Version: v3.3

Cross Account Role Guidance

This page provides guidance for the Cross Account Deploy Role used by Cloudwick CMP (Customer Management Platform) to deploy and manage the application in your AWS account. The role is defined in the CloudFormation template CrossAccount-Deploy-Role.yaml.


Deploying the cross-account role

Deploy the cross-account role in your customer AWS account using the Cloudwick CloudFormation template CrossAccount-Deploy-Role.yaml. This creates the IAM role that the Cloudwick CMP account uses to perform deployments and updates in your account.

Prerequisites

  • Access: Ability to deploy CloudFormation stacks in your AWS account.
  • Trusted Account ID: The Cloudwick CMP AWS Account ID from which deployments are triggered.
  • External ID: A unique alphanumeric secret chosen by you (the customer) when you deploy the cross-account role and shared with Cloudwick CMP. STS only lets the trusted account assume the role when the AssumeRole request carries this value (sts:ExternalId), which is the standard defence against the confused-deputy problem.

Key parameters

When launching the stack, you will configure at least:

| Parameter | Description |
| --- | --- |
| pProjectShortName | Short identifier for your project, used in the IAM role name and for resource tagging. |
| pProjectName | Full project name, also used for tagging and identification in deployed resources. |
| pEnvironment | The environment (e.g. dev, prod, test) the deployment belongs to, used in resource naming and tagging. |
| pTrustedAccountId | The Cloudwick CMP AWS account ID that is allowed to assume the role. |
| pExternalId | The external ID the trusted account must present when it assumes the role. |

Additional parameters control optional capabilities (WAF, CloudTrail, DR, AI services, HCLS, Trace, etc.). Use the template defaults or adjust as agreed for your deployment.

Deployment steps

  1. In the AWS account where Amorphic will be deployed, open CloudFormation in the target region.
  2. Create a new stack (Create stack > With new resources (standard)).
  3. Upload or specify the CrossAccount-Deploy-Role.yaml template.
  4. Fill in the required parameters, especially pTrustedAccountId and pExternalId.
  5. Proceed through the stack options and create the stack.
  6. After the stack completes, note the role name (e.g. {ProjectShortName}-{Region}-{Environment}-AmorphicDeployRole) and role ARN. Cloudwick CMP needs this role ARN, together with the external ID you chose, to assume the role and perform deployments.

The role’s trust policy allows:

  • CloudFormation in your account to assume the role (for stack operations).
  • The Cloudwick CMP trusted account to assume the role only when the correct external ID is supplied, which mitigates the confused-deputy problem.

Do not delete the cross-account role

Do not delete the Cross Account Deploy Role (or the CloudFormation stack that creates it) after it has been deployed and Amorphic is in use.

Deleting this role has serious consequences for the product and your environment.

Why deletion is prohibited

  • Deployment and further updates will fail — Cloudwick CMP automation uses this role to deploy application updates, hotfixes, and configuration changes. Without it, deployments and bug fixes from the Cloudwick CMP side will fail and you will not receive product updates or fixes through the normal deployment pipeline.
  • Recreating the role is not a simple fix — A role recreated with the same name is a new principal: IAM assigns it a new unique ID, so any policy or trust relationship that was bound to the original role no longer matches it, and the permissions it carries are only whatever was attached at recreation time. All references to the role (in Amorphic’s systems, pipelines, and your account) would need to be updated, and re-establishing trust and deployment may require coordination and downtime.

If you need to stop Cloudwick CMP from using your account, use the trust-policy restrictions described in the next section instead of deleting the role. If the role must be removed for compliance or account closure, coordinate with Cloudwick support to plan the change and its impact.


Restricting the Cloudwick (CMP) account from having access

If you need to temporarily or permanently prevent the Cloudwick CMP trusted account from assuming the deploy role (for example, to pause deployments or during a security review), update the role’s trust policy instead of deleting the role.

The simplest and safest way to block the Cloudwick CMP account from assuming the role is to change the external ID by updating the CloudFormation stack that manages the deploy role.

To do this:

  1. In the AWS account where the role is deployed, open CloudFormation in the target region.
  2. Select the stack that created the cross-account deploy role (typically named for your project/deployment).
  3. Choose Update.
  4. Update the pExternalId parameter to a new random value, generated with a cryptographically secure random source and not reused from any other role.
    • The new external ID must be different from the one provided to Cloudwick CMP; keep it only in your own secret store until you decide to restore access.
  5. Complete the stack update.

Once the external ID has been changed, the Cloudwick CMP account will be unable to assume the role because it no longer knows the correct external ID, and deployments will fail until the original value is restored or re-shared.

Tip: This method is preferred over removing trust policy statements, as it is reversible and preserves your original CloudFormation resource, minimizing risk of configuration drift.

Do not delete the stack or role; use this blocking method for safer, reversible protection.
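The stack update in the steps above can also be scripted. The following is an added example for this page, not Cloudwick's own tooling: it generates a fresh alphanumeric external ID, builds an update_stack parameter list in which every other parameter keeps its previous value (so the role name and optional capabilities are not touched), and applies it with boto3. The parameter name pExternalId comes from this page; the 32-character minimum, the CAPABILITY_NAMED_IAM requirement (the template creates a named role) and the sample parameter values are assumptions of the example.

```python
"""Rotate the external ID on the stack that manages the cross-account deploy role.

Added example for this page, not Cloudwick's own tooling. Assumptions:
- the stack parameter is named pExternalId (as on this page) and every other
  parameter should keep its previous value;
- the template declares a named IAM role, so the update needs CAPABILITY_NAMED_IAM;
- the caller has credentials in the customer account with cloudformation:UpdateStack.
"""
import re
import secrets

EXTERNAL_ID_PARAM = "pExternalId"
# Alphanumeric only, matching the page's description; the 32-char minimum is this
# example's own choice, not a Cloudwick requirement.
EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9]{32,}$")


def generate_external_id(nbytes: int = 16) -> str:
    """Return a fresh random alphanumeric external ID (hex, 2 * nbytes chars)."""
    return secrets.token_hex(nbytes)


def build_update_parameters(current_parameters, new_external_id):
    """Build the Parameters list for update_stack.

    Every parameter keeps its previous value except pExternalId, which gets the
    new value. Leaving the others alone is what makes this a pure trust
    rotation: the role name and the optional capabilities stay as deployed.
    """
    if not EXTERNAL_ID_RE.match(new_external_id):
        raise ValueError("external ID must be alphanumeric and at least 32 characters")
    params, found = [], False
    for p in current_parameters:
        key = p["ParameterKey"]
        if key == EXTERNAL_ID_PARAM:
            # describe_stacks masks NoEcho values as "****", so this check only
            # catches a repeated value when the parameter is not NoEcho.
            if p.get("ParameterValue") == new_external_id:
                raise ValueError("new external ID must differ from the current one")
            params.append({"ParameterKey": key, "ParameterValue": new_external_id})
            found = True
        else:
            params.append({"ParameterKey": key, "UsePreviousValue": True})
    if not found:
        raise ValueError(f"stack has no {EXTERNAL_ID_PARAM} parameter")
    return params


def rotate_external_id(stack_name, region, new_external_id=None):
    """Run the rotation against AWS and return the new external ID (needs boto3)."""
    import boto3  # imported here so the pure helpers above work without it

    cfn = boto3.client("cloudformation", region_name=region)
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    new_external_id = new_external_id or generate_external_id()
    cfn.update_stack(
        StackName=stack_name,
        UsePreviousTemplate=True,
        Parameters=build_update_parameters(stack.get("Parameters", []), new_external_id),
        Capabilities=["CAPABILITY_NAMED_IAM"],
    )
    cfn.get_waiter("stack_update_complete").wait(StackName=stack_name)
    # The new value now exists only here: put it in your secret store before
    # returning it, and share it with Cloudwick only when access should be restored.
    return new_external_id


# Constructed sample of the Parameters list describe_stacks returns for the stack.
SAMPLE_PARAMETERS = [
    {"ParameterKey": "pProjectShortName", "ParameterValue": "acme"},
    {"ParameterKey": "pEnvironment", "ParameterValue": "prod"},
    {"ParameterKey": "pTrustedAccountId", "ParameterValue": "111122223333"},
    {"ParameterKey": "pExternalId", "ParameterValue": "0123456789abcdef0123456789abcdef"},
]

if __name__ == "__main__":
    # Dry run on the sample; call rotate_external_id(stack_name, region) for real.
    for param in build_update_parameters(SAMPLE_PARAMETERS, generate_external_id()):
        print(param)
```

Running the module performs only the dry run on the constructed sample; rotate_external_id is the call that actually changes the stack, and it waits for the update to finish so that a failed update (for example a template validation error) surfaces before you discard the old external ID.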

Time-limiting access with a trust-policy condition

As an alternative to rotating the external ID, you can restrict Cloudwick (CMP) account access to the deploy role by adding a time-based condition to the role's trust policy. This limits how long the trusted Cloudwick CMP account can assume the role; after the cutoff, all attempts are denied even if the correct external ID is supplied.

For example, to allow access only until February 10, 2026 at 13:00 UTC, update the statement in the trust relationship policy that grants the Cloudwick CMP account sts:AssumeRole (leave the CloudFormation service-principal statement unchanged; a bare account ID in the AWS principal is equivalent to arn:aws:iam::<account-id>:root):

```json
{
  "Effect": "Allow",
  "Principal": { "AWS": "<Cloudwick CMP Trusted Account-Id>" },
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringEquals": { "sts:ExternalId": "<your-external-id>" },
    "DateLessThan": { "aws:CurrentTime": "2026-02-10T13:00:00Z" }
  }
}
```
  • The DateLessThan condition ensures access is granted only before the specified date and time. After that, even with a valid external ID, assume-role requests are denied.
  • Trust-policy conditions are evaluated when sts:AssumeRole is called, so the cutoff (like the external-ID rotation above) does not terminate role sessions issued before it; those stay valid until they expire, up to the role's maximum session duration. To cut those off as well, use the role's "Revoke active sessions" action in the IAM console, which attaches an inline deny policy conditioned on aws:TokenIssueTime.

Tip: Using DateLessThan for aws:CurrentTime provides a clear and reversible way to block or pause deployments after a set date without deleting the role or stack.

To re-enable or extend the Cloudwick CMP account's access, simply update the trust policy:

  • Adjust the timestamp in aws:CurrentTime to a new date in the future, or
  • Remove the DateLessThan condition entirely.

You can update the trust policy manually in the IAM console or by updating/redeploying the CloudFormation stack with the correct conditions and parameters. A manual edit to a role that CloudFormation manages shows up as stack drift, and a later stack update can overwrite it, so record the change and prefer a stack update where the template supports the condition.
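Before and after either change it is worth checking that the trust policy still has the shape this page describes: a CloudFormation service-principal statement, a statement for the CMP account that requires sts:ExternalId, and, if you are time-boxing access, a DateLessThan condition that has not silently expired. The code below is an added example for this page, not Cloudwick's own tooling. It works on the document returned by aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument, inspects those properties, and produces the time-limited or restored variant of the policy without touching the external-ID condition or the CloudFormation statement. The sample policy, the placeholder account ID 111122223333 and the sample external ID are constructed for the example.

```python
"""Inspect and time-limit the deploy role's trust policy.

Added example for this page, not Cloudwick's own tooling. Assumptions: the CMP
principal is identified by its AWS account ID (bare or as arn:aws:iam::<id>:root)
and the CloudFormation statement uses the cloudformation.amazonaws.com service
principal, as the trust policy described on this page does.
"""
import copy
import json
from datetime import datetime, timezone

CFN_SERVICE = "cloudformation.amazonaws.com"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the form IAM uses for aws:CurrentTime


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_accounts(stmt):
    """Account IDs named in the statement's AWS principal."""
    aws = _as_list(stmt.get("Principal", {}).get("AWS", []))
    return {p.split(":")[4] if p.startswith("arn:") else p for p in aws}


def parse_time(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def find_cmp_statement(policy, trusted_account_id):
    """Return the Allow sts:AssumeRole statement for the CMP account, or None."""
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and trusted_account_id in _principal_accounts(stmt)):
            return stmt
    return None


def check_trust_policy(policy, trusted_account_id, now=None):
    """Summarise the properties this page cares about, as of `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    result = {"cloudformation_can_assume": False, "cmp_statement": False,
              "external_id_required": False, "cutoff": None,
              "cmp_blocked_by_cutoff": False}
    for stmt in policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt.get("Effect") == "Allow" and CFN_SERVICE in services:
            result["cloudformation_can_assume"] = True
    stmt = find_cmp_statement(policy, trusted_account_id)
    if stmt is None:
        return result
    result["cmp_statement"] = True
    cond = stmt.get("Condition", {})
    result["external_id_required"] = "sts:ExternalId" in cond.get("StringEquals", {})
    cutoff = cond.get("DateLessThan", {}).get("aws:CurrentTime")
    if cutoff:
        result["cutoff"] = cutoff
        # DateLessThan allows only while now < cutoff, so at or after it CMP is blocked.
        result["cmp_blocked_by_cutoff"] = now >= parse_time(cutoff)
    return result


def with_cutoff(policy, trusted_account_id, cutoff):
    """Copy of the policy with the CMP statement limited to aws:CurrentTime < cutoff.

    Only the CMP statement changes; the external-ID condition and the
    CloudFormation statement are left exactly as they were. `cutoff` must be
    a timezone-aware datetime.
    """
    new = copy.deepcopy(policy)
    stmt = find_cmp_statement(new, trusted_account_id)
    if stmt is None:
        raise ValueError("no sts:AssumeRole statement for account " + trusted_account_id)
    stamp = cutoff.astimezone(timezone.utc).strftime(TIME_FMT)
    stmt.setdefault("Condition", {}).setdefault("DateLessThan", {})["aws:CurrentTime"] = stamp
    return new


def without_cutoff(policy, trusted_account_id):
    """Copy of the policy with the time limit removed (access restored)."""
    new = copy.deepcopy(policy)
    stmt = find_cmp_statement(new, trusted_account_id)
    if stmt is not None:
        stmt.get("Condition", {}).pop("DateLessThan", None)
    return new


def apply_trust_policy(role_name, policy):
    """Push the document to IAM (needs boto3 and iam:UpdateAssumeRolePolicy)."""
    import boto3  # imported here so the pure functions above work offline

    boto3.client("iam").update_assume_role_policy(
        RoleName=role_name, PolicyDocument=json.dumps(policy))


# Constructed sample trust policy shaped like the one this page describes.
TRUSTED_ACCOUNT = "111122223333"  # placeholder, not Cloudwick's real account ID
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CFN_SERVICE},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "ExampleExternalId0123"}}},
    ],
}

if __name__ == "__main__":
    limited = with_cutoff(SAMPLE_POLICY, TRUSTED_ACCOUNT, parse_time("2026-02-10T13:00:00Z"))
    print(json.dumps(check_trust_policy(limited, TRUSTED_ACCOUNT), indent=2))
```

Run check_trust_policy on the live document periodically as well as at change time: a cutoff that has passed looks identical to a deliberate block, and the check is what tells you whether a failed CMP deployment is expected or not. apply_trust_policy is the only function that writes to AWS.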