Granting Access to Role
Once the Prod-Xacc-Access role is set up in the Prod AWS account (112233445566), any user or role in the IT AWS account (123456789012) will be able to assume that role with the appropriate configuration, as explained in the steps in this section.

Create the IT-AviController-Role role in the IT AWS account (123456789012) to assume the Prod-Xacc-Access role in the Prod AWS account (112233445566). This is the role to which the Controller instance will be attached.

Create the policy Cross-Account-AssumeRole-policy, which will be attached to the IT-AviController-Role role.
role.- Navigate toIAM > Policies, and clickCreate Policy.

- Configure the policy with the sts:AssumeRole action and provide the resource reference for the Prod-Xacc-Access role's ARN, which in this example is arn:aws:iam::112233445566:role/Prod-Xacc-Access.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::112233445566:role/Prod-Xacc-Access"
    }
  }
  ```

- Navigate to the JSON tab, provide the syntax mentioned above, and click Review Policy to save the policy.

For attaching multiple accounts, use the following policy syntax:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<ACCOUNT-ID1>:role/<Role-Name-1>"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<ACCOUNT-ID1>:role/<Role-Name-2>"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<ACCOUNT-ID2>:role/<Role-Name>"
    }
  ]
}
```

Next, create the IT-AviController-Role role and attach the policy to it:

- Navigate to , and click Create Role.

- Select AWS Service, select Amazon EC2 as the role type, and click Next: Permissions.

- Under Attach Policy, select the Cross-Account-AssumeRole-policy created earlier and also the AviController-EC2-Policy, which is required for the Controller's internal operations.

- Provide the Role name as IT-AviController-Role and the description (optional), and click Create role. Verify that both policies are now attached.
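Before attaching the Cross-Account-AssumeRole-policy, it is worth checking that it grants sts:AssumeRole only on the named roles and never on a wildcard resource. The following Python is an added example, not part of the Avi documentation; it parses the single-role policy above and a multi-account variant with a constructed second account (999988887777) and constructed role names filled in for the placeholders, handling both the single-statement object form and the list form that IAM accepts.

```python
import json
import re

# Constructed inputs: the single-role policy from the steps above, and the
# multi-account variant with constructed account 999988887777 and role names
# filled in for the placeholders.
POLICY_SINGLE = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::112233445566:role/Prod-Xacc-Access"}})
POLICY_MULTI = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::112233445566:role/Prod-Xacc-Access"},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::112233445566:role/Prod-ReadOnly"},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::999988887777:role/Prod-Xacc-Access"}]})

# A fully specified IAM role ARN: 12-digit account, then role/<name> (no path).
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")


def _as_list(value):
    """IAM accepts either a bare string/object or a list for these fields."""
    return value if isinstance(value, list) else [value]


def assumable_roles(policy_json):
    """Map account ID -> role names that the policy lets the principal assume.

    Raises ValueError when an AssumeRole statement names anything other than a
    single role ARN (e.g. "*"), since a cross-account policy should list each role.
    """
    roles = {}
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*")
                   for a in _as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            match = ROLE_ARN.match(resource)
            if not match:
                raise ValueError(f"AssumeRole resource is not a named role: {resource!r}")
            roles.setdefault(match.group(1), []).append(match.group(2))
    return roles


def allows_role(policy_json, role_arn):
    """True if the policy grants sts:AssumeRole on exactly this role ARN."""
    match = ROLE_ARN.match(role_arn)
    return bool(match) and match.group(2) in assumable_roles(policy_json).get(match.group(1), [])
```

Run `assumable_roles` over the policy JSON you are about to paste into the IAM console; for the single-role policy it returns `{"112233445566": ["Prod-Xacc-Access"]}`, and a `Resource` of `"*"` raises instead of silently widening the grant.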

