How to avoid duplicate IAM roles when deploying stackset to multiple regions



I'm deploying a cloudformation template to automate action in response to a Cloudwatch event rule. The template creates:

  1. IAM Role - Lambda Execution
  2. Lambda Function - Remediation
  3. Events Rule - Trigger Lambda
  4. Lambda Permission - Events can Invoke Lambda


When deploying this solution to multiple regions via stackset it results in duplicate IAM roles being created. This seems unnecessary.


How, if possible, might I go about creating the IAM role once per account and having each region's lambda use that single role within the same stackset?

asked 3 years ago229 views
1 Answer
Accepted Answer

My approach has been: tie the role to the "thing" that consumes/needs it, centralizing might seem good but can be dangerous because of a larger impact.

If you're using StackSets, why not set one region as your "main" one and create a condition on the IAM role that only creates it within that region. This way you can still use a single StackSet but only have one IAM role.

Otherwise, you could setup roles within another stack, turn on termination protection and export it's ARN. Something like `FunctionalityX-Lambda-RoleArn".

Personally I try avoid custom resources where they aren't required, especially if you see potentially a lot of updates/changes.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions