Hard limit of 10 groups per user in AWS

[rhoboat]

cross-account-iam-roles creates IAM Groups in the master account, which need to be assigned to users as required. Since most devs will need ssh-grunt-sudo-users, ssh-grunt-users, plus _account.-dev, _account.-openvpn-users & _account.-openvpn-admins for every child account, this runs into the hard limit of 10 groups per user with more than 2 child accounts. What is the best way of handling permissions in this case? How can this scale to larger numbers of child accounts?

[rhoboat]

You want to create dedicated cross account groups that group multiple cross account access into one group. This can be done by modifying your cross_account_groups.yml, which we've linked to an example of here.

For example, here is a modified version of that that will create a special group that grants access to openvpn access to all accounts:

cross_account_groups:
  - group_name: "_account.all-openvpn"
    iam_role_arns:
#%{~ for name, id in account_ids }
      - "arn:aws:iam::${id}:role/openvpn-allow-certificate-revocations-for-external-accounts"
#%{ endfor ~}

This way, you only need to assign a handful of groups to the users instead of packing the user with all the individual, fine grained groups

credit @yorinasub17

[Codeazure]

Is that something in Service Catalog? I'm still creating environments the old Reference Architecture way using terraform-aws-security/modules/cross-account-iam-roles

[yorinasub17]

Yes this is something in service catalog. The old Reference Architecture equivalent would be to configure the iam_groups_for_cross_account_access input variable for iam-groups module in terragrunt using a similar strategy.

To be specific, you can add this yaml file to your infrastructure-live and pull it in the terragrunt.hcl using the following:

inputs = {
  iam_groups_for_cross_account_access = try(
    yamldecode(
      templatefile(
        "cross_account_groups.yml",
        {
          account_ids = {
            dev = "DEV_AWS_ACCOUNT_ID"
            stage = "STAGE_AWS_ACCOUNT_ID"
            # ... and so on ...
          }
        },
      ),
    ),
    {},
  )
}

[drafie]

This is another item that should be in the docs included with the RA deployment.

I wanted to give CI-MACHINE-USER permission to auto-deploy from all of our sandbox accounts. This answer helped me. I am leaving behind what I did in case it helps someone in the future.

Rather than use users.yml and add individual sandboxes under under ci-machine-user which would have quickly exceed the 10 groups per user rule, I created a single group to house all the sandboxes.

Based on this thread, I used cross_account_groups.yml in security/global/account-baseline and created a new group called all-sandbox-auto-deploy and then added the iam_role_arns for each of the sandbox accounts, using this code:

# CI-MACHINE-USER group used to auto deploy from all sandbox accounts
- group_name: "_account.all-sandbox-auto-deploy"
iam_role_arns:
#%{~ for name, id in account_ids }
#%{ if length(regexall("sandbox-", name)) > 0}
- "arn:aws:iam::${id}:role/allow-auto-deploy-from-other-accounts"
#%{ endif }
#%{ endfor ~}

Finally, I added that group to the ci-machine-user in users.yml as

ci-machine-user: 
		  create_access_keys: false 
		  create_login_profile: false 
		  groups: 
		    - _account.all-sandbox-auto-deploy