Cross Account Access Using IAM Roles

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we discussed identity providers and federation in AWS, and we created our first identity provider (IdP) using SAML with Azure AD.

https://cloudaffaire.com/identity-providers-and-federation/

In this blog post, we are going to discuss how to get cross account access using IAM roles.

Cross Account Access Using IAM Roles:

You can grant your IAM users permission to switch to roles within your own AWS account or to roles defined in other AWS accounts (whether or not you own them). The IAM user can have console access, programmatic access, or both. The account that owns the role and the resources being accessed is the trusting account; the account whose principals are allowed to assume that role is the trusted account. The role's trust policy lives in the trusting account, and an identity-based policy allowing sts:AssumeRole on that role lives in the trusted account; for a cross-account switch, both must allow the call.

Prerequisite:

  • Two AWS accounts, with an administrator-level identity in each to create roles and policies.

In this demo, we will use below two AWS accounts

Trusting Account: 636476423541

Trusted Account: 634426279254

Step 1: Log in to the AWS console of the trusting account (where you will provide the access, account 636476423541) and navigate to ‘IAM’.

Step 2: Navigate to ‘Roles’ and click ‘Create role’.

Select ‘Another AWS account’ as the type of trusted entity, provide the trusted account ID (634426279254) and click ‘Next: Permissions’.

Select a permissions policy and click ‘Next: Tags’.

Note: In this demo we attach full administrator access, so every principal in the trusted account that is allowed to assume this role gets full admin rights in the trusting account. Outside a demo, attach only the permissions the cross-account caller actually needs.

Provide a description and click ‘Next: Review’.

Provide the role name and description and click ‘Create role’.

The role has been created successfully; copy the role ARN, since it will be needed when we write the assume-role policy in the trusted account.
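
For readers who prefer the CLI, here is the trusting-account side of Steps 1 and 2 as a script. This is an added example, not a script from the original post: it assumes the AWS CLI is configured with credentials for the trusting account (636476423541), takes the trusted account ID and the role name admin@634426279254 from this post, uses the AdministratorAccess managed policy to match the full-admin note above, and only calls AWS when run with an assumed `--apply` flag so that the policy-building functions can be exercised offline. The `trust_policy_is_sane` check is the guard a practitioner would want before creating a role that another account can assume: it refuses a wildcard principal and confirms the principal is the account you meant to trust.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of Steps 1-2,
# run with credentials for the TRUSTING account (636476423541).
# Account IDs and the role name come from the post; the permissions policy
# (AdministratorAccess) mirrors the post's note about full admin access.
set -eu

TRUSTED_ACCOUNT="634426279254"
ROLE_NAME="admin@634426279254"
PERMISSIONS_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Trust policy: who may call sts:AssumeRole on this role.
# Trusting the account root delegates the decision to the trusted account's
# own IAM policies (any principal there that is allowed sts:AssumeRole on
# this role's ARN can use it). To restrict it to one principal, replace
# ":root" with e.g. ":role/cloudwatc-custom-mon-role".
trust_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Sanity check on a trust policy document before it is applied: the principal
# must be the account we intend to trust and must never be a wildcard.
trust_policy_is_sane() {
    doc="$1"
    expected="$2"
    case "$doc" in
        *'"AWS": "*"'*) return 1 ;;
    esac
    case "$doc" in
        *"arn:aws:iam::$expected:root"*) return 0 ;;
    esac
    return 1
}

# Creates the role and attaches the permissions policy (needs the AWS CLI).
create_cross_account_role() {
    doc="$(trust_policy "$TRUSTED_ACCOUNT")"
    trust_policy_is_sane "$doc" "$TRUSTED_ACCOUNT" || {
        echo "refusing to create role with an unexpected trust policy" >&2
        return 1
    }
    aws iam create-role \
        --role-name "$ROLE_NAME" \
        --description "Cross-account admin role for account $TRUSTED_ACCOUNT" \
        --assume-role-policy-document "$doc" \
        --query 'Role.Arn' --output text
    aws iam attach-role-policy \
        --role-name "$ROLE_NAME" \
        --policy-arn "$PERMISSIONS_POLICY_ARN"
}

# Only talk to AWS when explicitly asked (assumed flag), so the functions
# above can be inspected and tested without an AWS account.
if [ "${1:-}" = "--apply" ]; then
    create_cross_account_role
fi
```

Run it as `sh create-role.sh --apply` from a shell holding trusting-account credentials; the printed role ARN is the value the console step above tells you to copy.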

Console Access:

Step 3: Log in to the AWS console as an IAM user of the trusted account (634426279254). Expand the IAM user name and click ‘Switch Role’. The user must itself be allowed to call sts:AssumeRole on the role ARN; an administrator user already is, otherwise attach a policy like the one created in Step 6 below.

Provide the trusting account ID (636476423541) and the role name created in Step 2, then click ‘Switch Role’.

You are now in the console of the trusting account, acting with the permissions of the role you assumed.

Step 4: Switch back to the trusted account and navigate to IAM.

Programmatic Access:

Next, we need to create a policy in the trusted account that grants sts:AssumeRole on the role we created in the trusting account, and attach it to the IAM role used by our EC2 instance; that is what gives the instance cross-account programmatic access. Because the role's trust policy trusts the whole trusted account (its root principal), the trusted account decides, through identity-based policies like this one, which of its principals may actually assume the role. To summarize the accounts and roles involved:

  • Trusting account 636476423541: role admin@634426279254 (the cross-account role to be assumed)

  • Trusted account 634426279254: role cloudwatc-custom-mon-role (the EC2 instance role that will assume it)

Make sure one EC2 instance is running in the trusted account with the ‘cloudwatc-custom-mon-role’ instance role. From that instance we will assume the ‘admin@634426279254’ role using the AWS CLI to get programmatic access to the trusting account.

Step 5: Click ‘Create Policy’ under ‘Policies’.

Step 6: Select JSON and paste below policy statement. Click ‘Review Policy’.

Note: Replace the role ARN in the policy with the one you copied at the end of Step 2. The Resource must name that exact role ARN; a wildcard would let the instance assume any role, in any account, whose trust policy trusts 634426279254.

Step 7: Provide the policy name and description and click ‘Create policy’.

Step 8: Navigate to the IAM role attached to your EC2 instance (cloudwatc-custom-mon-role).

Step 9: Click ‘Attach policies’.

Step 10: Select the policy created in Step 7 and click ‘Attach Policy’.

Step 11: Log in to your EC2 instance and test whether you can assume the cross-account role.

Observe: The instance first obtains credentials for the trusted account from its ‘cloudwatc-custom-mon-role’ instance role, then uses those credentials to assume the ‘admin@634426279254’ role in the trusting account.

We use three shell scripts to assume the role; they are provided below.

Assume_local.sh:

Note: Replace ‘cloudwatc-custom-mon-role’ with your role

Assume_global.sh

Note: Replace the role admin@634426279254 with your own role, and install the jq package.

Clear.sh
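
To tie Steps 5 to 11 and the three helper scripts together, here is the trusted-account side as one script. It is an added example, not the post's own Assume_local.sh, Assume_global.sh or Clear.sh: it assumes the AWS CLI is run on the EC2 instance in the trusted account (634426279254) whose instance role is cloudwatc-custom-mon-role, so the instance-profile credentials are read from the instance metadata service by the CLI itself. The policy document is the shape the Step 6 policy takes (the post's JSON is not reproduced here), the policy name, the `--attach`/`--assume`/`--clear` flags and the sample STS response are assumptions, and the STS output is parsed with sed rather than jq so that the parsing can be checked without jq installed; with jq you would write `jq -r .Credentials.AccessKeyId` and so on instead.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of Steps 5-11
# and the three helper scripts, run from the EC2 instance in the TRUSTED
# account (634426279254) whose instance role is cloudwatc-custom-mon-role.
set -eu

TRUSTING_ACCOUNT="636476423541"
TARGET_ROLE_ARN="arn:aws:iam::${TRUSTING_ACCOUNT}:role/admin@634426279254"
INSTANCE_ROLE="cloudwatc-custom-mon-role"
POLICY_NAME="AllowAssumeAdminIn${TRUSTING_ACCOUNT}"   # assumed name

# Identity-based policy for the trusted account (Step 6). It names the exact
# role ARN; "Resource": "*" would let this instance assume any role, in any
# account, whose trust policy trusts 634426279254.
assume_role_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "$1"
    }
  ]
}
EOF
}

# Steps 5-10 via the CLI: create the policy and attach it to the instance role.
attach_assume_policy() {
    policy_arn="$(aws iam create-policy \
        --policy-name "$POLICY_NAME" \
        --policy-document "$(assume_role_policy "$TARGET_ROLE_ARN")" \
        --query 'Policy.Arn' --output text)"
    aws iam attach-role-policy --role-name "$INSTANCE_ROLE" --policy-arn "$policy_arn"
}

# Turns the JSON printed by `aws sts assume-role` into export statements.
# The CLI pretty-prints one key per line, which is what the sed patterns rely on.
# Fails if any of the three credential fields is missing.
creds_to_exports() {
    json="$1"
    key=$(printf '%s\n' "$json" | sed -n 's/.*"AccessKeyId": *"\([^"]*\)".*/\1/p')
    secret=$(printf '%s\n' "$json" | sed -n 's/.*"SecretAccessKey": *"\([^"]*\)".*/\1/p')
    token=$(printf '%s\n' "$json" | sed -n 's/.*"SessionToken": *"\([^"]*\)".*/\1/p')
    [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
}

# Assume_global.sh equivalent. Usage: eval "$(sh cross.sh --assume)".
# The instance-profile credentials (trusted account) are what the CLI uses to
# make this call; the returned credentials belong to the trusting account and
# expire after the requested duration (here 1 hour).
assume_global() {
    out="$(aws sts assume-role \
        --role-arn "$TARGET_ROLE_ARN" \
        --role-session-name "from-${INSTANCE_ROLE}" \
        --duration-seconds 3600)"
    creds_to_exports "$out"
}

# Clear.sh equivalent: drop the assumed-role credentials so the CLI falls back
# to the instance role. Usage: eval "$(sh cross.sh --clear)".
clear_global() {
    printf 'unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN\n'
}

# Constructed sample of the STS response shape (not real credentials), used to
# show what creds_to_exports produces without calling AWS.
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "examplesecretkey",
        "SessionToken": "exampletoken",
        "Expiration": "2020-01-01T00:00:00Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:from-cloudwatc-custom-mon-role",
        "Arn": "arn:aws:sts::636476423541:assumed-role/admin@634426279254/from-cloudwatc-custom-mon-role"
    }
}'

case "${1:-}" in
    --attach) attach_assume_policy ;;
    --assume) assume_global ;;                         # eval the output in your shell
    --clear)  clear_global ;;
    *)        creds_to_exports "$SAMPLE_STS_JSON" ;;   # offline demo of the parser
esac
```

After `eval "$(sh cross.sh --assume)"`, `aws sts get-caller-identity` should report an assumed-role ARN in account 636476423541; after `eval "$(sh cross.sh --clear)"` it reports the instance role in 634426279254 again.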

Hope you have enjoyed this article. In the next blog post, we will discuss IAM policy elements.

To get more details on IAM, please refer below AWS documentation.

https://docs.aws.amazon.com/iam/index.html
