This section describes the one-time task of setting up the automation that creates an IAM service role for EC2. Your Cloud Administration team must perform it before you can use AWS Cloud9 in your team development AWS accounts.
Engage your Cloud Administration team for this one-time setup step: because elevated privileges are needed, you will need your Cloud Administration team to address it. Once this step is complete, you will be able to self-service create Cloud9 environments in your team development AWS accounts.
In your team development AWS accounts, you have access only to private subnets. Although AWS Cloud9 supports the use of private subnets, it requires a Cloud9-specific IAM service role for EC2 to do so. Since the guardrails that apply to your team development AWS accounts do not allow you, as a builder, to create IAM roles whose names start with AWS*, you will need to ask your Cloud Administration team to put the following role in place before you can use Cloud9 in your private development subnets.
As a Cloud Administrator, you will use AWS CloudFormation to deploy a CloudFormation StackSet to your organization’s management AWS account. This StackSet will be based on a CloudFormation template.
Download the following CloudFormation template to your desktop: example-infra-team-dev-cloud9-service-role.yml
Create a StackSet to deploy the IAM service role for EC2 to all of the AWS accounts associated with your development OUs. Sign in to the AWS Management Console for your organization’s management AWS account and open AWS CloudFormation.
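The following CloudFormation template is an added illustration of what such a StackSet deploys; it is not the example-infra-team-dev-cloud9-service-role.yml file referenced above, and the role name, instance profile name, managed policy, trust principals and paths are assumptions based on the AWS Cloud9 documentation for no-ingress (private subnet) environments. The one parameter, PermissionsBoundaryName, is the assumed name of the StackSet parameter that takes the permissions boundary used as a guardrail in your team development accounts, so that this administrator-created role is constrained by the same boundary as every role a builder could create.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the page's own template): Cloud9-specific IAM service role
  for EC2, deployed by a StackSet to team development accounts. Builders cannot
  create roles named AWS*, so an administrator deploys this once per account.

Parameters:
  PermissionsBoundaryName:
    Type: String
    Description: >-
      Name (not ARN) of the permissions boundary policy that guards your team
      development AWS accounts. Assumed parameter name.

Resources:
  # Assumed role name: Cloud9 looks for AWSCloud9SSMAccessRole when it creates
  # a no-ingress environment in a private subnet.
  Cloud9SSMAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloud9SSMAccessRole
      Path: /service-role/
      Description: Service role used by AWS Cloud9 EC2 environments in private subnets
      # Both EC2 (the environment's instance) and Cloud9 (the service) assume it.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - cloud9.amazonaws.com
            Action: sts:AssumeRole
      # AWS managed policy that grants only the Systems Manager permissions
      # Cloud9 needs to reach an instance without inbound SSH.
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSCloud9SSMInstanceProfile
      # Apply the same guardrail boundary that builders' roles carry, so the
      # elevated setup step does not create a role outside the account's limits.
      PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}

  # Assumed instance profile name; Cloud9 attaches it to the EC2 instance.
  Cloud9SSMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: AWSCloud9SSMInstanceProfile
      Path: /cloud9/
      Roles:
        - !Ref Cloud9SSMAccessRole

Outputs:
  RoleArn:
    Description: ARN of the Cloud9 EC2 service role created in this account
    Value: !GetAtt Cloud9SSMAccessRole.Arn
  InstanceProfileArn:
    Description: ARN of the instance profile Cloud9 attaches to environment instances
    Value: !GetAtt Cloud9SSMInstanceProfile.Arn
```

Because the StackSet is deployed with service-managed permissions, the management account needs no per-account IAM deployment roles; CloudFormation uses the organization's trusted access to create these two resources in each member account. After deployment, an administrator can confirm the boundary is attached by inspecting the role in a member account and checking that its PermissionsBoundary ARN matches the guardrail policy, which is the property a builder cannot remove.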
Now create the StackSet:
For the template source, select Upload a template file.
Choose file to select the downloaded template file from your desktop.
Enter a StackSet name, replacing example with your organizational identifier.
For the permissions boundary parameter, provide the name of the permissions boundary that has been used as a guardrail for your team development AWS accounts. For example,
For permissions, select Service-managed permissions.
For Deployment targets, select Deploy to organizational units (OUs).
If you didn’t make a copy of the development OU IDs, open a new browser tab and access AWS Control Tower. Select Organizational units, and select each of the following development OUs to obtain its OU ID:
For Specify regions, select your home AWS region.
Monitor the operation that creates the StackSet. Select the Stack instances tab to see the status of the stack being applied to each of the AWS accounts.
When this StackSet is created, the associated CloudFormation stack is applied to each of the AWS accounts currently associated with the specified OUs.
Additionally, each time a new AWS account is added to one of the OUs, the CloudFormation stack is automatically applied to it. When an AWS account is removed from the OUs, the stack is automatically removed from that account.
Once the CloudFormation stack has been applied to an AWS account, the builders with access to that account will be able to self-service create Cloud9 environments according to the instructions in the next section.