It's best practice to follow the principle of least privilege when deploying configuration to organization accounts. To achieve this, you should create an account administrator role with restricted permissions and use it to deploy configuration. The next question is how to create this restricted role in the first place.
You can have a separate bootstrap configuration that creates the restricted role and other resources needed to deploy the rest of the configuration with scoped down permissions.
Bootstrap configuration is defined using config sets but attached to organizational units and accounts with the bootstrapConfigSets property.
Example: Attaching bootstrap config sets
Here's how you could define and attach bootstrap config sets:
You use accountBootstrapRoleName to specify which role to use to deploy the bootstrap configuration.
Setting Bootstrap Role
Like with the regular config sets, when the bootstrap config sets are deployed to member accounts, Takomo assumes a role from each account and uses it for deployment. By default, Takomo attempts to assume a role named OrganizationAccountAccessRole, which is the default role created for each account when the account is created and added to the organization.
You can also provide a custom bootstrap role. The custom bootstrap role name can be specified in several places within the organization configuration. When bootstrap config sets are deployed to a member account, the bootstrap role name is looked up in the following order:
- accountBootstrapRoleName key under the current account
- accountBootstrapRoleName key under the current organizational unit
- accountBootstrapRoleName key at the top-level of the organization configuration
- accountCreation.defaults.roleName key in the account creation configuration
If none of the above is defined, the default role name OrganizationAccountAccessRole is used.
Note that the value must be a plain role name, not a full IAM role ARN.
Example: Setting the bootstrap role
Here are all the places where you can set the bootstrap role.
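The following organization configuration is an added illustration, not an example from the Takomo documentation, that serves both examples above: it attaches a bootstrap config set to an organizational unit and sets accountBootstrapRoleName at every level in the resolution order. The keys bootstrapConfigSets, accountBootstrapRoleName and accountCreation.defaults.roleName come from the text above; the remaining keys (masterAccountId, configSets, commandPaths, organizationalUnits, accounts) and all account ids are assumptions about the configuration layout and constructed sample values.

```yaml
# Added illustration (not from the Takomo docs). Keys other than bootstrapConfigSets,
# accountBootstrapRoleName and accountCreation.defaults.roleName are assumed from the
# organization configuration layout; account ids are constructed sample values.
masterAccountId: "111111111111"

# Config set whose stacks create the restricted account administrator role.
# Assumed layout: a config set lists the command paths it deploys.
configSets:
  bootstrap:
    description: Create the restricted account administrator role
    commandPaths:
      - /bootstrap

# Consulted last (4th) when resolving the bootstrap role name.
accountCreation:
  defaults:
    roleName: OrganizationAccountAccessRole

# Resolution order 3: top-level default for all accounts in the organization.
accountBootstrapRoleName: OrganizationAccountAccessRole

organizationalUnits:
  Root:
    # Bootstrap config sets are attached to the OU, not defined here.
    bootstrapConfigSets:
      - bootstrap
    # Resolution order 2: overrides the top-level name for accounts in this OU.
    accountBootstrapRoleName: OrgBootstrapRole
    accounts:
      - id: "222222222222"
        # Resolution order 1: the account-level name wins over OU and top-level values.
        # Must be a plain role name, never an IAM role ARN.
        accountBootstrapRoleName: AccountBootstrapRole
      - id: "333333333333"
        # No account-level name: resolves to OrgBootstrapRole from the OU.
```

If every accountBootstrapRoleName and accountCreation.defaults.roleName were removed, Takomo would fall back to OrganizationAccountAccessRole for both accounts.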
Command Line Usage
The bootstrap config sets are deployed using the bootstrap accounts command.
The bootstrap configuration is removed using the teardown accounts command.
Both commands let you review the deployment plan and decide whether you want to proceed with the deployment.