Untitled

a guest
Feb 17th, 2019
AWSTemplateFormatVersion: '2010-09-09'
Description: API Gateway Client cross-account AssumeRole example

# Parameters
############
Parameters:
  ApiGatewayServiceAccountId:
    Description: The AWS Account ID of the API Gateway service to be accessed
    Type: String
    Default: "056319353359"
  ApiGatewayServiceIAMRole:
    Description: The Role name in the other AWS account that should be assumed in order to invoke the API Gateway
    Type: String
    Default: "InvokeApiGatewayRole"

# Resources
###########
Resources:
  # IAM Roles and Policies.

  # Role for the client side. The trust policy lets EC2 instances assume it.
  AssumeRoleCrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - ec2.amazonaws.com

  # Inline policy attached to the role above. It allows sts:AssumeRole
  # only on the named role in the API Gateway account.
  AssumeRoleCrossAccountInlinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AssumeRoleCrossAccountInlinePolicy
      Roles:
        - !Ref AssumeRoleCrossAccountRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource: !Sub "arn:aws:iam::${ApiGatewayServiceAccountId}:role/${ApiGatewayServiceIAMRole}"

  # Standalone managed policy with the same permission. This template does
  # not attach it to any role, user or group.
  # A fixed ManagedPolicyName requires CAPABILITY_NAMED_IAM at deploy time.
  AssumeRoleCrossAccountPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AssumeRoleCrossAccountPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource: !Sub "arn:aws:iam::${ApiGatewayServiceAccountId}:role/${ApiGatewayServiceIAMRole}"