Configure AWS Cross-account using SSM Command

0

I have a script that is running in account A that updates the application in Beanstalk. I want to run the same script from account A to update the Beanstalk application in account B using SSM or any other tool that could accomplish this task.

I need to know what SSM command to invoke for the cross-account in the script below:

#!/bin/bash

# Walk the environment-variable list and take the value after "=" from the
# entry that names the Parameter Store path. The array expansion is quoted so
# a value containing spaces is not split into several entries.
for i in "${eb_env_vars[@]}"
do
    if [[ $i == *"parameter_store_path"* ]]; then
        parameter_store_path=$(printf '%s\n' "$i" | grep -Po '[^=]*$')
    fi
done

Your help would be greatly appreciated!

1 Answer
0

To use SSM to update a Beanstalk application in another account, you will need to use the aws ssm send-command command. The basic format of the command is:

aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --parameters commands="command-to-run" \
    --targets "Key=instanceids,Values=instance-id" \
    --region "region" \
    --profile "profile-name"

You'll need to replace command-to-run with the command you want to run on the Beanstalk instance. The --targets option can be used to specify the ID of the Beanstalk instance.

To run this command across multiple accounts, you can use AWS Organizations to create a service control policy (SCP) to allow access to SSM across accounts.

To do this, you'll need to create an IAM role in account B with permissions to access Beanstalk, and then assume that role in account A using the sts:AssumeRole action.

You can then use the --role-arn option in the aws ssm send-command command to specify the IAM role in account B.

Here's an example of how you might use the aws ssm send-command command to update a Beanstalk application in another account:

aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --parameters commands="eb deploy --environment my-environment" \
    --targets "Key=instanceids,Values=instance-id" \
    --region "us-east-1" \
    --profile "profile-name" \
    --role-arn "arn:aws:iam::account-B-id:role/beanstalk-role"

Note that you'll need to replace instance-id with the ID of the Beanstalk instance, my-environment with the name of the Beanstalk environment, us-east-1 with the region where the Beanstalk environment is located, profile-name with the name of the profile in account A, and arn:aws:iam::account-B-id:role/beanstalk-role with the ARN of the IAM role in account B.

Make sure that you have the necessary permissions to assume the role in account B and that the role has the necessary permissions to access the Beanstalk application.

It's always a good idea to test these commands in a non-production environment before running them in production.

answered a year ago
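The cross-account flow the answer describes, as an added example that is not part of the question or the answer: assume a role in account B with STS and run aws ssm send-command under the temporary credentials (send-command itself has no --role-arn option). The account id, role name, region and the tag-based targeting of Beanstalk instances are assumptions, and the helper that parses the assume-role output is kept separate so it can be checked on a captured line without calling AWS.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or the answer. Cross-account
# Run Command works by assuming a role in account B with STS and exporting
# the temporary credentials; aws ssm send-command has no --role-arn option.
# Assumed/placeholder values: account B id 222222222222, role
# beanstalk-deployer, region us-east-1. Target instances must run the SSM
# agent under an instance profile that allows it, or they are never reached.
set -euo pipefail

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::222222222222:role/beanstalk-deployer}"
REGION="${REGION:-us-east-1}"

# Turn one line of 'aws sts assume-role ... --output text' (tab-separated
# key, secret, token) into the env vars the CLI reads. Fails closed when the
# token is missing, so a bad response never falls back to account A's creds.
export_creds() {
    local key secret token
    IFS=$'\t' read -r key secret token <<<"$1"
    [[ -n "$token" ]] || { echo "assume-role returned no session token" >&2; return 1; }
    export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
}

# Assume the account-B role using the account-A profile. The session name is
# what account B's CloudTrail records, so name the pipeline, not "test".
assume_role() {
    local profile="$1" session="$2"
    export_creds "$(aws sts assume-role --profile "$profile" --role-arn "$ROLE_ARN" \
        --role-session-name "$session" --duration-seconds 900 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)"
}

# Build the send-command argument list into SSM_ARGS. Instances are selected
# by the tag Beanstalk sets on them, so no instance id is hard-coded, and the
# command is passed as a JSON list so spaces in it are not split.
send_command_args() {
    local env_name="$1" shell_cmd="$2"
    SSM_ARGS=(ssm send-command --region "$REGION"
        --document-name AWS-RunShellScript
        --targets "Key=tag:elasticbeanstalk:environment-name,Values=$env_name"
        --parameters "commands=[\"$shell_cmd\"]"
        --comment "cross-account deploy of $env_name")
}

main() {   # usage: deploy.sh <account-A-profile> <beanstalk-env-name> '<command>'
    assume_role "$1" "beanstalk-deploy-$$"
    send_command_args "$2" "$3"
    aws "${SSM_ARGS[@]}"
}
if [[ $# -eq 3 ]]; then main "$@"; fi
```

The role in account B must trust account A's principal and allow ssm:SendCommand on the tagged instances; the 15-minute session keeps the blast radius of a leaked token small.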
