Customize your GorillaStack Cross-Account Role

Chris Armstrong | Thu, 13 Dec 2018

If you've recently signed up or added any new accounts, you may have noticed some changes to the account setup process. These changes have been pushed out over the past month or so, but today we released the most useful of them: you can now customize the cross-account role that is installed in your AWS account.

This change lets you select only the actions and triggers you want to use with your account, which is useful when you want to limit the IAM role to just the permissions your environment requires.

[Screenshot: Customisation]

Under the hood, this new option uses a new CloudFormation template generation system, where a template is specifically created with all the code needed to connect GorillaStack to your environment with the right permissions.

You could do this by hand before if you understood CloudFormation, but the new method works through the GorillaStack interface and calculates the required permissions for you automatically. You can still customize the generated template further if you wish (e.g. attach extra conditions to restrict the resources that are affected), but such changes are not detected in the user interface and may affect rule execution if not done correctly.
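As an added illustration (not the template GorillaStack generates), here is a minimal cross-account role of the kind described above: the trust relationship is locked to an external ID, and the mutating EC2 actions are restricted by a tag condition. The trusted account ID, the external ID and the tag key are placeholders chosen for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Illustrative cross-account role scoped to EC2 start/stop on tagged instances.
  Not the GorillaStack-generated template; account ID, external ID and tag key
  are placeholders.
Parameters:
  TrustedAccountId:
    Type: String
    Description: AWS account ID of the platform that will assume this role (placeholder)
  ExternalId:
    Type: String
    NoEcho: true
    Description: Value the caller must present as sts:ExternalId in AssumeRole (placeholder)
Resources:
  CrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: example-cross-account-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Only the trusted account may assume the role, and only with the external ID
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${TrustedAccountId}:root
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: scheduled-instance-control
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Describe calls do not support resource-level permissions, so they need '*'
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeTags
                Resource: '*'
              # Mutating actions are limited to instances carrying an opt-in tag (example key)
              - Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                Resource: !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
                Condition:
                  StringEquals:
                    ec2:ResourceTag/ScheduleManaged: 'true'
```

An extra condition such as the tag restriction above is exactly the kind of change the interface cannot see, so a rule targeting an untagged instance would fail at execution time rather than in the form.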

Customising your cross-account role

New AWS Accounts: When you set up your new account, you will be presented with a new screen. Instead of clicking Get Started, select the Customize link to start the customization process.

[Screenshot: Select Customise]

Existing AWS Accounts: You can update the cross-account role in the GorillaStack web application:

  1. Start by clicking on your team name in the top-left corner and going to Platforms. [Screenshot: Select Platforms]
  2. Then, on the Platforms screen, click the menu next to the account and select Update Account Setup. [Screenshot: Select Update Account Setup]
  3. Finally, select the Customize link instead of Get Started to start the customisation process. [Screenshot: Select Customize]

Rules Form Changes

Alongside the customizable account setup, we have also made some changes to the rules setup.

The first change you'll notice when setting up your rules is that the actions and triggers views are now categorized by AWS product.

[Screenshot: triggers screen]

[Screenshot: actions screen]

Now when you select actions in a new rule, the Add Rule form takes into account whether that action is available on the accounts selected in the Context view.

If none of the selected accounts support the trigger or action, it will be hidden from view. You can select Show unavailable triggers/actions to see it again.

[Screenshot: Show unavailable triggers]

On the other hand, if only some of the selected accounts support the feature, you will see a warning before you save the rule. You will still be able to save it, but the rule may fail to execute on the accounts that lack the permission.

[Screenshot: rule warning]

New Account Status

Another change you will notice once you have upgraded to the new account setup system is the new Account Status page and popover. It now shows you a summary of the actions and triggers you have selected, along with the count of permissions in the template. You can expand each section for a full list.

[Screenshot: Account Status]
