This article shows how to grant Puppeteers' AWS account (921835069063) read-only permissions to your AWS account. This is necessary to, for example, model your infrastructure with Terraform.
Adding a role to AWS
The first step is to add a role with ReadOnlyAccess to your AWS account. The role can then be assumed by the Puppeteers. To do this, log in to the AWS console:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-00-1024x556.png)
Search for “iam” and then select the IAM service from the list:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-01-1024x556.png)
Click on “Access management” → “Roles”:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-02-1024x556.png)
Click “Create role”:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-03-1024x556.png)
Select “Another AWS Account” as the trusted entity:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-04-1024x556.png)
Set “Account ID” to 921835069063. Add an “External ID” (~password) and check “Require MFA”. Click “Next: Permissions”:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-06-1024x556.png)
Check “ReadOnlyAccess” or some other suitable policy from your IAM policy list. Click “Next: Tags”:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-08-1024x556.png)
Optional: add tags to the role. Click “Next: Review”:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-09-1024x556.png)
Give the role a name. Here we've used “puppeteers”. Add a description if you want. Click “Create role”:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-10-1024x556.png)
On the role list click on the role you created:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-11-1024x556.png)
Click on the “Trust relationships” tab:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-12-1024x556.png)
Mark down “Role ARN” and “sts:ExternalId”:
![](https://www.puppeteers.net/wp-content/uploads/2021/05/aws-add-role-13-1024x556.png)
The final step is to send the “sts:ExternalId” and “Role ARN” values to Puppeteers using the contact form. Then Puppeteers' employees can assume the role you created for them, provided they have two-factor authentication turned on in their AWS account.
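Before sending the values, you can check that the trust policy shown on the “Trust relationships” tab really carries the three guards set in the wizard: the trusted account, the External ID and the MFA requirement. The following is an added example, not part of the original article; the function names are hypothetical and the sample policy is constructed, with a placeholder External ID.

```python
import json

TRUSTED_ACCOUNT = "921835069063"  # Puppeteers' account ID, as given in the article

# Constructed sample of the wizard's trust policy; the ExternalId is a placeholder.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::921835069063:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"},
                  "Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # A principal is a bare account ID or an ARN: arn:aws:iam::<account>:<resource>
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else principal

def _condition(stmt, operator, key):
    # Values of one condition key; key names are compared case-insensitively.
    for name, value in stmt.get("Condition", {}).get(operator, {}).items():
        if name.lower() == key.lower():
            return [str(v) for v in _as_list(value)]
    return []

def audit_trust_policy(policy_json, trusted_account=TRUSTED_ACCOUNT):
    """Return findings; an empty list means all three guards are in place."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    findings = [] if allows else ["no Allow statement"]
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and set(principal) == {"AWS"}:
            findings += [f"statement {i}: unexpected principal {p}"
                         for p in _as_list(principal["AWS"])
                         if _account_of(p) != trusted_account]
        else:
            findings.append(f"statement {i}: principal is not an AWS account")
        if not _condition(stmt, "StringEquals", "sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
        mfa = _condition(stmt, "Bool", "aws:MultiFactorAuthPresent")
        if [v.lower() for v in mfa] != ["true"]:
            findings.append(f"statement {i}: MFA is not required")
    return findings
```

Paste the JSON from the “Trust relationships” tab into `audit_trust_policy()`; any finding means the role is easier to assume than this article intends.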