to the role:
    • The ReadOnlyAccess policy, to allow Commander read-only access to all resources in the account.
    • A policy that grants Commander administrative permission to manage specific resources in the account. A policy is provided that you can save as a .json file. Note that while you may customize these permissions, Commander must have administrative permissions in order to manage resources in the account.
  4. On the Trust relationships tab, click Edit Trust Relationship. In the Policy Document window, paste the following trust policy, replacing XXXXXXXXXXXX with the ID of the account where Commander will be deployed, and replacing vCmdrInstanceProfileRole with the name of the role you created for the EC2 instance:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/vCmdrInstanceProfileRole",
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  5. Repeat these steps for each account that Commander will manage.

Grant permissions for Commander to assume a role in other accounts

Now that you’ve created one or more roles for Commander to assume, create a policy that specifies these roles.

  1. Sign in to AWS IAM Role Management as an administrator of the account where Commander will be deployed.
  2. To the Instance Profile role that you created earlier, attach a policy that specifies the role Commander will assume for each account it will manage.

    The following example shows what this policy looks like if Commander will manage two accounts with IDs 1234567891234 and 9876543219876, and will assume the role named “cmdrRoleToAssume” in both accounts.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::1234567891234:role/cmdrRoleToAssume"
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::9876543219876:role/cmdrRoleToAssume"
        }
      ]
    }

    If you want to allow Commander to manage all of your AWS accounts, create a role with the same name in each account. Then the policy can consist of a single statement in which the account number is replaced with a wildcard asterisk (*).
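As an added example (not part of the Commander documentation), the following Python builds the two policy documents from the two procedures above and checks that a cross-account AssumeRole call is permitted by both sides, since the identity policy on the Commander instance profile role and the trust policy on the managed account's role must both allow it. The role names vCmdrInstanceProfileRole and cmdrRoleToAssume come from the page; the account IDs are constructed and the helper function names are assumptions.

```python
import fnmatch
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits

def trust_policy(commander_account, instance_profile_role):
    """Trust policy for the role Commander assumes in a managed account. Only the
    instance profile role principal is needed: that role is what calls AssumeRole."""
    if not ACCOUNT_ID_RE.match(commander_account):
        raise ValueError(f"bad account id: {commander_account}")
    principal = f"arn:aws:iam::{commander_account}:role/{instance_profile_role}"
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]}

def assume_role_policy(managed_accounts, role_name="cmdrRoleToAssume"):
    """Identity policy for the Commander instance profile role. An account id of
    '*' yields the single wildcard statement used to cover all accounts."""
    statements = []
    for i, acct in enumerate(managed_accounts):
        if acct != "*" and not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"bad account id: {acct}")
        statements.append({"Sid": f"AssumeCommanderRole{i}",  # Sids must be unique
                           "Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": f"arn:aws:iam::{acct}:role/{role_name}"})
    return {"Version": "2012-10-17", "Statement": statements}

def _allows(statements, key, value):
    """True if an Allow sts:AssumeRole statement's <key> matches value ('*' via fnmatch)."""
    for s in statements:
        if s["Effect"] != "Allow" or s["Action"] != "sts:AssumeRole":
            continue
        patterns = s[key].get("AWS", []) if key == "Principal" else s[key]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return True
    return False

def can_assume(caller_role_arn, identity_policy, target_role_arn, trust_policy_doc):
    """Cross-account AssumeRole needs BOTH the caller's identity policy
    and the target role's trust policy to allow it."""
    return (_allows(identity_policy["Statement"], "Resource", target_role_arn)
            and _allows(trust_policy_doc["Statement"], "Principal", caller_role_arn))

if __name__ == "__main__":
    cmdr, managed = "111111111111", ["222222222222", "333333333333"]  # constructed ids
    caller = f"arn:aws:iam::{cmdr}:role/vCmdrInstanceProfileRole"
    identity, trust = assume_role_policy(managed), trust_policy(cmdr, "vCmdrInstanceProfileRole")
    for acct in managed + ["444444444444"]:  # the last account is not in the policy
        print(acct, can_assume(caller, identity, f"arn:aws:iam::{acct}:role/cmdrRoleToAssume", trust))
```

Running it prints True for the two managed accounts and False for the third, which the Commander-side policy does not list.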