Assume Payer Account Role for ListAccounts then Use The Original Account To Assume Member Account RO roles

Hi CQ Team,

I want to deploy CloudQuery into a member account A. The payer account is B.
Here’s my source spec in cloudquery.yml:

spec:
    org:
      admin_account:
        role_arn: role_in_B
      member_role_name: cloudquery-ro-role-in-member-account

CQ was able to successfully list member accounts in B, but then it uses role_in_B to assume the cloudquery-ro-role-in-member-account, which failed because cloudquery-ro-role-in-member-account has trust policy with account A only.

Is it possible to go back to account A and use a role there to assume cloudquery-ro-role-in-member-account after using the admin account to grab a list of member accounts?

Maybe something like

spec:
    org:
      admin_account:
        role_arn: role_in_B
      member_role_name: cloudquery-ro-role-in-member-account
      cq_worker_role_arn: role_in_A

The answer is:

spec:
    org:
      admin_account:
        role_arn: role_in_B
      member_role_name: cloudquery-ro-role-in-member-account
      member_trusted_principal:
        role_arn: role_in_A
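To make the credential flow behind that spec concrete, here is an added illustration (not CloudQuery's code and not from the thread) that models sts:AssumeRole and organizations:ListAccounts with in-memory fakes so it runs offline. The account ids, the instance role `cq-worker-instance`, and the trust policies are constructed assumptions; `role_in_A`, `role_in_B` and the member role name are the names used in the post. It shows the working chain (worker in A assumes role_in_B only to list accounts, then goes back to A, assumes role_in_A, and uses that to assume each member read-only role) next to the failing chain (assuming member roles from role_in_B), which the member roles' trust policies reject.

```python
"""Role-chaining illustration for the thread above (added example, not CloudQuery code)."""
from dataclasses import dataclass

# Constructed account ids and ARNs; none of these values come from the thread.
ACCOUNT_A = "111111111111"          # member account where the CloudQuery worker runs
ACCOUNT_B = "222222222222"          # payer / Organizations management account
MEMBER_ACCOUNTS = ["333333333333", "444444444444"]

WORKER_BASE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/cq-worker-instance"  # hypothetical instance role
ROLE_IN_A = f"arn:aws:iam::{ACCOUNT_A}:role/role_in_A"
ROLE_IN_B = f"arn:aws:iam::{ACCOUNT_B}:role/role_in_B"
MEMBER_ROLE_NAME = "cloudquery-ro-role-in-member-account"


def member_role_arn(account_id: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{MEMBER_ROLE_NAME}"


def account_of(arn: str) -> str:
    # arn:partition:service:region:account-id:resource -> field 4 is the account id
    return arn.split(":")[4]


# Trust policies reduced to the principals each role trusts. "<account>:root" means any
# principal in that account (still subject to that principal's own IAM policy in real AWS).
TRUST_POLICIES = {
    ROLE_IN_B: [f"arn:aws:iam::{ACCOUNT_A}:root"],                   # admin role in B trusts account A
    ROLE_IN_A: [f"arn:aws:iam::{ACCOUNT_A}:root"],                   # worker in A may assume role_in_A
    **{member_role_arn(acct): [ROLE_IN_A] for acct in MEMBER_ACCOUNTS},  # member RO roles trust role_in_A only
}


@dataclass(frozen=True)
class Credentials:
    account_id: str
    principal_arn: str


class AccessDenied(Exception):
    pass


class FakeSts:
    """Stand-in for sts:AssumeRole that enforces only the trust policy. Real sessions carry an
    assumed-role ARN that IAM maps back to the role; here the role ARN itself is the principal."""

    def __init__(self, trust_policies):
        self.trust_policies = trust_policies

    def assume_role(self, caller: Credentials, role_arn: str) -> Credentials:
        for trusted in self.trust_policies.get(role_arn, []):
            if trusted == caller.principal_arn:
                break
            if trusted.endswith(":root") and account_of(trusted) == caller.account_id:
                break
        else:
            raise AccessDenied(f"{caller.principal_arn} is not trusted by {role_arn}")
        return Credentials(account_of(role_arn), role_arn)


class FakeOrganizations:
    """Stand-in for organizations:ListAccounts, answerable only from the management account."""

    def __init__(self, management_account: str, member_accounts):
        self.management_account = management_account
        self.member_accounts = list(member_accounts)

    def list_accounts(self, caller: Credentials):
        if caller.account_id != self.management_account:
            raise AccessDenied("ListAccounts must be called from the management account")
        return list(self.member_accounts)


def collect_member_credentials(base, sts, org, admin_role_arn, member_role_name, member_trusted_role_arn=None):
    """Working flow: the admin role is used only for discovery; member roles are assumed from
    account A. member_trusted_role_arn plays the part of spec.org.member_trusted_principal.role_arn;
    when it is None the base credentials are used directly."""
    admin = sts.assume_role(base, admin_role_arn)
    accounts = org.list_accounts(admin)
    source = base if member_trusted_role_arn is None else sts.assume_role(base, member_trusted_role_arn)
    return {acct: sts.assume_role(source, f"arn:aws:iam::{acct}:role/{member_role_name}") for acct in accounts}


def collect_via_admin_role(base, sts, org, admin_role_arn, member_role_name):
    """Failing flow from the post: member roles chained off the admin role in B."""
    admin = sts.assume_role(base, admin_role_arn)
    accounts = org.list_accounts(admin)
    return {acct: sts.assume_role(admin, f"arn:aws:iam::{acct}:role/{member_role_name}") for acct in accounts}


if __name__ == "__main__":
    sts = FakeSts(TRUST_POLICIES)
    org = FakeOrganizations(ACCOUNT_B, MEMBER_ACCOUNTS)
    base = Credentials(ACCOUNT_A, WORKER_BASE_ARN)
    for acct, creds in collect_member_credentials(base, sts, org, ROLE_IN_B, MEMBER_ROLE_NAME, ROLE_IN_A).items():
        print(acct, "->", creds.principal_arn)
    try:
        collect_via_admin_role(base, sts, org, ROLE_IN_B, MEMBER_ROLE_NAME)
    except AccessDenied as exc:
        print("denied as expected:", exc)
```

The fake keeps the trust-policy check deliberately narrow: with the member roles trusting only role_in_A, both the admin role in B and the raw worker credentials are refused, which is the least-privilege outcome you want from such a trust policy. Widening it to `arn:aws:iam::111111111111:root` would let any sufficiently permitted principal in account A assume the member roles, so keep the specific role ARN unless there is a reason not to.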

Hi @YifeiY!

First of all - welcome to the CloudQuery forums! We’re so glad you’re here.

It looks like you beat us to it, and you figured out the answer. Just following up with you to see if you need any additional assistance.

Thanks!
Joe