Customize your GorillaStack Cross-Account Role

Chris Armstrong | Changelog

If you have recently signed up or added any new accounts, you may have noticed some changes to the account setup process. These changes have been pushed out over the past month or so, but today we released the most useful of them: you can now customize the cross-account role that is installed in your AWS account.

This change lets you select only the actions and triggers you want to use with your account, which is useful when you want to limit the IAM role to the permissions that are actually required for your environment.

Under the hood, this option uses a new CloudFormation template generation system: a template is created specifically for your selection, containing everything needed to connect GorillaStack to your environment with exactly the permissions that selection requires.

You could already do this by hand if you understand CloudFormation, but the new method works through the GorillaStack interface and calculates the required permissions automatically for you. You can still customize the generated template further if you wish (e.g. attach extra conditions to restrict the resources that are affected), but such edits are not detected in the user interface and may cause rule execution to fail if not done correctly.
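To illustrate the kind of template this generates and the sort of extra condition you might attach by hand, here is an added example (not GorillaStack's own generated template): a cross-account role whose trust policy requires an ExternalId, and whose only permissions are EC2 describe/start/stop, with start and stop further restricted to instances carrying a tag. The trusted account ID, ExternalId, role name and tag key are placeholders, not real GorillaStack values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example least-privilege cross-account role (constructed illustration).
  Trusts one external account via ExternalId and allows only the EC2
  actions a start/stop scheduling rule would need, scoped by resource tag.
Parameters:
  TrustedAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
    Description: Placeholder for the platform's AWS account ID (not a real value)
  ExternalId:
    Type: String
    NoEcho: true
    Description: Placeholder shared secret the platform must present on AssumeRole
Resources:
  CrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: example-cross-account-role   # hypothetical name
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${TrustedAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId   # defeats the confused-deputy case
      Policies:
        - PolicyName: ec2-start-stop-tagged-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Describe calls do not support resource-level permissions, so "*" is required here
              - Sid: ReadOnlyDescribe
                Effect: Allow
                Action: ec2:DescribeInstances
                Resource: "*"
              # Mutating calls are limited to instances in this account that carry the opt-in tag
              - Sid: StartStopTaggedInstancesOnly
                Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                Resource: !Sub "arn:aws:ec2:*:${AWS::AccountId}:instance/*"
                Condition:
                  StringEquals:
                    aws:ResourceTag/ManagedBy: example-scheduler   # hypothetical tag
Outputs:
  RoleArn:
    Value: !GetAtt CrossAccountRole.Arn
```

Deploying a hand-tightened template like this is fine, but as noted above the interface will not know about the extra tag condition, so a rule targeting an untagged instance will be accepted and then fail at execution time.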

Customizing your cross-account role

New AWS Accounts: When you set up your new account, you will be presented with a new screen. Instead of clicking Get Started, select the Customize link to start the customization process.

Existing AWS Accounts: You can update the cross-account role in the GorillaStack web application.

  1. Start by clicking on your team name in the top-left corner and going to Platforms.
  2. On the Platforms screen, click the menu next to the account and select Update Account Setup.
  3. Finally, select the Customize link instead of Get Started to start the customization process.

Rules Form Changes

As a consequence of customizable account setup, we have also made some changes to the rules setup.

The first change you will notice when setting up your rules is that the actions and triggers views are now categorized by AWS product.

Now when you select actions in a new rule, the Add Rule form takes into account the availability of that action on the selected accounts in the Context view.

If none of the accounts selected support the trigger or action, it will be hidden from the view. You can select Show unavailable triggers/actions to see them again.

On the other hand, if some of the selected accounts don’t support the feature, you will see a warning before you save the rule. You will still be able to save it, but the rule may fail execution for the specified accounts.

New Account Status

Another change you will notice once you have upgraded to the new account setup system is the new Account Status page and popover. It now shows you a summary of the actions and triggers you have selected, along with the count of permissions that are in the template. You can expand each section for a full list.
