|
| 1 | +# [Cross-account configuration with AWS AppConfig | AWS Cloud Operations Blog](https://aws.amazon.com/blogs/mt/cross-account-configuration-with-aws-appconfig/) |
| 2 | + - Published: 2022-02-17 |
| 3 | + - Author: [[Person/Luis Gomez]] |
| 4 | + - Blog: [[AWS/AppConfig/Blog]] |
| 5 | + - Tags: #AWS #AppConfig #Cross-Account #Configuration #Multi-Account #Systems Manager |
| 6 | + - |
| 7 | + - ## Overview |
| 8 | + - Guide for managing application configurations across multiple AWS accounts using AWS AppConfig. Uses a centralized configuration account (typically in a Deployments OU) to manage configurations for applications running in separate accounts. |
| 9 | + - |
| 10 | + - ## Key Concepts |
| 11 | + - * Centralized configuration management: Use a dedicated configuration account to host AWS AppConfig resources |
| 12 | + - * Cross-account access: Applications in other accounts assume IAM roles to read configurations from the config account |
| 13 | + - * Multi-environment support: Deploy configurations to different environments (development, testing, production) from a single place |
| 14 | + - |
| 15 | + - ## Architecture |
| 16 | + - * Configuration Account (Config Account) |
| 17 | + - Hosts AWS AppConfig application, configuration profiles, and environments |
| 18 | + - Stores container images in Amazon ECR |
| 19 | + - Provides IAM roles for cross-account access |
| 20 | + - * Application Account (App Account) |
| 21 | + - Runs the application (e.g., in AWS App Runner) |
| 22 | + - Assumes IAM role in config account to read AppConfig |
| 23 | + - Pulls container images from config account ECR |
| 24 | + - |
| 25 | + - ## Setup Steps |
| 26 | + - ### Account Setup |
| 27 | + - * Create accounts using AWS Organizations or independent accounts |
| 28 | + - * Configure AWS CLI access with SSO (e.g., "config" profile for config account, "dev" profile for app account) |
| 29 | + - |
| 30 | + - ### Application Build |
| 31 | + - * Containerized Python Flask app (example in blog post) |
| 32 | + - * Push image to ECR in config account |
| 33 | + - * Share ECR repository with app account via repository policy |
| 34 | + - |
| 35 | + - ### AWS AppConfig Setup |
| 36 | + - * Create application (e.g., "ListServices") |
| 37 | + - * Create environments (development, testing, production) |
| 38 | + - * Create configuration profile with JSON content |
| 39 | + - * Add JSON Schema validator |
| 40 | + - * Deploy initial configuration to development environment |
| 41 | + - |
| 42 | + - ### IAM Roles & Permissions |
| 43 | + - * Config Account: |
| 44 | + - IAM policy: `AppConfigListServicesAccessPolicy` |
| 45 | + - Permissions for AppConfig API calls (GetLatestConfiguration, StartConfigurationSession, etc.) |
| 46 | + - IAM role: `AppConfigListServicesAccessRole` |
| 47 | + - Trusts app account |
| 48 | + - Attached to AppConfig access policy |
| 49 | + - * App Account: |
| 50 | + - IAM policy: `AssumeAppConfigListServicesAccessPolicy` |
| 51 | + - Allows assuming the role in config account |
| 52 | + - IAM role: `AppRunnerListServicesCrossConfigRole` |
| 53 | + - For App Runner service |
| 54 | + - Trusts `tasks.apprunner.amazonaws.com` |
| 55 | + - Allows assuming config account role |
| 56 | + - |
| 57 | + - ### Application Deployment |
| 58 | + - * Deploy application using AWS App Runner (or other container service) |
| 59 | + - * Set environment variables: |
| 60 | + - `APPCONFIGAPPNAME`: Application name |
| 61 | + - `APPCONFIGCONF`: Configuration profile identifier |
| 62 | + - `APPCONFIGENV`: Environment identifier |
| 63 | + - `APPCONFIGREADROLE`: ARN of IAM role in config account to assume |
| 64 | + - |
| 65 | + - ## Configuration Management Pattern |
| 66 | + - * Application code uses `boto3` to: |
| 67 | + - Assume role in config account via STS |
| 68 | + - Start AppConfig configuration session |
| 69 | + - Poll for latest configuration using token |
| 70 | + - Cache configuration data |
| 71 | + - * Configuration changes are deployed from config account console |
| 72 | + - * Applications automatically pick up changes without redeployment |
| 73 | + - |
| 74 | + - ## Use Cases |
| 75 | + - * Centralized configuration management across multiple accounts |
| 76 | + - * Environment-specific configurations (dev/test/prod) |
| 77 | + - * Dynamic configuration updates without application redeployment |
| 78 | + - * Configuration isolation from application workloads |
| 79 | + - |
| 80 | + - ## Related Resources |
| 81 | + - * [[AWS/Systems Manager]] |
| 82 | + - * [[AWS/AppConfig]] |
| 83 | + - * [[AWS/Organizations]] |
| 84 | + - * [[AWS/IAM/Cross-Account Access]] |
| 85 | + - * [[AWS/App Runner]] |
| 86 | + - * [[AWS/ECR]] |
| 87 | + |
0 commit comments