Cross-account access roles for Reachability Analyzer
When you enable trusted access for Reachability Analyzer, we use AWS CloudFormation StackSets to deploy the IAMRoleForReachabilityAnalyzerCrossAccountResourceAccess IAM role to all member accounts in the organization. This role allows the management account and delegated administrator accounts to specify resources from member accounts in path analyses.
Reachability Analyzer creates the custom IAM role automatically when you turn on trusted access using the Network Manager console. We strongly recommend that you use the console to turn on trusted access, as alternate approaches require an advanced level of expertise and are more prone to error.
Deregistering a delegated administrator removes it from the account list so that it can no longer assume this custom IAM role. If you turn off trusted access, we delete the StackSets.
IAMRoleForReachabilityAnalyzerCrossAccountResourceAccess
This IAM role grants the management account and delegated administrator accounts cross-account read-only access to member-account resources through role switching (sts:AssumeRole). For more information, see AmazonEC2ReadOnlyAccess.
AWSTemplateFormatVersion: '2010-09-09'
Description: Enables Console Access role
Resources:
  ConsoleRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: IAMRoleForReachabilityAnalyzerCrossAccountResourceAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::management-account-id:root
                - arn:aws:iam::delegated-admin-1-account-id:root
                - arn:aws:iam::delegated-admin-2-account-id:root
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonVPCReachabilityAnalyzerPathComponentReadPolicy
Manage IAM role deployments
If you make changes to your role policies, or if you've updated a self-managed role, you can deploy the updated policy to the accounts in your organization.
With a self-managed deployment, you are responsible for attaching the required policies and managing the trust relationship required for the delegated administrator and management accounts to use cross-account analyses.
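With a self-managed deployment the trust relationship and the attached policies are yours to keep correct, so it is worth checking each member account's copy of the role against the template above. The following script is an added example, not AWS code: it takes the dict shapes that `aws iam get-role` and `aws iam list-attached-role-policies` print, extracts every principal allowed to call sts:AssumeRole, and reports any drift from the expected management/delegated-administrator accounts and the three documented managed policies. The account IDs in the sample are placeholders, and the "drifted" role is constructed to show what findings look like.

```python
"""Audit a member account's copy of the Reachability Analyzer cross-account
role against the documented template.

Added example (not AWS code). Works on the dict shapes that
`aws iam get-role` and `aws iam list-attached-role-policies` print, so it
runs offline on the constructed sample at the bottom; the account IDs there
are placeholders, not real accounts."""

ROLE_NAME = "IAMRoleForReachabilityAnalyzerCrossAccountResourceAccess"

# Managed policies the documented template attaches.
EXPECTED_POLICIES = {
    "arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonVPCReachabilityAnalyzerPathComponentReadPolicy",
}


def _as_list(value):
    """IAM policy JSON allows a single string where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trusted_principals(trust_policy):
    """Return who may sts:AssumeRole: account IDs for ':root' principals,
    the literal '*' for wildcards, and any other principal ARN unchanged."""
    who = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            who.add("*")
            continue
        for arn in _as_list(principal.get("AWS")):
            parts = arn.split(":")
            if arn == "*":
                who.add("*")
            elif len(parts) == 6 and parts[5] == "root":
                who.add(parts[4])          # arn:aws:iam::<account>:root
            else:
                who.add(arn)               # a user/role ARN: report as-is
    return who


def audit_role(role, attached_policy_arns, expected_accounts):
    """Return a sorted list of (code, detail) findings; an empty list means
    the role matches the template for the given trusted accounts."""
    findings = []
    if role.get("RoleName") != ROLE_NAME:
        findings.append(("WRONG_NAME", str(role.get("RoleName"))))
    trusted = trusted_principals(role["AssumeRolePolicyDocument"])
    for p in trusted - expected_accounts:
        findings.append(("UNEXPECTED_PRINCIPAL", p))
    for p in expected_accounts - trusted:
        findings.append(("MISSING_PRINCIPAL", p))
    attached = set(attached_policy_arns)
    for arn in attached - EXPECTED_POLICIES:
        findings.append(("UNEXPECTED_POLICY", arn))
    for arn in EXPECTED_POLICIES - attached:
        findings.append(("MISSING_POLICY", arn))
    return sorted(findings)


# --- constructed sample (placeholder account IDs) -------------------------
EXPECTED_ACCOUNTS = {"111111111111", "222222222222"}  # management + delegated admin


def _role(*account_ids):
    return {
        "RoleName": ROLE_NAME,
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
                "Action": "sts:AssumeRole",
            }],
        },
    }


GOOD_ROLE = _role("111111111111", "222222222222")
GOOD_ATTACHED = sorted(EXPECTED_POLICIES)

# Drifted copy: an extra trusted account, a missing read policy, and an
# administrative policy attached by hand.
DRIFTED_ROLE = _role("111111111111", "222222222222", "333333333333")
DRIFTED_ATTACHED = [
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess",
    "arn:aws:iam::aws:policy/AdministratorAccess",
]

if __name__ == "__main__":
    print("good:", audit_role(GOOD_ROLE, GOOD_ATTACHED, EXPECTED_ACCOUNTS))
    for code, detail in audit_role(DRIFTED_ROLE, DRIFTED_ATTACHED, EXPECTED_ACCOUNTS):
        print(f"{code}: {detail}")
```

To run this against a real member account, feed `audit_role` the `Role` object from `iam.get_role(RoleName=...)` and the `PolicyArn` values from `iam.list_attached_role_policies(RoleName=...)`; any `UNEXPECTED_PRINCIPAL` finding means an account outside your management/delegated-administrator set can assume the role and should be investigated before the role is used for path analyses.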
Troubleshoot self-managed role deployments
If the StackSets deployment to an account fails and the message is "IAM role exists", delete the IAM role from the member account and then retry the role deployment in the management account.
To retry the IAM role deployments
1. Sign in to the management account.
2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.
3. From the navigation pane, choose Reachability Analyzer, Settings.
4. Under IAM role deployments status, choose Retry role deployment. The deployments can take several minutes to complete, depending on the number of member accounts in your organization.
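Deleting the pre-existing role in the member account is the part of this procedure that most often fails by hand, because IAM refuses DeleteRole while managed or inline policies are still attached. The helper below is an added example, not AWS code: it detaches the managed policies, deletes any inline policies, and then deletes the role, using the standard boto3 IAM client methods (`list_attached_role_policies`, `detach_role_policy`, `list_role_policies`, `delete_role_policy`, `delete_role`). The `FakeIam` class is a constructed stand-in so the block can be dry-run offline; for a real run in the member account, pass `boto3.client("iam")` instead.

```python
"""Remediation helper for the "IAM role exists" StackSets failure: remove
the pre-existing role from the member account so the retried deployment in
the management account can recreate it.

Added example, not AWS code. `iam` is any object exposing the boto3 IAM
client methods used below; pass boto3.client("iam") for a real run, or the
constructed FakeIam to dry-run offline."""

ROLE_NAME = "IAMRoleForReachabilityAnalyzerCrossAccountResourceAccess"


def remove_role(iam, role_name=ROLE_NAME):
    """Detach managed policies, delete inline policies, then delete the role.
    IAM rejects DeleteRole while either kind of policy remains, which is the
    usual reason a manual delete of this role fails.
    Returns the ordered list of actions taken, for logging or review."""
    actions = []
    # A role with many policies would need iam.get_paginator(...); the
    # template attaches three, so a single call is enough here.
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    for pol in attached:
        iam.detach_role_policy(RoleName=role_name, PolicyArn=pol["PolicyArn"])
        actions.append(("detach", pol["PolicyArn"]))
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        iam.delete_role_policy(RoleName=role_name, PolicyName=name)
        actions.append(("delete_inline", name))
    iam.delete_role(RoleName=role_name)
    actions.append(("delete_role", role_name))
    return actions


class FakeIam:
    """Constructed stand-in for the boto3 IAM client: just enough state to
    reproduce the DeleteConflict behaviour and to show the call order."""

    def __init__(self, managed, inline):
        self.roles = {ROLE_NAME: {"managed": set(managed), "inline": set(inline)}}

    def list_attached_role_policies(self, RoleName):
        arns = sorted(self.roles[RoleName]["managed"])
        return {"AttachedPolicies": [{"PolicyArn": a} for a in arns]}

    def detach_role_policy(self, RoleName, PolicyArn):
        self.roles[RoleName]["managed"].remove(PolicyArn)

    def list_role_policies(self, RoleName):
        return {"PolicyNames": sorted(self.roles[RoleName]["inline"])}

    def delete_role_policy(self, RoleName, PolicyName):
        self.roles[RoleName]["inline"].remove(PolicyName)

    def delete_role(self, RoleName):
        role = self.roles[RoleName]
        if role["managed"] or role["inline"]:
            raise RuntimeError("DeleteConflict: role still has attached policies")
        del self.roles[RoleName]


if __name__ == "__main__":
    fake = FakeIam(
        managed=["arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
                 "arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess"],
        inline=["LeftoverInlinePolicy"],   # constructed name
    )
    for action in remove_role(fake):
        print(*action)
```

Run it with credentials for the member account that reported the failure, then retry the role deployment from the management account as described above; the returned action list is a convenient thing to attach to the change record.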
For a message other than "IAM role exists", open a case with AWS Support. For more information, see Creating a support case in the AWS Support User Guide.