Cross Account Access Using IAM Roles
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed Identity Providers and Federation in AWS, and created our first IdP (identity provider) using SAML (Azure AD).
https://cloudaffaire.com/identity-providers-and-federation/
In this blog post, we are going to discuss how to get cross account access using IAM roles.
Cross Account Access Using IAM Roles:
You can grant your IAM users permission to switch to roles within your AWS account or to roles defined in other AWS accounts that you own. The IAM user can have both console and programmatic access. The account that provides the access (the one that owns the role) is known as the trusting account, and the account to which you grant the access is known as the trusted account.
Prerequisite:
- Two AWS accounts with proper access.
In this demo, we will use the two AWS accounts below:
Trusting Account: 636476423541
Trusted Account: 634426279254
Step 1: Log in to the AWS console of the trusting account (where you will provide the access, account 636476423541) and navigate to ‘IAM’.
Step 2: Navigate to ‘Roles’ and click ‘Create role’.
Select ‘Another AWS account’ as the type of trusted entity, provide the trusted account ID (Trusted Account: 634426279254) and click ‘Next: Permissions’.
Select a policy and click ‘Next: Tags’.
Note: We are granting the trusted account full admin access in the trusting account.
Provide a description and click ‘Next: Review’.
Provide the role name and description and click ‘Create role’.
Our role has been created successfully. Copy the Role ARN; it is needed again in step 6.
Console Access:
Step 3: Log in to the AWS console with an IAM user of the trusted account (Trusted Account 634426279254). Expand the IAM user name and click ‘Switch Role’.
Provide the trusting account ID and the role name created in step 2, then click ‘Switch Role’.
You are now in the console of the trusting account.
Step 4: Switch back to the trusted account and navigate to IAM.
Programmatic Access:
Next, we need to create a policy in the trusted account that grants sts:AssumeRole on the role we created in the trusting account, and attach that policy to the role the EC2 instance runs with. That is what gives us cross-account programmatic access. Below is a short summary in case the account names are confusing:
Trusting Account: 636476423541
Role: admin@634426279254
Trusted Account: 634426279254
Role: cloudwatc-custom-mon-role
Make sure an EC2 instance is running in the trusted account with the ‘cloudwatc-custom-mon-role’ instance role. From that instance we will assume the ‘admin@634426279254’ role with the AWS CLI to get programmatic access to the trusting account.
Step 5: Click ‘Create Policy’ located under ‘Policies’
Step 6: Select JSON and paste below policy statement. Click ‘Review Policy’.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::636476423541:role/admin@634426279254"
    }
  ]
}
Note: Replace the role ARN in "Resource" with the Role ARN you copied at the end of step 2.
Step 7: Provide the policy name and description and click ‘Create policy’.
Step 8: Navigate to your EC2 instance role
Step 9: Click ‘Attach policies’.
Step 10: Select the policy created in step 7. Click ‘Attach Policy’.
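The same two policy documents (the trust policy behind step 2 and the sts:AssumeRole policy from step 6) can be produced and applied with the AWS CLI instead of the console. The script below is an added example, not code from the CloudAffaire post; it uses the post's account IDs and role names, and the only addition is that the trust policy names the single EC2 role as principal rather than the whole trusted account, which the console's ‘Another AWS account’ option would do. Nothing is sent to AWS unless APPLY=1 is set.

```shell
#!/bin/bash
# Added example (not from the CloudAffaire post): build the trust policy for the
# role in the trusting account and the sts:AssumeRole policy for the EC2 role in
# the trusted account, then apply them with the AWS CLI when APPLY=1.
# Account ids and role names are the ones used in the post.

TRUSTING_ACCOUNT="636476423541"   # owns the role that gets assumed
TRUSTED_ACCOUNT="634426279254"    # owns the EC2 instance role
CROSS_ROLE="admin@634426279254"
EC2_ROLE="cloudwatc-custom-mon-role"

# Build an IAM role ARN from an account id and a role name.
role_arn() {
  printf 'arn:aws:iam::%s:role/%s' "$1" "$2"
}

# Reject anything that is not exactly 12 digits before it lands in a policy.
valid_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; esac; return 0 ;;
    *) return 1 ;;
  esac
}

# Trust policy for the cross-account role. The console's "Another AWS account"
# choice trusts the account root, i.e. every principal in 634426279254 that has
# sts:AssumeRole; naming the one EC2 role keeps everyone else out.
make_trust_policy() {
  principal_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "${principal_arn}" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Identity policy for the EC2 role: all it needs is sts:AssumeRole on one ARN.
make_assume_policy() {
  role_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "${role_arn}"
    }
  ]
}
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
  valid_account_id "$TRUSTING_ACCOUNT" || exit 1
  valid_account_id "$TRUSTED_ACCOUNT" || exit 1
  # Run with credentials for the trusting account (the post's step 2).
  make_trust_policy "$(role_arn "$TRUSTED_ACCOUNT" "$EC2_ROLE")" > trust.json
  aws iam create-role --role-name "$CROSS_ROLE" \
      --assume-role-policy-document file://trust.json
  # The post grants full admin; a narrower managed policy works the same way.
  aws iam attach-role-policy --role-name "$CROSS_ROLE" \
      --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  # Run with credentials for the trusted account (the post's steps 5 to 10).
  make_assume_policy "$(role_arn "$TRUSTING_ACCOUNT" "$CROSS_ROLE")" > assume.json
  aws iam put-role-policy --role-name "$EC2_ROLE" \
      --policy-name "assume-${CROSS_ROLE}" --policy-document file://assume.json
  rm -f trust.json assume.json
fi
```

Run it twice, once with credentials for each account, since the role is created in the trusting account and the inline policy is attached in the trusted one. Check the generated files before applying; the trust policy is the only place the trusting account decides who may assume the role, so it is the document to keep tight.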
Step 11: Login to your EC2 instance and test if you are able to assume the cross-account role.
Observe: the instance first obtained programmatic credentials for its own ‘cloudwatc-custom-mon-role’ role in the trusted account, then used them to assume the ‘admin@634426279254’ role in the trusting account.
We use the three shell scripts below to assume the roles.
Assume_local.sh:
#!/bin/bash
# Fetch the instance role's temporary credentials from the instance metadata service.
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/cloudwatc-custom-mon-role > cred.json
# The metadata document has top-level keys AccessKeyId, SecretAccessKey, Token and Expiration
# (no "Credentials" wrapper, unlike the sts assume-role output).
export AWS_ACCESS_KEY_ID=$(jq -r .AccessKeyId cred.json)
export AWS_SECRET_ACCESS_KEY=$(jq -r .SecretAccessKey cred.json)
export AWS_SESSION_TOKEN=$(jq -r .Token cred.json)
export AWS_EXPIRATION=$(jq -r .Expiration cred.json)
rm -f cred.json
Note: Replace ‘cloudwatc-custom-mon-role’ with your role.
Assume_global.sh
#!/bin/bash
# Assume the cross-account role in the trusting account using the instance role credentials.
aws sts assume-role --output json --role-arn arn:aws:iam::636476423541:role/admin@634426279254 --role-session-name assume-transitive > cred.json
# The assume-role output wraps the keys in a "Credentials" object.
export AWS_ACCESS_KEY_ID=$(jq -r .Credentials.AccessKeyId cred.json)
export AWS_SECRET_ACCESS_KEY=$(jq -r .Credentials.SecretAccessKey cred.json)
export AWS_SESSION_TOKEN=$(jq -r .Credentials.SessionToken cred.json)
export AWS_EXPIRATION=$(jq -r .Credentials.Expiration cred.json)
rm -f cred.json
Note: Replace the role admin@634426279254 with your role and install the jq package.
Clear.sh
#!/bin/bash
# Drop the exported session so the shell falls back to its default credentials.
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
unset AWS_EXPIRATION
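The three scripts above do the job but hide their failures: a rejected assume-role call leaves empty AWS_* variables behind and the next command fails with a confusing error. The script below is an added example, not code from the CloudAffaire post, that performs the same cross-account hop with the failure modes handled. It uses the post's role ARN and session name; the rest is this example's own design. It relies on the fact that on an EC2 instance the AWS CLI reads the instance role from the metadata service by itself, so Assume_local.sh is not needed for the CLI hop; it uses the CLI's --query option instead of jq; and it checks with sts get-caller-identity that the session really landed on the expected role in the expected account before declaring success.

```shell
#!/bin/bash
# Added example (not from the CloudAffaire post): the Assume_global.sh hop with
# error handling and an identity check. Role ARN and session name are the post's.
# Source this file (". ./assume.sh") and call assume_global so that the exported
# variables stay in your interactive shell; clear_creds removes them again.

TRUSTING_ACCOUNT="636476423541"
CROSS_ROLE="admin@634426279254"
CROSS_ROLE_ARN="arn:aws:iam::${TRUSTING_ACCOUNT}:role/${CROSS_ROLE}"
SESSION_NAME="assume-transitive"

# Account id embedded in an IAM or STS ARN (the field after "arn:partition:service:region:").
arn_account() {
  rest="${1#arn:*:*:*:}"
  printf '%s' "${rest%%:*}"
}

# True when a get-caller-identity ARN is an assumed-role session for the expected
# role in the expected account, e.g.
#   arn:aws:sts::636476423541:assumed-role/admin@634426279254/assume-transitive
is_expected_session() {
  actual_arn="$1"; expected_account="$2"; expected_role="$3"
  [ "$(arn_account "$actual_arn")" = "$expected_account" ] || return 1
  case "$actual_arn" in
    *":assumed-role/${expected_role}/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Export the AWS_* variables from one "key secret token expiration" line, which is
# what `--query ... --output text` prints. Refuses partial output.
export_creds() {
  set -- $1
  [ "$#" -eq 4 ] || { echo "unexpected credential output" >&2; return 1; }
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" \
         AWS_SESSION_TOKEN="$3" AWS_EXPIRATION="$4"
}

clear_creds() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_EXPIRATION
}

# Hop from the instance role into the trusting account and verify where we landed.
# This is role chaining (role credentials assuming another role), so the session
# cannot exceed one hour regardless of the role's maximum session duration.
assume_global() {
  clear_creds
  line=$(aws sts assume-role --role-arn "$CROSS_ROLE_ARN" \
           --role-session-name "$SESSION_NAME" --duration-seconds 3600 \
           --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
           --output text) || { echo "assume-role for $CROSS_ROLE_ARN failed" >&2; return 1; }
  export_creds "$line" || return 1
  actual=$(aws sts get-caller-identity --query Arn --output text) \
    || { clear_creds; return 1; }
  if ! is_expected_session "$actual" "$TRUSTING_ACCOUNT" "$CROSS_ROLE"; then
    echo "session is $actual, not the expected role; credentials dropped" >&2
    clear_creds
    return 1
  fi
  echo "now acting as $actual until $AWS_EXPIRATION"
}

# Only perform the hop when explicitly asked, so the file can be sourced safely.
if [ "${ASSUME_NOW:-0}" = "1" ]; then
  assume_global
fi
```

The identity check matters in the other direction too: when the session has expired or clear_creds has run, get-caller-identity shows the instance role again, which is the signal that any further command runs against the trusted account rather than the trusting one.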
Hope you have enjoyed this article. In the next blog post, we will discuss IAM policy elements.
To get more details on IAM, please refer below AWS documentation.
https://docs.aws.amazon.com/iam/index.html
Great post! Thanks, was really helpful.
Very helpful, great post.