CloudQuery multiaccount role usage for data retrieval issue

Hi CQ team,

I have a question related to running CQ in AWS Multiaccount. I run CQ from one of the member accounts. Can that account use the same role for data retrieval as the role used to assume the role in Org management? It defaults to the org members read-only role (which is reasonable), but can this be overwritten?

Hi Michal,

Can you please clarify the current role setup you have and which role you want to be used for retrieval?

Account A (where CloudQuery lives) has a role with permissions to read Account A setup, as well as a trust policy allowing it to assume a role in the organization management account. However, this role in the organization setup is used only to assume the role into the organization management account.

Then, the management account assumes a role in individual accounts to query the environment.

So the question is, can CloudQuery use its default role to query the environment in Account A, or will it always only use the organization role to assume the cq-read role deployed to the accounts?

Am I correct in understanding that you want to support two levels of role switching in this format:

Account A -> management account -> individual account(s)

but the trust policy is only set up on the first level going from Account A to management account? Per the AWS docs, I don’t think this can work without trust policies on all the roles. Have you had a look at the IAM docs to see if this is supported? Our tooling will follow the IAM policies you have defined.
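To make the "trust policies on all the roles" point concrete, here is an added example (not part of the thread, and not CloudQuery's own code) of the two trust policies the described chain needs, plus a small check that walks the hops. Account IDs and the role names other than cq-read are placeholders; the evaluator is deliberately simplified (Allow statements, no conditions) and is only meant to show why Account A's role cannot skip the management account and assume cq-read directly.

```python
"""Trust-policy chain for CloudQuery org mode (added, illustrative example).

Hop 1: a role in Account A (where CloudQuery runs) assumes a role in the
organization management account.
Hop 2: the management-account role assumes the "cq-read" role deployed in
each member account.

Account IDs and the role names other than cq-read are placeholders.
"""
import json

# Placeholder identities (constructed for this example, not real accounts).
ACCOUNT_A_ROLE = "arn:aws:iam::111111111111:role/cloudquery-runner"
MGMT_ROLE = "arn:aws:iam::222222222222:role/cloudquery-org-admin"
MEMBER_ROLE = "arn:aws:iam::333333333333:role/cq-read"

# Trust policy attached to the management-account role: only the Account A
# runner role may assume it.
MGMT_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:role/cloudquery-runner"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# Trust policy attached to cq-read in every member account: only the
# management-account role may assume it. Account A's role is deliberately
# absent, which is why a direct Account A -> member hop is refused.
MEMBER_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::222222222222:role/cloudquery-org-admin"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

TRUST_POLICIES = {MGMT_ROLE: MGMT_TRUST_POLICY, MEMBER_ROLE: MEMBER_TRUST_POLICY}


def trusted_principals(policy: dict) -> set[str]:
    """Return the principal ARNs a trust policy allows to call sts:AssumeRole.

    Simplified evaluator: Allow statements only, no conditions, string or
    list principals. Enough to reason about role chaining, not a full IAM
    policy engine.
    """
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        allowed.update(principals)
    return allowed


def chain_is_trusted(hops: list[str], trust_policies: dict) -> bool:
    """True if every hop caller -> target is allowed by the target's trust policy.

    hops[0] is the starting identity; each later entry must be a role whose
    trust policy names the previous entry as a principal.
    """
    for caller, target in zip(hops, hops[1:]):
        policy = trust_policies.get(target)
        if policy is None or caller not in trusted_principals(policy):
            return False
    return True


if __name__ == "__main__":
    full_chain = [ACCOUNT_A_ROLE, MGMT_ROLE, MEMBER_ROLE]
    print("A -> mgmt -> member:", chain_is_trusted(full_chain, TRUST_POLICIES))
    print("A -> member directly:", chain_is_trusted([ACCOUNT_A_ROLE, MEMBER_ROLE], TRUST_POLICIES))
```

The second call returns False because cq-read's trust policy never names Account A's role, which is exactly the situation where CloudQuery (or any STS caller) would get an AccessDenied on the skipped hop; the tool cannot do more than the trust policies allow.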

Actually, I’m okay with that model, and it works fine. I have a specific use case where I’d like to use a default model to query the environment where CloudQuery lives, using Account A role purely (no trust needed).

I think in that case you can use this setup in your config:

kind: source
spec:
  name: aws-org
  tables: ["*"]
  destinations: ["postgresql"]
  spec:
    org:
      # Credentials used to reach the organization management account.
      # The ARN is a placeholder: use the management-account role that
      # Account A's role is trusted to assume.
      admin_account:
        role_arn: "arn:aws:iam::<management-account-id>:role/<org-admin-role>"
      # Role assumed in each member account (the cq-read role deployed to the accounts).
      member_role_name: "cq-read"
---
kind: source
spec:
  name: aws-account
  tables: ["*"]
  destinations: ["postgresql"]
  # Empty plugin spec: no org block, so the plugin uses the default credential
  # chain of the environment CloudQuery runs in and syncs only Account A.
  spec: {}
The second block will use the default credentials and only sync that account.