by cddotdotslash 1033 days ago
For what it’s worth, literally every vendor that operates in its customers’ AWS accounts does this. Create a cross-account role, trust the vendor’s account, and give it read-only permissions (although don’t use the built-in “read only” role since that includes access to things like S3 objects).
1 comments

At my current job I can trigger a pipeline to deploy a complex set of cloud formation stacks but my account doesn’t have access to logs of those deployments. Devops!
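The cross-account pattern the top comment describes, written out as an added example (not code from either commenter): a trust policy that lets only the vendor's account assume the role, gated on an `sts:ExternalId` condition, plus a scoped permissions policy that exposes configuration metadata but not S3 object contents. The account IDs and ExternalId are placeholders, the "ReadOnlyAccess-style" excerpt is a constructed fragment that illustrates why wildcards such as `s3:Get*` are too broad (the real managed policy is far longer), and `policy_allows` is a coarse review helper that deliberately ignores `Resource` and `Condition`, so it is not a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Placeholder account IDs and ExternalId (constructed for this example, not real values).
CUSTOMER_ACCOUNT_ID = "111111111111"
VENDOR_ACCOUNT_ID = "222222222222"
EXTERNAL_ID = "example-external-id-replace-me"  # agreed with the vendor out of band

# Trust policy: only the vendor account may assume the role, and only with the ExternalId
# (the ExternalId condition mitigates the confused-deputy problem between vendor tenants).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }
    ],
}

# Constructed excerpt in the style of the managed ReadOnlyAccess policy: the s3:Get*
# wildcard covers s3:GetObject, i.e. it lets the vendor read bucket contents.
BROAD_READ_ONLY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"}
    ],
}

# Scoped policy for the vendor role: infrastructure and bucket metadata only, with an
# explicit Deny on object reads so a later, broader Allow cannot silently reopen them.
SCOPED_VENDOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeInfrastructure",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "cloudtrail:LookupEvents"],
            "Resource": "*",
        },
        {
            "Sid": "BucketMetadataOnly",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetEncryptionConfiguration",
            ],
            "Resource": "*",
        },
        {
            "Sid": "NeverReadObjects",
            "Effect": "Deny",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """Return True if `policy` grants `action` (case-insensitive, wildcard-aware).

    Mirrors the one IAM rule that matters for this review: an explicit Deny beats any
    Allow. Resource and Condition blocks are ignored, so this is a coarse screening
    helper, not a full policy simulator.
    """
    action = action.lower()
    allowed = denied = False
    for stmt in policy["Statement"]:
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action, p) for p in patterns):
            if stmt["Effect"] == "Deny":
                denied = True
            elif stmt["Effect"] == "Allow":
                allowed = True
    return allowed and not denied


def trust_requires_external_id(trust_policy):
    """True if every sts:AssumeRole grant in the trust policy is gated on sts:ExternalId."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "sts:assumerole" not in actions:
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            return False
    return True


if __name__ == "__main__":
    for name, policy in [
        ("ReadOnlyAccess-style excerpt", BROAD_READ_ONLY_EXCERPT),
        ("scoped vendor policy", SCOPED_VENDOR_POLICY),
    ]:
        print(f"{name}: grants s3:GetObject = {policy_allows(policy, 's3:GetObject')}")
    print("trust policy requires ExternalId:", trust_requires_external_id(TRUST_POLICY))
    print(json.dumps(TRUST_POLICY, indent=2))
```

Running the script shows the broad excerpt granting `s3:GetObject` while the scoped policy does not, which is exactly the distinction the comment draws between "read only" as a label and read-only as a permission boundary; the `trust_requires_external_id` check is the kind of thing worth wiring into a policy-as-code test so a vendor role can never be created without the ExternalId condition.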