This section describes how to configure the IAM roles that use the Principal ID and External ID shown in the CSP.
Configuring IAM Role
Create a Role (AssumeRole).
Select AWS Account: Another AWS account.
Enter the Principal ID as shown in CSP.
Select the checkbox Require external ID under Options. This is a best practice when a third party will assume this role: the External ID condition prevents the confused-deputy problem, where the third party could be tricked into assuming your role on behalf of another customer.
Enter the External ID as shown in CSP.
Permissions:
Attach the policy as specified in the section Permissions required in AWS R53.
Attach AWSOrganizationsReadOnlyAccess to discover accounts.
Attach the policy created in Step 1.
Tags: This is optional. Provide some meaningful tags.
Role Name: Specify the role name as infoblox_discovery.
Click Create Role.
Configuration in AWS Sub-accounts
Create Role (AssumeRole)
In Select type of trusted entity, configure the following:
Select AWS Account: Select Another AWS account.
Enter the Principal ID as shown in CSP.
Select the checkbox Require external ID under Options. This is a best practice when a third party will assume this role.
Enter the External ID as shown in CSP.
Permissions: Configure the following permissions:
Attach Policy: Attach the policy that has permissions required for R53 sync (R53ReadWrite access).
Tags: This is optional. Provide some meaningful tags.
Role Name: Specify the same name as provided in step 3.d.
Click Create Role.
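The trust relationship that both procedures above produce (management account and sub-accounts alike) is shown here as an added example; it is not part of this page or of the CSP product. The account ID and External ID are constructed placeholders, and the audit function is an assumed helper for checking that an existing role's trust policy still requires the External ID.

```python
import json
from typing import Optional

# Constructed placeholders: the real values are the ones displayed in the CSP.
CSP_PRINCIPAL_ACCOUNT = "123456789012"   # Principal ID shown in CSP (an AWS account ID)
CSP_EXTERNAL_ID = "example-external-id"  # External ID shown in CSP


def trust_policy(principal_account: str, external_id: str) -> dict:
    """Trust (AssumeRole) policy equivalent to choosing 'Another AWS account',
    entering the principal, and ticking 'Require external ID' in the console."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def requires_external_id(policy: dict, expected: Optional[str] = None) -> bool:
    """Audit check (assumed helper): True only if every Allow statement granting
    sts:AssumeRole to an AWS principal carries a StringEquals condition on
    sts:ExternalId, matching `expected` when one is given. Run it over trust
    policies fetched from IAM to find roles created without the checkbox."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        if "AWS" not in stmt.get("Principal", {}):
            continue  # service principals do not use external IDs
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None or (expected is not None and ext != expected):
            return False
    return True


if __name__ == "__main__":
    doc = trust_policy(CSP_PRINCIPAL_ACCOUNT, CSP_EXTERNAL_ID)
    print(json.dumps(doc, indent=2))
    print("requires external id:", requires_external_id(doc, CSP_EXTERNAL_ID))
```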