Configuring the IAM User
An IAM user is an entity that represents a person or application that interacts with AWS. It has specific credentials and permissions attached to it, like roles, to control access.
Configuring Assume Role Policy
To include an AWS sub-account in the Route53 sync, the AWS Role ARN is a mandatory parameter. The credentials and the role ARN require AssumeRole permissions.
Complete the following steps to create the IAM policy, user, and role in AWS:
1. Create a policy with the following settings:
   - Choose service: Choose STS.
   - Actions: Choose AssumeRole (Write Access).
   - Resources: Add ARN, choose Any account, and specify the Role Name.
   - Add and Review Policy: Specify a Name and click Create Policy.
The resulting policy document is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/demorole"
            ]
        }
    ]
}
2. Create a user and attach the policy to the user.
3. Create a Role (AssumeRole) with the following settings:
   - Select AWS Account: This account.
   - Permissions: Attach the policy as specified in the section Permissions required in AWS R53, and attach AWSOrganizationsReadOnlyAccess to discover accounts.
   - Tags: Optional. Provide meaningful tags.
   - Role Name: Specify a name for the role.
   - Click Create Role.
Configuration in AWS sub-accounts
The steps in this section must be configured on the Trusting/Sub-account.
To create a role with the proper permissions, complete the following steps for IAM Create Role (AssumeRole):
1. In Select type of trusted entity, configure the following:
   - Select AWS Account: Select Another AWS account.
   - Provide the Account ID of the Trusted/Management account.
2. Permissions: Attach the policy as specified in the section Permissions required in AWS R53.
3. Tags: Optional. Provide meaningful tags.
4. Role Name: Specify the IAM role that you just created.
5. Click Create Role.
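The cross-account setup above only works when two documents agree: the sts:AssumeRole policy attached to the IAM user in the management account must name the sub-account role's ARN, and the trust policy of the role created in the sub-account (what the console generates when you choose Another AWS account and enter the management Account ID) must name the management account as a principal. The following added example, which is not part of this page or the product's own code, builds both documents from constructed placeholder account IDs and checks that they line up, using the same wildcard resource pattern as the policy shown above and, optionally, a version pinned to a single sub-account. The trust-policy shape is the standard one the AWS console produces for an account principal.

```python
import fnmatch
import json

# Constructed placeholder values for this example; replace with your own.
MANAGEMENT_ACCOUNT_ID = "111111111111"  # trusted/management account (holds the IAM user)
SUB_ACCOUNT_ID = "222222222222"         # trusting/sub-account (holds the role)
ROLE_NAME = "demorole"                  # role name used in the policy on this page


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of an IAM role in the given account."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assume_role_policy(role_name: str, account_id: str = "*") -> dict:
    """Identity policy for the IAM user in the management account.

    account_id="*" reproduces the page's wildcard ("Any account");
    passing the sub-account ID pins the grant to one account instead.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": ["sts:AssumeRole"],
                "Resource": [role_arn(account_id, role_name)],
            }
        ],
    }


def trust_policy(trusted_account_id: str) -> dict:
    """Trust policy of the sub-account role when the trusted entity is
    'Another AWS account' with the management account's ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return [value] if isinstance(value, str) else list(value)


def user_may_assume(user_policy: dict, target_role_arn: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole on the target ARN.
    IAM resource patterns use * and ? wildcards, which fnmatch reproduces."""
    for stmt in user_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if any(fnmatch.fnmatchcase(target_role_arn, p) for p in _as_list(stmt.get("Resource", []))):
            return True
    return False


def role_trusts_account(role_trust: dict, caller_account_id: str) -> bool:
    """True if the role's trust policy lists the caller's account as a principal."""
    for stmt in role_trust["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            parts = principal.split(":")  # arn:aws:iam::<account-id>:root -> field 4
            if principal == caller_account_id or (len(parts) > 4 and parts[4] == caller_account_id):
                return True
    return False


def can_assume(user_policy: dict, role_trust: dict, caller_account_id: str, target_role_arn: str) -> bool:
    """Cross-account AssumeRole succeeds only when both halves agree."""
    return user_may_assume(user_policy, target_role_arn) and role_trusts_account(role_trust, caller_account_id)


if __name__ == "__main__":
    print(json.dumps(assume_role_policy(ROLE_NAME, SUB_ACCOUNT_ID), indent=4))
    print(json.dumps(trust_policy(MANAGEMENT_ACCOUNT_ID), indent=4))
    print(can_assume(assume_role_policy(ROLE_NAME), trust_policy(MANAGEMENT_ACCOUNT_ID),
                     MANAGEMENT_ACCOUNT_ID, role_arn(SUB_ACCOUNT_ID, ROLE_NAME)))
```

The wildcard account in the page's policy lets the user attempt sts:AssumeRole against a role called demorole in any account; the role only becomes assumable once its trust policy names your management account, so the trust side is the real boundary. Pinning the Resource to the sub-account ID, as the pinned variant shows, keeps the user's grant from reaching roles of the same name elsewhere.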