Using Cloud Custodian with assumed STS roles, and multi-region support

[James Wilcox]

Hi there

I am trying to set up a centralised, single copy of CC in our environment. We have multiple AWS accounts and want to run a single copy of CC in one AWS account on an EC2 instance. This EC2 instance has an IAM role applied which allows STS assume role to switch to N other AWS accounts that we own. We want it to run CC and report back/take actions on the resources in each account.

I am unable to find where I can supply the STS role information when running CC from the CLI.

I would also like to specify that CC runs in all regions - this is the command line I'm using for a single region and want to run edit it to run across every region. Do I need to run the same line multiple times, supplying a different region each time?

custodian run -c config.yml -s report1 --region us-west-2 --cache us-west-2

Thanks in advance

James.

[Mandeep Bal]

Hi James,

Great question! You can pass an assume option via `--assume="arn:aws:iam::00000000000:role/CloudCustodian"`. The command below is one that we're using for running custodian via cron. One thing to watch for is the cache file when your running against multiple accounts. The cache file can handle multiple regions but you'll need a separate cache for each account. Please let me know if you have anymore questions. We're usually hanging out in our gitter.im channel( https://gitter.im/capitalone/cloud-custodian).

/usr/local/custodian/bin/custodian run \

  --cache-period=15 \
  --cache /home/custodian/.accountname.cache \

  -v \

  -m \

  -l /cloud-custodian/sts-prod/us-east-1 \

  -s s3://mybucketnamehere/accounts/aws-account-name-here/us-east-1/policies \

  --assume="arn:aws:iam::00000000000:role/Custodian" \

  -c /etc/custodian/policies/hourly.yml &>> /var/log/custodian/hourly.log

[James Wilcox]

Thanks Mandeep, I have managed to successfully assume a role in another account using the --assume argument. I have posted a separate couple of questions in Gitter too.

James.