
ESH Deployed Role Setup for your AWS Accounts

In order for the ESH executor to be able to deploy to AWS accounts, it needs access. This can be provided in a number of ways. The default is to deploy what we call the ESH Deployed Role. ESH provides a CloudFormation stack that can be used to create this role in your AWS organization accounts.

Running this stack in your master account creates a role that ESH can assume with administrative privilege in every account in your AWS organization. The role's trust policy allows only your own ESH Organizations executor role to assume it, so no other AWS principal can use the role.

If you wish to trim back the permissions granted to your ESH executor, use a Custom Role instead of the ESH Deployed Role. See Targets for more details.

Steps To Create the Role

Open CloudFormation Console

Open the CloudFormation console and click Create Stack. Copy and paste the following template S3 location into your stack:

https://cto-public.s3.eu-west-1.amazonaws.com/esh/esh-executor-account-access-role.json

[Screenshot: Open the CloudFormation console and click Create Stack]

Fill in Stack Parameters

You can name the stack however you choose; we suggest something like "ESH Executor Role".

Obtain your ESH executor role ARN from the ESH Targets console: click "Create Target", select Target Type "AWS", then Credentials "ESH Deployed Role", and your role ARN will be displayed. Copy and paste it into the stack's template parameters.

[Screenshot: Fill in stack parameters]

Run the Template

Click Next and then Submit, and the stack will be deployed. When it completes, you will be able to use ESH to deploy to any of your AWS Organizations accounts.

Note: only users who have been granted access to a target account will be able to deploy to that account.

[Screenshot: Wait for the stack to complete]
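The security of the ESH Deployed Role rests on the trust-policy claim made above: only your own ESH Organizations executor role may assume it. After the stack completes, it is worth confirming that property on the role that was actually created rather than taking it on trust. The following is an added example, not code from the ESH project or its CloudFormation template: a small checker that inspects a role's trust policy document and reports any principal other than the expected executor ARN (wildcards, whole-account `:root` principals, service principals) and any action beyond `sts:AssumeRole`. The executor ARN and the sample policy below are constructed placeholders; the real ARN comes from the ESH Targets console as described in the steps above.

```python
import json

# Constructed placeholder for the executor role ARN shown in the ESH Targets
# console. It is NOT a real ESH identifier; substitute the ARN you copied.
EXPECTED_EXECUTOR_ARN = (
    "arn:aws:iam::111111111111:role/esh-organizations-executor-PLACEHOLDER"
)

# Constructed sample trust policy in the shape a correctly deployed
# ESH Deployed Role should have: one Allow statement, one AWS principal,
# one action. This is an illustration, not the project's actual template.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": EXPECTED_EXECUTOR_ARN},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, expected_arn):
    """Return a list of problems found in an IAM role trust policy.

    An empty list means every Allow statement grants only sts:AssumeRole,
    and only to the single expected executor role ARN. Anything broader
    (wildcards, whole-account principals, other principal types, extra
    actions) is reported so the operator can see exactly who can assume
    the role and what they can do with it.
    """
    findings = []
    statements = _as_list(policy.get("Statement"))
    if not statements:
        return ["policy has no statements; the role cannot be assumed by anyone"]

    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag

        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {idx}: principal is '*' (anyone can assume)")
            continue
        if isinstance(principal, dict):
            for ptype, values in principal.items():
                if ptype != "AWS":
                    # Service/Federated/CanonicalUser principals do not belong here
                    findings.append(f"statement {idx}: unexpected principal type {ptype!r}")
                    continue
                for arn in _as_list(values):
                    if arn == "*" or arn.endswith(":root"):
                        findings.append(f"statement {idx}: over-broad AWS principal {arn!r}")
                    elif arn != expected_arn:
                        findings.append(
                            f"statement {idx}: principal {arn!r} is not the expected executor role"
                        )

        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {idx}: unexpected action {action!r}")
    return findings


def findings_from_get_role_output(text, expected_arn):
    """Parse the JSON printed by `aws iam get-role` and check its trust policy.

    Assumes the standard output shape {"Role": {"AssumeRolePolicyDocument": {...}}},
    where the CLI has already decoded the policy document into JSON.
    """
    role = json.loads(text)["Role"]
    return trust_policy_findings(role["AssumeRolePolicyDocument"], expected_arn)


if __name__ == "__main__":
    problems = trust_policy_findings(SAMPLE_TRUST_POLICY, EXPECTED_EXECUTOR_ARN)
    print("OK: only the expected executor role can assume this role" if not problems
          else "\n".join(problems))
```

To run it against the role the stack created, fetch the live trust policy with `aws iam get-role --role-name <ROLE-NAME-FROM-STACK-OUTPUTS>` (the role name is whatever the template assigns; it is not given on this page) and pass the command's output to `findings_from_get_role_output` together with the executor ARN from the Targets console. An empty findings list is the result you want; any line of output identifies a principal or action that the text above says should not be there.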