SecurityDevOps

Cross-Account IAM Roles for Centralized CI/CD Deployment

Naveen Teja

2/27/2026

Enterprise AWS architectures utilize a multi-account strategy, separating workloads into dedicated accounts like 'Dev', 'Shared Services', and 'Production'. If your CI/CD pipeline (such as Jenkins or GitLab) lives in the Shared Services account, it needs secure access to deploy infrastructure into the Production account.

Hardcoding long-lived access keys for each account into your CI/CD tool is a massive security risk. The AWS well-architected solution is Cross-Account IAM Roles. The CI/CD system runs under an IAM role in its own account; that role is allowed to call sts:AssumeRole on a target role in the Production account, and the target role's Trust Policy in turn names the CI/CD account as a trusted principal.

This generates temporary, short-lived credentials for the deployment process. The target role in the Production account must explicitly trust the Shared Services account ID. Below is the Terraform code for the Production account, creating the deployer role and establishing the cross-account trust relationship.

cross-account-iam.tf
resource "aws_iam_role" "cross_account_deployer" {
  name = "ProdDeployerRole"

  # The Trust Policy allowing the CI/CD account to assume this role
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::111122223333:root" # Shared Services Account ID
        }
      }
    ]
  })
}
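The page shows only the Production side. The following is an added example, not code from the original post, that fills in the Shared Services side (the role the CI/CD runner executes as, plus the identity policy that lets it call sts:AssumeRole on exactly one target ARN) and restates the Production role with a narrower trust: the principal is the single runner role rather than the whole account (the `:root` principal on the page trusts every identity in 111122223333 that itself has sts:AssumeRole permission), and an ExternalId condition is required. The role name `SharedCiRunnerRole`, the account ID 999999999999, the variable names, the provider aliases and the EC2 service principal for the runner are all assumptions made for the example; the two halves belong to different accounts and are tied to those accounts here with provider aliases.

```hcl
# Provider aliases stand in for the two accounts; how each alias authenticates
# (profiles, assume_role blocks) is omitted and assumed to be configured.
provider "aws" {
  alias  = "shared" # Shared Services account 111122223333
  region = "us-east-1"
}

provider "aws" {
  alias  = "prod"   # Production account (constructed placeholder ID below)
  region = "us-east-1"
}

variable "prod_account_id" {
  default = "999999999999" # constructed placeholder, not a real account
}

variable "deployer_external_id" {
  type      = string
  sensitive = true # shared secret the pipeline must present on AssumeRole
}

# ---- Shared Services account -------------------------------------------------

# Role the CI/CD runner itself runs as. Its own trust is for the runner's
# compute (EC2 assumed here); no human or static key is involved.
resource "aws_iam_role" "ci_runner" {
  provider = aws.shared
  name     = "SharedCiRunnerRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# The identity policy half of the hop: the runner may assume one specific
# role ARN and nothing else. Without this statement the trust policy on the
# Production side alone is not enough.
resource "aws_iam_role_policy" "ci_runner_assume_prod" {
  provider = aws.shared
  name     = "AssumeProdDeployerRole"
  role     = aws_iam_role.ci_runner.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action   = "sts:AssumeRole"
      Effect   = "Allow"
      Resource = "arn:aws:iam::${var.prod_account_id}:role/ProdDeployerRole"
    }]
  })
}

# ---- Production account ------------------------------------------------------

# Same role as in the post, with the trust narrowed to the single runner role
# and an ExternalId condition. max_session_duration is the role's ceiling;
# because this is role chaining (runner role -> deployer role), STS caps the
# chained session at one hour regardless of the value set here.
resource "aws_iam_role" "cross_account_deployer" {
  provider             = aws.prod
  name                 = "ProdDeployerRole"
  max_session_duration = 3600

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::111122223333:role/SharedCiRunnerRole" }
      Condition = {
        StringEquals = { "sts:ExternalId" = var.deployer_external_id }
      }
    }]
  })
}

output "deployer_role_arn" {
  value = aws_iam_role.cross_account_deployer.arn
}
```

A quick way to confirm the chain is to run `aws sts get-caller-identity` from the pipeline before and after the assume-role step: the first call should report the runner role in 111122223333, the second the ProdDeployerRole session in the Production account. On the detection side, both the source-account `AssumeRole` call and the Production-account session appear in CloudTrail, so an AssumeRole into ProdDeployerRole from any principal other than SharedCiRunnerRole is a clear signal worth alerting on.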