Cross-Account Manager
Cross-Account Manager

Step 3. Onboard Policies and Roles

After you launch the solution in both the master and sub-account, upload the necessary roles and policies to onboard a sub-account. The Cross-Account Manager solution package includes a set of predefined role and policy files that you can use as a framework for onboarding sub-accounts. Go to the GitHub repository to download these files.

  1. Prepare the applicable policy file(s). All policy files used in this solution must be in JSON format and follow the guidelines outlined in the IAM User Guide.

  2. Prepare the applicable YAML-formatted role file(s).

    A sample role.yaml file is shown below.

    roles: - #Role name Prod-Administrator : #Action add or remove action : add #Reference to JSON policy file in custom_policy folder policy : Administrator.json #Optional: apply this role to only accounts in this group accountgroup : production Dev-Administrator : action : add policy : Administrator.json accountgroup : development Read-Only : action : add policy : Read-Only.json

    The accountgroup field is optional. Roles without a specific account group are assigned to all sub-accounts that the solution manages. Roles with an account group will be assigned only to accounts in that group, i.e., accounts with a matching accountgroup value. This helps you create account groupings and apply consistent roles to those accounts.


    You must use unique role names for this solution, even across different account groups.

    This example file will create a CrossAccountManager-Prod-Administrator role that will be assigned to sub-accounts in the production account group. It will also create a CrossAccountManager-Dev-Administrator role that will be assigned to sub-accounts in the development account group, and a CrossAccountManager-Read-Only role that has access to all managed sub-accounts.

  3. Log in to the AWS Management Console of the master account, and open the Amazon S3 console.

  4. In the Amazon S3 configuration bucket (ConfigBucket output from Step 1), choose the custom_policy folder.

  5. Upload the sub-account policy file. Use the solution-generated AWS KMS key to encrypt the object during upload.


    Do not remove JSON policy files from the configuration bucket. The solution refers to them regularly to manage permissions.

  6. Go back to the configuration bucket and choose the role folder.

  7. Upload the sub-account role file. Use the solution-generated AWS KMS key to encrypt the object during upload.

  8. If the upload is successful, the solution will remove the role file from the configuration bucket. Check the role folder to confirm the file was received and removed. (It will remain in the bucket’s version history.) You can also check Amazon DynamoDB to confirm the account record(s) were added successfully.