Story
Resolution: Done
Major
Summary
AWS now supports and suggests as best practice the use of an External ID when creating IAM roles with cross-account access. The cost management AWS source flow has a user create such a role. We are requesting that the wizard flow for creating a cost management AWS source be updated to generate a per-customer randomized string that the customer can use to populate the external ID in AWS when creating the role. Sources would then pass along that external ID (in addition to the role ARN passed today) in a message to cost management upon source creation.
Business Impacts
This is required for a Hybrid Committed Spend customer. It's a new way AWS provides for customers to add more security, so it is expected to be used more in the future. We would love to have this sooner rather than later. The sizing is not expected to be huge.
Impacts
- Sources UI
- Cost Management Team
- Other consumers of AWS sources
Requires
- Updates to the Sources UI
- Updates to the Sources API/Messages
UX Mocks: https://www.sketch.com/s/13021cc9-c842-4a6e-9e61-240f17a2b59a/a/qbK2aye
cc: kriedese, clevy@redhat.com
- is blocked by: RHCLOUD-26674 Setting up a policy/role on the Cost Management AWS super key flow (no UI needed) (Closed)
- is depended on by: COST-3807 [Case 03511718]: Utilize AWS External ID for Role Trusted Entities (Closed)
- is related to: COST-3808 Update AWS source creation to accept external_id (Closed)
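
The flow requested in the Summary, as an added Python example that is not part of the original ticket or of the Sources or cost management code: generate a per-customer external ID, build the IAM trust policy the customer would attach to the role, check that a policy actually pins that ID, and build the message carrying it alongside the role ARN. The account IDs are constructed placeholders, and the function names and the `role_arn` key are assumptions; `external_id` is the field name used in the COST-3808 title.

```python
import uuid

# Constructed placeholder: account ID of the service that will assume the role.
TRUSTED_ACCOUNT_ID = "111122223333"


def new_external_id() -> str:
    """Per-customer random string; uuid4 carries 122 random bits from os.urandom."""
    return str(uuid.uuid4())


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role, conditioned on the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def requires_external_id(policy: dict, external_id: str) -> bool:
    """True only if every Allow statement for sts:AssumeRole pins this external ID."""
    found = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if pinned != external_id:
            return False  # role can be assumed without (or with another) external ID
        found = True
    return found


def source_created_message(role_arn: str, external_id: str) -> dict:
    """Hypothetical message shape: the role ARN passed today plus the new external_id."""
    return {"role_arn": role_arn, "external_id": external_id}
```
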