## Background
Whenever you are starting a new production-quality project on AWS, you will need to provision some baseline resources in order to facilitate deployment of application code/resources and [[CICD]] pipelines.
What distinguishes baseline resources is that they can have security implications and/or incur significant costs if they are not closely managed.
Depending on the setup of your organization, the engineer performing this installation may be an application developer (e.g. in small orgs or cross-functional teams), or an ops engineer from a dedicated platform team who oversees the provisioning of these key resources (in bigger orgs).
Since [[Distinct product environments should be isolated within their own AWS account]], this process will need to be performed in several accounts. Using [[AWS IAM Identity Center|AWS Single Sign-On]] (SSO) for this means that a single SSO user can be used across all of them, rather than creating an IAM user within each target account.
## List of baseline resources
The following resources are examples of what would be considered "baseline" resources:
- [[AWS IAM|IAM]] resources: Group, Role, ManagedPolicy
- [[AWS KMS|KMS]] keys
- [[AWS ACM|ACM]] certificates
## Pre-requisites
- An [[AWS Organizations]] Organization resource has been set up and individual accounts provisioned beneath it
- An SSO user who will perform the baseline install has been set up within [[AWS Organizations]]
- [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) has been installed on the installing user's workstation (v1 doesn't support [[AWS IAM Identity Center]])
- The set of baseline resources required has been defined within a [[AWS CloudFormation]] template
## Steps
### 1. Configure named per-account AWS CLI profiles for SSO user
[Follow these instructions](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) to configure the CLI for SSO. Make sure to create named profiles in your `~/.aws/config` file for each target account where you wish to install resources.
In the examples below, I use the `$AppName_$UserRole_$AccountCode` naming convention for the named CLI profile, where `$AccountCode` can be `dev`, `prod`, `tools`, etc (see also: [[Naming conventions for AWS CLI profiles]]).
Also in these examples, I'm using `$UserRole` = `OrgAdmin`, as this is for a user who has (near-) admin permissions in the accounts within the AWS Organization.
### 2. Login using named SSO profile
Run the following to log in to the `tools` account (update `ACCOUNT_NAME` if you wish to connect to a different target account):
```sh
export APP_NAME="MyApp" # replace this with the name of your product/project/app (used to prefix resource names)
export ACCOUNT_NAME="tools"
export AWS_PROFILE="${APP_NAME}_orgadmin_${ACCOUNT_NAME}"
aws sso login --profile "$AWS_PROFILE"
```
Follow any prompts in the CLI and browser to complete the login.
### 3. Install CloudFormation stack(s)
Within the same terminal, run the following CLI command to install your CloudFormation stack (replacing the path and/or stack name as appropriate):
```sh
aws cloudformation deploy \
  --template-file ./stacks/iam-cicd-maintainer.yml \
  --stack-name "$APP_NAME-iam-cicd-maintainer" \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides "AppName=$APP_NAME"
```
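Steps 1 to 3 combined into one script, added here as an example and not the page's own code: it builds the profile name from the `$AppName_$UserRole_$AccountCode` convention, and before deploying it checks that the logged-in credentials actually resolve to the expected account ID, so a mistyped profile cannot land the IAM stack in the wrong account. The account IDs in `expected_account_id` are constructed placeholders and the function names are this example's own.

```sh
#!/bin/sh
# Added example: deploy the baseline stack into several accounts, refusing to
# deploy when the SSO profile resolves to an unexpected account.

# Map $AccountCode -> expected 12-digit account ID (constructed placeholders).
expected_account_id() {
  case "$1" in
    dev)   echo "111111111111" ;;
    prod)  echo "222222222222" ;;
    tools) echo "333333333333" ;;
    *)     return 1 ;;
  esac
}

# Build the named CLI profile per the $AppName_$UserRole_$AccountCode convention.
profile_name() {
  printf '%s_%s_%s\n' "$1" "$2" "$3"
}

# True only when the resolved account ID is non-empty and equals the expected one.
account_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Log in with the profile, verify the caller identity, then deploy the stack.
deploy_baseline() {
  app="$1"; role="$2"; acct="$3"; template="$4"
  profile=$(profile_name "$app" "$role" "$acct")
  expected=$(expected_account_id "$acct") || { echo "unknown account code: $acct" >&2; return 1; }
  aws sso login --profile "$profile"
  actual=$(aws sts get-caller-identity --profile "$profile" --query Account --output text)
  if ! account_matches "$expected" "$actual"; then
    echo "refusing to deploy: $profile resolves to account '$actual', expected $expected" >&2
    return 1
  fi
  aws cloudformation deploy --profile "$profile" \
    --template-file "$template" \
    --stack-name "$app-iam-cicd-maintainer" \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameter-overrides "AppName=$app"
}

# Usage: sh baseline.sh MyApp orgadmin dev tools prod
if [ "$#" -ge 3 ]; then
  app="$1"; role="$2"; shift 2
  for acct in "$@"; do
    deploy_baseline "$app" "$role" "$acct" ./stacks/iam-cicd-maintainer.yml || exit 1
  done
fi
```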