Setup permissions for Stack Sets Operations

Doc ID: cf00dcb1-0886-11ed-bb32-fa163e15d75b:666951

To add multiple AWS accounts, the administrator account needs permission to create, update, and delete stack sets in every target account. This is a trust relationship: an IAM role must be created in the administrator account and in each target account, and the administration role in the administrator account assumes the execution role in each target account to perform the stack operations there. Amazon simplifies this with two AWS CloudFormation templates. Both steps must be completed to establish the trust relationship between the administrator and target accounts, so complete step 1 and step 2 before proceeding with the CloudFormation installation in FortiCNP.

Step 1 - Create IAM role for administrator account

  1. From the AWS Services menu, search for and open CloudFormation.
  2. Click Stacks in the left navigation menu.
  3. Click Create stack and select With new resources (standard).
  4. In the Specify template section, select Amazon S3 URL, enter the following URL, and click Next: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml
  5. In the Stack name field, enter any stack name, then click Next.
  6. On Step 3: Configure stack options, scroll to the bottom and click Next.
  7. On Step 4: Review, scroll to the bottom, select the checkbox acknowledging that AWS CloudFormation may create IAM resources, then click Create stack to complete the process.

Please note that the IAM role name in the administrator account must be AWSCloudFormationStackSetAdministrationRole. The template creates the role under exactly that name; do not rename it, because the execution roles in the target accounts are trusted against it.

Step 2 - Create IAM role for each target account

  1. From the AWS Services menu, search for and open CloudFormation.
  2. Click Stacks in the left navigation menu.
  3. Click Create stack and select With new resources (standard).
  4. In the Specify template section, select Amazon S3 URL, enter the following URL, and click Next: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml
  5. In the Stack name field, enter any stack name.
  6. In the Parameters section, enter the account ID of the administrator account that this target account should trust, then click Next.
  7. On Step 3: Configure stack options, scroll to the bottom and click Next.
  8. On Step 4: Review, scroll to the bottom, select the checkbox acknowledging that AWS CloudFormation may create IAM resources, then click Create stack to complete the process.

The stack creates the IAM role AWSCloudFormationStackSetExecutionRole in the target account, trusting only the administrator account ID you entered. Enter that ID carefully: any principal that can assume this role can create, update, and delete resources in the target account, and the AWS sample template attaches broad, administrator-level permissions to it. Review those permissions and scope them down to the services your stack set templates actually need before using the role in production.

Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html

After the IAM roles have been created in both the administrator and target accounts, return to FortiCNP to add the target accounts using CloudFormation. You can also supply a CSV file of target account numbers separated by commas, for example: 1234567,2345678,3456789 (real AWS account IDs are 12 digits).
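The two console procedures above expressed as AWS CLI calls, followed by a check that the execution role in a target account trusts only the intended administrator account. This is an added example, not Fortinet's or AWS's code. It assumes the AWS CLI v2 is installed with credentials for the account being acted on (run setup_admin_role in the administrator account and setup_execution_role in each target account), that the sample execution-role template's parameter is named AdministratorAccountId, and that the stack names StackSetAdministrationRole and StackSetExecutionRole are arbitrary choices. check_trust_principals and split_account_csv are pure functions that run offline; the constructed inputs they are shown with stand in for the text output of aws iam get-role and for a FortiCNP CSV entry.

```shell
#!/bin/sh
# Added example (not Fortinet's or AWS's code): AWS CLI equivalent of the
# stack set role setup above, plus a trust-policy check. Assumes AWS CLI v2
# and credentials for the account each function is run in.
set -eu

ADMIN_TEMPLATE="https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml"
EXEC_TEMPLATE="https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml"

# AWS account IDs are exactly 12 digits. Reject anything else before it is
# baked into a trust policy or a FortiCNP target list.
is_account_id() {
  case "$1" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Normalise a comma-separated target list (the CSV form FortiCNP accepts)
# into one ID per line, failing on the first malformed entry.
split_account_csv() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | while IFS= read -r id; do
    [ -n "$id" ] || continue            # tolerate a trailing comma
    is_account_id "$id" || { echo "invalid account id: '$id'" >&2; exit 1; }
    printf '%s\n' "$id"
  done
}

# Step 1 equivalent, run in the administrator account. CAPABILITY_NAMED_IAM
# is the CLI form of the "acknowledge IAM resources" checkbox and is required
# because the template creates a role with a fixed name.
setup_admin_role() {
  aws cloudformation create-stack \
    --stack-name StackSetAdministrationRole \
    --template-url "$ADMIN_TEMPLATE" \
    --capabilities CAPABILITY_NAMED_IAM
  aws cloudformation wait stack-create-complete --stack-name StackSetAdministrationRole
}

# Step 2 equivalent, run in each target account. The parameter name
# AdministratorAccountId is assumed from the AWS sample template.
setup_execution_role() {
  admin_id="$1"
  is_account_id "$admin_id" || { echo "bad administrator account id: '$admin_id'" >&2; return 1; }
  aws cloudformation create-stack \
    --stack-name StackSetExecutionRole \
    --template-url "$EXEC_TEMPLATE" \
    --parameters "ParameterKey=AdministratorAccountId,ParameterValue=$admin_id" \
    --capabilities CAPABILITY_NAMED_IAM
  aws cloudformation wait stack-create-complete --stack-name StackSetExecutionRole
}

# Pure check: every AWS principal in the execution role's trust policy must
# belong to the expected administrator account. A mistyped ID, a "*" or a
# foreign root ARN would hand administrator-level access in this account to
# the wrong party. Input is whitespace-separated, as "--output text" emits.
check_trust_principals() {
  expected="$1"
  [ -n "$2" ] || { echo "trust policy has no AWS principal" >&2; return 1; }
  printf '%s\n' "$2" | tr ' \t' '\n\n' | while IFS= read -r p; do
    [ -n "$p" ] || continue
    case "$p" in
      "$expected"|"arn:aws:iam::${expected}:root"|"arn:aws:iam::${expected}:role/AWSCloudFormationStackSetAdministrationRole") ;;
      *) echo "unexpected principal in trust policy: $p" >&2; exit 1 ;;
    esac
  done
}

# Post-creation check, run in the target account after setup_execution_role.
verify_execution_trust() {
  principals=$(aws iam get-role \
    --role-name AWSCloudFormationStackSetExecutionRole \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Principal.AWS' \
    --output text)
  check_trust_principals "$1" "$principals"
}

# Usage:
#   setup_admin_role                       # in the administrator account
#   setup_execution_role 123456789012      # in each target account
#   verify_execution_trust 123456789012    # in each target account
#   split_account_csv "123456789012,234567890123" > targets.txt
```

check_trust_principals accepts the bare account ID as well as the account's root ARN because IAM stores a bare ID principal as the root ARN, and it also accepts a trust scoped down to the administration role itself, which is the tighter configuration to aim for.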