<p align="center">
<a href="https://cloudquery.io">
<h1 align="center"><img alt="cloudquery logo" width=75% src="https://github.com/cloudquery/cloudquery/raw/main/cli/docs/images/logo.png"/></h1>
</a>
</p>

CloudQuery IAM Permissions  
==================================

## Overview:

This solution helps users set up the AWS IAM roles and permissions that CloudQuery needs in order to fetch all supported resources from every account in an AWS Organization. 
This solution deploys a child role into each member account and an administrator role into the administrator account; CloudQuery assumes the administrator role and, from it, the child role in each member account.

<p align="center">
  <img width="460"  src="https://user-images.githubusercontent.com/30294676/178352333-7146015f-f8df-4131-953a-d42627458824.png">
</p>

This solution uses CloudFormation StackSets with [`service-managed`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stacksets-concepts-stackset-permission-models) permissions to deploy the IAM roles automatically into every account in the specified account list or organizational unit, without any additional deployment IAM roles. 

### Organization Management Account or Delegated Administrator Account

How the template is deployed depends on where the StackSet is managed from.  For AWS Organizations, StackSets can be managed from either the Organization Management (admin) account or a [Delegated Administrator Account](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html).  A delegated administrator account is a member account that can create and manage StackSets with service-managed permissions for the organization.  

If deploying from a delegated administrator account, delegated administration must first be enabled for CloudFormation StackSets; follow AWS's guide [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html).  In that case the `DeployFromDelegatedAdmin` parameter must be set to `true` when deploying the solution.

## Usage

### Deploying this solution:

1. Clone this repo
2. Run the following command, replacing `<ROOT_ORG_ID>` with the ID of your organization's root (to deploy to your entire organization) 
or with a comma-separated list of OU IDs: 

``` bash
aws cloudformation create-stack --stack-name CloudQueryOrg-Deploy --template-body file://./template.yml  --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=OrganizationUnitList,ParameterValue=<ROOT_ORG_ID>
```
3. To get the ARN of the role in the admin account and the name of the role deployed in each member account:
``` bash
aws cloudformation describe-stacks --stack-name CloudQueryOrg-Deploy --query "Stacks[].Outputs"
```

4. Using the output from step (3), update the following values in your `cloudquery.yml` configuration file:

```yaml
kind: source
spec:
  name: aws
  path: cloudquery/aws
  registry: cloudquery
  version: "v26.6.0" # find latest version here: https://hub.cloudquery.io/plugins/source/cloudquery/aws/latest
  tables: ['aws_s3_buckets']
  destinations: ["postgresql"]
  spec:
    aws_debug: false
    org:
      admin_account:
        role_arn: <AdminRoleArn>
      member_role_name: <MemberRoleName>
    regions: 
      - "*"
```

### Other Parameters:

`AdditionalTrustedArns`: If the credentials used to run CloudQuery do not live in the same management account that the Stack is deployed into, pass the account ID or ARN of the principal that will run CloudQuery in this parameter. It adds a trust relationship that lets that principal assume the management role. This is necessary because, by default, each member-account role trusts only the single management role that the Stack deployed. Note that passing an account ID trusts the account as a whole (any principal in it that is allowed to call `sts:AssumeRole`), so prefer the ARN of the specific role or user where you can. 
This feature lets CloudQuery assume the role in the management account and then assume the role in each member account.

Here is an example of a CloudQuery configuration file that requires the `AdditionalTrustedArns` parameter:

```yaml
  spec:
    org:
      admin_account:
        role_arn: arn:aws:iam::<MNGMNT_ACCOUNT_ID>:role/cloudquery-mgmt-ro
      member_role_name: cq-ro
      member_trusted_principal:
        role_arn: arn:aws:iam::<MNGMNT_ACCOUNT_ID>:role/cloudquery-mgmt-ro
```

### Cleaning up:

Run this to delete all resources that were created:

``` bash
aws cloudformation delete-stack --stack-name CloudQueryOrg-Deploy
```

## Links

* Repository: https://github.com/cloudquery/iam-for-aws-orgs (MPL-2.0 license)
* Homepage: https://cloudquery.io
* Documentation: https://docs.cloudquery.io
* Discord: https://cloudquery.io/discord

## Contribution

Feel free to open a pull request for improvements, changes and bug fixes.
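Putting steps 3 and 4 together, and checking the trust relationships described under `AdditionalTrustedArns`, here is an added Python example that is not part of this repository. It flattens the `describe-stacks` output into the `org:` lines of `cloudquery.yml`, and audits a role's trust policy so that a member role trusts only the management role (and the management role trusts only the principals you deliberately passed as `AdditionalTrustedArns`). The output keys `AdminRoleArn` and `MemberRoleName` follow the placeholders above; the ARNs, account IDs, policy documents and the `fetch_trust_policy` helper are assumptions and constructed sample data, not values or code from this project.

```python
"""Added example, not code from the cloudquery/iam-for-aws-orgs repository.

(1) Turn the `describe-stacks` output from step 3 into the `org:` fragment of
cloudquery.yml (step 4).  (2) Audit a role's trust policy against the trust
relationships the README describes.  Output keys AdminRoleArn / MemberRoleName
follow the README placeholders; every ARN, account ID and policy document below
is constructed sample data (assumed, not taken from the project's template).
"""
import json
import re

# Constructed stand-in for the JSON printed by:
#   aws cloudformation describe-stacks --stack-name CloudQueryOrg-Deploy --query "Stacks[].Outputs"
SAMPLE_STACK_OUTPUTS = json.loads("""
[[{"OutputKey": "AdminRoleArn",   "OutputValue": "arn:aws:iam::111111111111:role/cloudquery-mgmt-ro"},
  {"OutputKey": "MemberRoleName", "OutputValue": "cq-ro"}]]
""")

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_stack_outputs(outputs):
    """Flatten `Stacks[].Outputs` (one list per stack) into {OutputKey: OutputValue}."""
    flat = {o["OutputKey"]: o["OutputValue"] for stack in outputs for o in stack}
    missing = {"AdminRoleArn", "MemberRoleName"} - set(flat)
    if missing:
        raise KeyError(f"stack outputs missing {sorted(missing)}; wrong stack name or template?")
    if not ROLE_ARN_RE.match(flat["AdminRoleArn"]):
        raise ValueError(f"AdminRoleArn is not an IAM role ARN: {flat['AdminRoleArn']}")
    return flat


def render_org_spec(outputs, regions=("*",)):
    """Render the `spec.org` / `spec.regions` lines of the aws source config as text."""
    v = parse_stack_outputs(outputs)
    lines = ["    org:",
             "      admin_account:",
             f"        role_arn: {v['AdminRoleArn']}",
             f"      member_role_name: {v['MemberRoleName']}",
             "    regions:"] + [f'      - "{r}"' for r in regions]
    return "\n".join(lines) + "\n"


def normalize_principal(p):
    """A bare 12-digit account ID in Principal.AWS means that account's root; IAM stores it as the root ARN."""
    return f"arn:aws:iam::{p}:root" if re.fullmatch(r"\d{12}", p) else p


def assume_role_principals(trust_policy):
    """Collect every AWS principal that an Allow statement permits to call sts:AssumeRole."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous principal: anyone may assume the role
            found.add("*")
            continue
        aws = principal.get("AWS", [])
        found.update(normalize_principal(p) for p in ([aws] if isinstance(aws, str) else aws))
    return found


def audit_trust_policy(trust_policy, expected_principals):
    """Return findings; an empty list means the trust policy matches expectations exactly.

    For a member role pass [AdminRoleArn]; for the management role pass the account IDs
    or ARNs you gave as AdditionalTrustedArns (plus any other principal you meant to trust)."""
    expected = {normalize_principal(p) for p in expected_principals}
    actual = assume_role_principals(trust_policy)
    findings = []
    if "*" in actual:
        findings.append("anonymous (*) principal may assume the role")
    findings += [f"unexpected trusted principal: {p}" for p in sorted(actual - expected - {"*"})]
    findings += [f"expected principal not trusted: {p}" for p in sorted(expected - actual)]
    return findings


def fetch_trust_policy(role_name):
    """Live variant: read AssumeRolePolicyDocument with boto3 (needs iam:GetRole in that account)."""
    import boto3  # imported here so the offline sample below runs without boto3 installed
    return boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


# Constructed member-role trust policies: one trusting only the management role, as the
# README describes, and one widened to the whole management account (a finding).
GOOD_MEMBER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/cloudquery-mgmt-ro"}}]}
WIDE_MEMBER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:role/cloudquery-mgmt-ro", "111111111111"]}}]}

if __name__ == "__main__":
    admin_arn = parse_stack_outputs(SAMPLE_STACK_OUTPUTS)["AdminRoleArn"]
    print(render_org_spec(SAMPLE_STACK_OUTPUTS))
    print("good:", audit_trust_policy(GOOD_MEMBER_TRUST, [admin_arn]))
    print("wide:", audit_trust_policy(WIDE_MEMBER_TRUST, [admin_arn]))
```

Run it as a script to print the config fragment and the two audit results; to audit a live role, run `fetch_trust_policy("cq-ro")` with credentials in that member account and pass the result to `audit_trust_policy` with the `AdminRoleArn` from step 3. A bare account ID in a trust policy is the account root, which lets any principal in that account with `sts:AssumeRole` permission assume the role, so the audit reports it unless it was deliberately listed as expected.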