CrossAccountResourceConsumer
Utility class for consuming AWS resources from different accounts using cross-account access patterns.
This class provides methods to import and reference resources (such as SSM parameters) that exist in different AWS accounts. It handles the complexity of cross-account resource ARN construction and CloudFormation parameter creation for secure resource sharing across account boundaries.
The class is designed to work with the MARE foundation infrastructure where resources are often shared between accounts.
Source code in mare_aws_common_lib/helpers/cross_account_resource_consumer.py
Attributes
_app_helper = app_helper (instance attribute)
Functions
__init__(app_helper)
Initialize the CrossAccountResourceConsumer with application context.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| app_helper | ApplicationHelper | Helper instance containing application configuration, region information, and parameter naming utilities required for cross-account resource operations. | required |
Source code in mare_aws_common_lib/helpers/cross_account_resource_consumer.py
import_ssm_parameter(scope, parameter_key, producer_account_id, secret_env_suffix, logical_id_prefix)
Import an SSM parameter from another AWS account using CloudFormation parameters.
Creates a CloudFormation parameter that references an SSM parameter in a different AWS account. This enables secure cross-account parameter sharing without hardcoding values or requiring complex IAM cross-account roles for runtime access.
The method constructs the parameter ARN using the producer account ID and creates a CloudFormation parameter that can be resolved during stack deployment.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| scope | Construct | CDK construct scope where the CloudFormation parameter will be created | required |
| parameter_key | str | Base parameter key that will be formatted using organizational naming conventions (domain/project/env/key) | required |
| producer_account_id | str | AWS account ID where the SSM parameter exists. This should typically be the foundation account or another trusted account | required |
| secret_env_suffix | str | Environment suffix for the parameter (currently unused in implementation but reserved for future environment-specific parameter handling) | required |
| logical_id_prefix | str | Prefix for the CloudFormation logical ID to ensure uniqueness and provide context (e.g., "database", "encryption-key") | required |
Returns:
| Name | Type | Description |
|---|---|---|
| CfnParameter | CfnParameter | CloudFormation parameter that resolves to the SSM parameter value from the producer account during stack deployment. The parameter type is AWS::SSM::Parameter::Value |
Raises:
| Type | Description |
|---|---|
| ValueError | If the application helper is not properly configured with required region or parameter naming information |
| AttributeError | If the scope is not a valid CDK construct |
Note
- The producer account must have appropriate IAM policies allowing cross-account SSM parameter access
- The parameter ARN is constructed using the format: arn:aws:ssm:{region}:{producer_account}:parameter/{formatted_parameter_name}
- The CloudFormation parameter type AWS::SSM::Parameter::Value automatically resolves the parameter value during deployment
- The secret_env_suffix parameter is currently unused but reserved for future environment-specific parameter resolution
Source code in mare_aws_common_lib/helpers/cross_account_resource_consumer.py
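The following is an added example, not code from mare_aws_common_lib: a check a consumer stack could run before calling import_ssm_parameter, so that the ARN in the documented format is only built for a trusted producer account. The function names, the allow-list, the sample account ID and the leading-slash /domain/project/env/key layout are assumptions made for illustration.

```python
import re

# Constructed sample value: the one producer (foundation) account this consumer trusts.
TRUSTED_PRODUCER_ACCOUNTS = frozenset({"111122223333"})

_ACCOUNT_ID = re.compile(r"[0-9]{12}")
_REGION = re.compile(r"[a-z]{2}(-[a-z]+)+-[0-9]")
_NAME_SEGMENT = re.compile(r"[A-Za-z0-9_.-]+")


def format_parameter_name(domain, project, env, key):
    """Hypothetical stand-in for the library's naming helper: /domain/project/env/key."""
    segments = [domain, project, env, *key.split("/")]
    for segment in segments:
        # Rejects empty segments, whitespace and wildcards such as '*'.
        if not _NAME_SEGMENT.fullmatch(segment):
            raise ValueError(f"invalid parameter name segment: {segment!r}")
    return "/" + "/".join(segments)


def build_producer_parameter_arn(region, producer_account_id, parameter_name,
                                 trusted_accounts=TRUSTED_PRODUCER_ACCOUNTS):
    """Build the ARN in the documented format after validating every component."""
    if not _REGION.fullmatch(region):
        raise ValueError(f"invalid region: {region!r}")
    if not _ACCOUNT_ID.fullmatch(producer_account_id):
        raise ValueError("producer_account_id must be exactly 12 digits")
    # Resolving a value from an account outside the allow-list would let that
    # account decide what the consumer stack deploys with.
    if producer_account_id not in trusted_accounts:
        raise ValueError(f"account {producer_account_id} is not a trusted producer")
    # A leading '/' in the name would otherwise produce 'parameter//...'.
    name = parameter_name.lstrip("/")
    if not name:
        raise ValueError("parameter name is empty")
    return f"arn:aws:ssm:{region}:{producer_account_id}:parameter/{name}"


if __name__ == "__main__":
    param = format_parameter_name("data", "billing", "prod", "db/endpoint")
    print(build_producer_parameter_arn("eu-west-1", "111122223333", param))
```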