Third Party Developer Access

We received this question via the Gruntwork Support email alias and felt that it would benefit the community to post the answer here.

Question: We’re setting up access for an external, third-party Development Team to access our DEV environment on the new Gruntwork AWS setup. How do we set up roles for them so that they only have access to that one environment? Also, they may require access to shared and stage at some point in the near future.

Any recommendations that we should be following?

You will have to write some custom code, but the basic idea is:

  1. Add a new module in infrastructure-modules that creates an IAM role called, for example, allow_third_party_dev_from_other_accounts, that can be assumed from other AWS accounts. Attach whatever permissions those devs need to that IAM role (e.g., ec2:* if those devs should be able to access all EC2 resources). Make sure MFA is required to assume the IAM role. See the cross-account-iam-roles and iam-policies modules for example code (e.g., you could follow the structure of the allow_dev_access_from_other_accounts IAM role).

  2. Deploy the newly created module in each account in infrastructure-live that the external developers should be able to access.

  3. In the security account, go to the iam-groups module in infrastructure-live/security, find the iam_groups_for_cross_account_access variable, and add to the end of it the ARNs of the new IAM roles you added in the previous step.

  4. In the security account, create an IAM user for each of these external devs. Add these IAM users to the new IAM groups created in the previous step.

  5. These developers will now be able to authenticate to the security account and “switch” to the other accounts the same way as your other developers do. However, the external devs will be limited to the permissions you add to the allow_third_party_dev_from_other_accounts IAM role in the first step.
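As an added illustration of step 1 (this is example Terraform, not Gruntwork's cross-account-iam-roles module), here is a minimal module that creates the allow_third_party_dev_from_other_accounts role. The trust policy lets identities in the security account assume the role and refuses the sts:AssumeRole call unless MFA was used; the attached permissions grant only ec2:*, as in the answer above. The variable names, the security_account_id input, and the output name are assumptions made for this example.

```hcl
# Example module (not Gruntwork's code): an IAM role that external developers
# assume from the security account. Deploy it once in every account the
# third-party team should reach (dev today, shared/stage later).

variable "security_account_id" {
  description = "ID of the security account whose IAM users may assume this role (assumed input)"
  type        = string
}

variable "role_name" {
  description = "Name of the cross-account role"
  type        = string
  default     = "allow_third_party_dev_from_other_accounts"
}

# Trust policy: who may call sts:AssumeRole on this role, and under what condition.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Delegates to the security account; the IAM user there still needs its own
    # policy granting sts:AssumeRole on this role (that is what the iam-groups
    # module in the security account provides in step 3).
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.security_account_id}:root"]
    }

    # Fail closed: if the caller's session was not authenticated with MFA, the
    # aws:MultiFactorAuthPresent key is absent or false and this Allow does not match.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "third_party_dev" {
  name               = var.role_name
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Permissions policy: what the external developers may do once they hold the role.
# Scope this to what the team actually needs; ec2:* is the example from the answer.
data "aws_iam_policy_document" "permissions" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:*"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "third_party_dev" {
  name   = "${var.role_name}-permissions"
  role   = aws_iam_role.third_party_dev.id
  policy = data.aws_iam_policy_document.permissions.json
}

# This ARN is what you append to iam_groups_for_cross_account_access in the
# security account (step 3) so that a matching IAM group is created there.
output "role_arn" {
  description = "ARN of the cross-account role for the external development team"
  value       = aws_iam_role.third_party_dev.arn
}
```

Because the trust policy names only the security account, the external developers cannot assume the role directly from their own AWS accounts; they must first authenticate (with MFA) as the IAM users you create for them in the security account in step 4, and the group membership from step 3 is what grants them sts:AssumeRole on this ARN. Adding access to shared or stage later is a matter of deploying this same module in those accounts and appending the resulting ARNs to the same variable.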

I hope that helps! If you have any further questions, please let us know.