amazon web services - What is the actual YourControlTowerUserRole when creating AWSControlTowerBlueprintAccess for AWS Control T

admin2025-04-19  0

Follow the official user guide for setting up Account Factory.

It provides an example trust policy of AWSControlTowerBlueprintAccess in the Hub account (blueprint account):

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Principal": {
               "AWS": [
               "arn:aws:iam::YourManagementAccountId:role/service-role/AWSControlTowerAdmin", 
               "arn:aws:iam::YourManagementAccountId:role/YourControlTowerUserRole"
               ]
           },
           "Action": "sts:AssumeRole"
       }
   ]
}

and it says:

replace the term YourManagementAccountId with the actual account ID of your AWS Control Tower management account, and replace the term YourControlTowerUserRole with the identifier of the IAM role for your management account.

I am not sure what the YourControlTowerUserRole is; it is mentioned nowhere else when setting up the AWS Control Tower.

I did experimentally create a test role containing permissions for administering Control Tower in the management account. I can use this role for the Control Tower console via AssumeRole, but the effective ARN is like

arn:aws:sts::{AccountID}:assumed-role/{RoleName}/{FunctionName}

NOT

arn:aws:iam::YourManagementAccountId:role/YourControlTowerUserRole

So it cannot assume AWSControlTowerBlueprintAccess for accessing the blueprints.

I am confused now. Can someone explain why the trust policy requires this YourControlTowerUserRole and how this is used in practice?

Thanks KLIN
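As an added illustration (not part of the question or of AWS's documentation), the following models how IAM compares a trust policy's role principals against a caller's STS session ARN: the comparison is on the role behind the session (account ID plus role name), and the role path such as service-role/ exists only in the IAM role ARN, never in the assumed-role session ARN. The account ID and the role name ControlTowerOperator are constructed placeholders; the check ignores Deny statements, wildcards and Conditions, which real IAM also evaluates.

```python
import re

# Constructed sample values; not the asker's real account or role names.
MANAGEMENT_ACCOUNT_ID = "111122223333"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:role/service-role/AWSControlTowerAdmin",
            f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:role/ControlTowerOperator",  # stands in for YourControlTowerUserRole
        ]},
        "Action": "sts:AssumeRole",
    }],
}

# IAM role ARN: optional path segments, then the role name.
IAM_ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[^/]+/)*([^/]+)$")
# STS session ARN: role name (no path), then the session name.
STS_SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def role_identity(arn):
    """Reduce an IAM role ARN or an STS assumed-role ARN to (account_id, role_name).
    The path is dropped because the session ARN never carries it."""
    m = IAM_ROLE_RE.match(arn) or STS_SESSION_RE.match(arn)
    return (m.group(1), m.group(2)) if m else None


def session_allowed(policy, caller_arn):
    """True if the caller's underlying role is listed as an AWS principal in an
    Allow statement granting sts:AssumeRole (simplified model of IAM evaluation)."""
    caller = role_identity(caller_arn)
    if caller is None:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if any(role_identity(p) == caller for p in principals):
            return True
    return False
```

Running session_allowed against a session ARN such as arn:aws:sts::111122223333:assumed-role/ControlTowerOperator/klin returns True, while a session of a role not listed, or the same role name in another account, returns False.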
