Skip to main content

Service Provider Access

Codified setup of trusted access for 3rd party service or solution providers to your AWS account(s).

Quick Start

Need a refresh on how to use and configure patterns?

Pattern Basics

  • What is a worX pattern?
  • What are the different types of pattern?
  • What standards are used in patterns?
  • What if I already use Terraform?
  • How can I use patterns alongside my existing Terraform?

Configuring Patterns

  • How are patterns configured?
  • What are Pattern Features and Unit Features?
  • How can I understand the impact of enabling a feature?
  • What else can I configure in a pattern?

Accessing worX

  • How do I register an account?
  • How do I access the patterns?
  • How do I integrate with Terraform?
  • Where can I find examples?

Pattern Summary

This pattern represents one side of a pair of patterns that provide a means for AWS service providers to connect securely to AWS customer accounts without having to create IAM users or share API credentials that may be allocated elevated permissions.

This pattern can be used by the AWS customer to create and manage access for their Service Providers with some additional settings for restricting how these permissions can be accessed by the Service Provider.

Customer Flow

  1. The customer uses the Service Provider Access pattern to create a cross-account trust from the Service Providers's account to their own, assigning permissions via existing policies in their account or using a custom IAM Policy if required.
  2. An optional 2nd factor can be added (external-id) as a means to limit when this access is available
  3. When provisioned, the pattern will generate ARNs that represent the roles the Service Provider can assume only from their designated Service Provider account.
  4. These ARNs can then be safely shared via email as they contain no credentials and can only be made use of when combined with a 2nd factor provided by the customer


Pattern Features


Feature Information
DescriptionProvides the ability to attach custom IAM policy to the delegated IAM role.
Default StateDisabled

Feature Options

  • content

    Setting is?Optional
    Default valueSee below for default


Feature Information
DescriptionProvides the ability to attach existing IAM policies to the delegated IAM role.
Default StateDisabled

Feature Options

  • arns

    Setting is?Optional
    Default value['arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess']

Pattern Options

  • external_aws_account_id

    Setting is?Required
    Example value123456789123
  • external_id

    Setting is?Optional
    Default valueNone
  • require_mfa

    Setting is?Optional
    Default valueFalse
  • max_session_duration

    Setting is?Optional
    Default value3600

Reference Example

Below is a complete reference example that you can use to get started. You can find out how to access the entire pattern library and configure your Terraform workspace over on our How do I access worX? guide in our Core Concepts section of the documentation.

Create the following files with contents in a working directory of your choosing.

Terraform Code
# Provider config
terraform {

required_version = "~> 1.5"

required_providers {
aws = {
version = "~> 5.0"
source = "hashicorp/aws"


# Pattern usage
module "worx_service_provider_access" {

source = ""
version = "1.1.0"

configuration_file = pathexpand("example.yml")


Pattern Configuration

org: "HT"
lifecycle: "DEV"
Project: SP

enabled: true
content: |
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
enabled: true
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess

external_aws_account_id: 123456789012
external_id: skW@0l
service_provider_requires_mfa: false

Deploying Pattern

# Initialise and download any providers and modules
terraform init

# Compile the show the target state for resources to be managed
terraform plan -out=worx.plan

# Deploy and manage the resources
terraform apply worx.plan