CloudQuery Account: the AWS account where CloudQuery Platform is deployed. It hosts the IAM role that CloudQuery uses to assume roles in other accounts.
Your Account: the AWS account you want to sync resources from. It hosts a role that the CloudQuery account's role is permitted to assume, granting read-only access to the account's resources.
Prerequisites
Before starting, configure the following environment variables: the CloudQuery AWS account ID (provided by the CloudQuery team) and the sub-domain of your installation.
AWS best practices recommend an external ID whenever a role is assumed from a third-party account. It adds a verification layer that protects against the confused deputy problem, in which the third party is tricked into using its access to your role on someone else's behalf. An external ID can be any string of 2 to 1224 characters drawn from upper- and lowercase letters, digits, underscore and the characters +=,.@:/-; in this example we use a UUID.
export EXTERNAL_ID=$(uuidgen)
IAM Role And Permissions
Create the trust relationship for the cross-account role:
Note: the role_arn should have the following form and refer to the cross-account-readonly-role created in your AWS account:
arn:aws:iam::<your_account>:role/cross-account-readonly-role
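As an added example (not CloudQuery's own tooling), the script below assembles the trust policy for cross-account-readonly-role with the sts:ExternalId condition, checks EXTERNAL_ID against the constraints described above, and, when APPLY=1 is set, creates the role and attaches the AWS-managed ReadOnlyAccess policy with the AWS CLI. The variable name CLOUDQUERY_ACCOUNT_ID for the account ID supplied by the CloudQuery team, the APPLY switch, and trusting the CloudQuery account's root principal are assumptions of this example; if CloudQuery gives you the ARN of the role that performs the AssumeRole call, put that ARN in the Principal instead, which is the tighter trust.

```shell
#!/usr/bin/env bash
# Added example, not CloudQuery's own code. Builds and (optionally) applies the
# trust policy for cross-account-readonly-role.
# Assumptions (hypothetical names, not from the CloudQuery docs):
#   CLOUDQUERY_ACCOUNT_ID  12-digit AWS account ID supplied by the CloudQuery team
#   APPLY=1                actually call the AWS CLI instead of printing the policy
# EXTERNAL_ID is the variable exported earlier with uuidgen.
set -eu

ROLE_NAME="cross-account-readonly-role"

# AWS accepts an external ID of 2..1224 characters matching [\w+=,.@:/-].
# Checking it before interpolating it into JSON also guarantees it cannot
# contain a quote or backslash and break out of the policy string.
valid_external_id() {
  id="$1"
  [ "${#id}" -ge 2 ] && [ "${#id}" -le 1224 ] &&
    printf '%s' "$id" | grep -Eq '^[A-Za-z0-9_+=,.@:/-]+$'
}

# Trust policy: only principals in the CloudQuery account may assume the role,
# and only when they present the agreed external ID. Trusting ":root" means any
# principal in that account that its own IAM policies allow; replace it with the
# specific role ARN if CloudQuery provides one.
trust_policy() {
  principal_account="$1"
  external_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${principal_account}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    }
  ]
}
EOF
}

# Creates the role, attaches read-only permissions and prints the role ARN,
# which is the value to use as role_arn in the CloudQuery integration.
create_role() {
  if ! valid_external_id "${EXTERNAL_ID:-}"; then
    echo "EXTERNAL_ID is missing or not a valid AWS external ID" >&2
    return 1
  fi
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$CLOUDQUERY_ACCOUNT_ID" "$EXTERNAL_ID")"
  # ReadOnlyAccess covers everything CloudQuery can sync; scope it down if you
  # only sync a subset of services.
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "arn:aws:iam::aws:policy/ReadOnlyAccess"
  aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text
}

if [ "${APPLY:-0}" = "1" ]; then
  create_role
else
  # Dry run: show the policy that would be attached so it can be reviewed first.
  trust_policy "${CLOUDQUERY_ACCOUNT_ID:-<cloudquery_account_id>}" "${EXTERNAL_ID:-<external_id>}"
fi
```

Run it without APPLY to review the generated policy; with APPLY=1 it creates the role and prints its ARN in the arn:aws:iam::<your_account>:role/cross-account-readonly-role form shown above. A role whose trust policy lacks the sts:ExternalId condition can be assumed by the CloudQuery account on behalf of any of its customers, which is exactly the confused deputy exposure the external ID closes.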
With your AWS integration created, you can now use it in a new sync. There you specify when the AWS sync should run and which destination databases it should write to.