Delegate access across AWS accounts using IAM roles
Scenario
The developer asi-dev and the EC2 instance asi-dev-server require access to the S3 bucket asi-production-bucket residing in the asi-production account for development purposes.
Prerequisites
- Both development and production accounts must be already in place
- S3 bucket in the production account must be already created
- IAM group developers and IAM user dev must be already created
- EC2 instance dev-server must be created and in running state
Note: Please feel free to use your own naming convention for your resources
Solution
Step 1: Create IAM role and IAM policy in the production account
Step 2: Create an IAM policy for dev-server IAM role and developers group
Step 3: Attach IAM policy to the developers IAM group and dev-server IAM role
Step 4: Test access to S3 bucket using AWS CLI on local using access and secret keys and on EC2 instance using IAM role
Step 1: Create IAM role in the production account
- Login into the management console for the production account
- Before creating the role, prepare the managed policy that defines the permissions for the role requirements.
- Go to Services section and then IAM
- In the navigation pane, choose Policies and then choose Create policy.
- Choose the JSON tab and copy the text from the following JSON policy document. Paste this text into the JSON text box, replacing the resource ARN (arn:aws:s3:::asi-production-bucket) with the one for your Amazon S3 bucket.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::asi-production-bucket"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::asi-production-bucket/*"
    }
  ]
}
```
- Add tags of your choice
- On the Review page, enter readonly-asi-production-bucket for the policy name. You may add a Description if required. Review the policy Summary to see the permissions granted by your policy, and then choose Create policy.
- The new policy appears in the list of managed policies.
- In the navigation pane, choose Roles and then choose Create role.
- Choose the An AWS account role type.
- For Account ID, type the asi-development account ID.
To obtain the asi-development AWS account ID, click on your username at the top right; you’ll see Account ID with a copy button.
- Enter the role name readonly-asi-production-bucket and a description if required
- Choose Next to set the permissions associated with the role.
- Select the check box next to the policy that you created previously
- After reviewing the role, choose Create role.
- The readonly-asi-production-bucket role appears in the list of roles.
- Once the role is created, open it and check the Trust relationships tab; you’ll see something like the following
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<asi-development-account-no>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Step 2: Create IAM policy in the development account
- Login into the management console for the development account
- Choose Services and then IAM
- In the navigation pane, choose Policies and then choose Create policy.
- Choose the JSON tab and copy the text from the following JSON policy document. Paste this text into the JSON text box, replacing the resource ARN with the one for your IAM role created in the asi-production account.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<asi-production-account-no>:role/readonly-asi-production-bucket"
  }
}
```
- Add tags of your choice
- On the Review page, enter allow-assume-role-readonly-asi-production-bucket for the policy name. You may add a Description if required. Review the policy Summary to see the permissions granted by your policy, and then choose Create policy to save your work.
- The new policy appears in the list of managed policies.
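Before attaching anything, it is worth checking that the three documents from Step 1 and Step 2 grant exactly what the scenario needs and nothing more. The script below is an added example, not code from the original post: it re-reads the permissions policy, the trust policy and the development-account assume-role policy and reports findings. A "high" finding means the scope is wider than read-only access to one bucket from one account; the single "info" finding on the page's own trust policy records that the `:root` principal trusts the whole development account, so the Step 2 policy is what actually decides which developers and instances may assume the role (trusting a specific role or user ARN instead of `:root` would tighten this). The account IDs are constructed placeholders; everything else mirrors the post.

```python
# Added example (not from the original post): an offline least-privilege check
# of the three policy documents from Step 1 and Step 2. Account IDs below are
# constructed placeholders; substitute your own.

PROD_ACCOUNT = "111111111111"   # placeholder for the asi-production account ID
DEV_ACCOUNT = "222222222222"    # placeholder for the asi-development account ID
BUCKET_ARN = "arn:aws:s3:::asi-production-bucket"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/readonly-asi-production-bucket"

# Actions that are not bucket-scoped and therefore legitimately need Resource "*".
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}
# The only actions a read-only bucket role should carry.
READ_ONLY_ACTIONS = ACCOUNT_LEVEL_ACTIONS | {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"}

# The documents from the post as Python literals (json.loads gives the same shape).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": BUCKET_ARN},
        {"Sid": "VisualEditor2", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    ],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
                   "Action": "sts:AssumeRole", "Condition": {}}],
}
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
}


def _as_list(value):
    """IAM allows Statement, Action, Resource and Principal.AWS as one item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def audit_permissions_policy(policy, bucket_arn=BUCKET_ARN):
    """Findings as (severity, message): anything beyond read-only access to one bucket."""
    findings = []
    for stmt in _allow_statements(policy):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if "*" in action:
                findings.append(("high", f"{sid}: wildcard action {action}"))
            elif action not in READ_ONLY_ACTIONS:
                findings.append(("high", f"{sid}: non-read action {action}"))
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                if not set(actions) <= ACCOUNT_LEVEL_ACTIONS:
                    findings.append(("high", f"{sid}: Resource * for bucket-scoped actions"))
            elif res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(("high", f"{sid}: resource {res} is outside {bucket_arn}"))
    return findings


def audit_trust_policy(policy, trusted_account=DEV_ACCOUNT):
    """Findings for the role's trust policy, i.e. who may call sts:AssumeRole on it."""
    findings = []
    for stmt in _allow_statements(policy):
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(("high", f"trust policy also allows {action}"))
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for arn in aws_principals:
            if arn == "*":
                findings.append(("high", "trust policy allows every AWS principal"))
                continue
            # "arn:aws:iam::ACCOUNT:root" and a bare account ID both mean the whole account.
            account = arn.split(":")[4] if arn.count(":") >= 5 else arn
            if account != trusted_account:
                findings.append(("high", f"trust policy trusts unexpected account {account}"))
            elif arn.endswith(":root") or arn == account:
                findings.append(("info", f"account-wide trust: every identity in {account} "
                                 "that is granted sts:AssumeRole can assume this role"))
    return findings


def audit_assume_role_policy(policy, role_arn=ROLE_ARN):
    """Findings for the development-account policy that grants sts:AssumeRole."""
    findings = []
    for stmt in _allow_statements(policy):
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(("high", f"assume-role policy also allows {action}"))
        for res in _as_list(stmt.get("Resource")):
            if res != role_arn:
                findings.append(("high", f"assume-role policy targets {res}, not {role_arn}"))
    return findings


if __name__ == "__main__":
    for name, result in [("permissions", audit_permissions_policy(PERMISSIONS_POLICY)),
                         ("trust", audit_trust_policy(TRUST_POLICY)),
                         ("assume-role", audit_assume_role_policy(ASSUME_ROLE_POLICY))]:
        print(name, result or "OK")
```

Run it against the JSON you actually pasted into the console (load the files with `json.load` and pass the dicts to the three functions); a "high" finding on any of them means the role would reach further than the scenario calls for.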
Step 3: Attach IAM policy to the developers IAM group and dev-server IAM role
Create an IAM role for asi-dev-server
- Login into the management console for the development account
- In the navigation pane, choose Roles and then choose Create role.
- Choose the AWS Service role type.
- Choose Next to set the permissions associated with the role.
- Select the check box next to the policy that you created previously
- Enter the role name allow-assume-role-readonly-asi-production-bucket and description if required
- After reviewing the role, choose Create role.
- The allow-assume-role-readonly-asi-production-bucket appears in the list of roles.
Attach dev-server IAM role to asi-dev-server EC2 instance
- Go to Services and then search for EC2
- You can see the already created EC2 instance asi-dev-server
- Choose Actions, Security and then Modify IAM role
- Choose the role allow-assume-role-readonly-asi-production-bucket created in the previous step
- Choose Save
Add allow-assume-role-readonly-asi-production-bucket policy to IAM group
- Navigate to Services and then choose IAM
- Choose User groups from the navigation pane
- Choose asi-developers, navigate to the Permissions tab
- Choose Add permissions, Attach policies from the dropdown
- Select the checkbox next to allow-assume-role-readonly-asi-production-bucket policy
- Choose Add permissions
Step 4: Test access to S3 bucket using AWS CLI
Test access using asi-dev-server
- SSH into the EC2 instance asi-dev-server. Refer to the following link for more details: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
- Configure the asi-production role in the AWS CLI. Refer to the following link for more details: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
- Create the config file if it is not already present
```shell
vi ~/.aws/config
```
- Update the config file as below
```ini
[profile readonlys3crossaccount]
role_arn = arn:aws:iam::<asi-production-account-no>:role/readonly-asi-production-bucket
credential_source = Ec2InstanceMetadata
```
- Test the access using the below command
```shell
aws s3 ls s3://asi-production-bucket/ --profile readonlys3crossaccount
```
- You should be able to list all the files present in the S3 bucket
Test access from a local computer using asi-dev user credentials
- Make sure the AWS CLI is configured with asi-dev credentials on your local machine or from wherever you are trying to access the S3 bucket
- Run the below command to assume the production role and generate temporary credentials. Refer to the following link for more details: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
```shell
aws sts assume-role --role-arn "arn:aws:iam::<asi-production-account-no>:role/readonly-asi-production-bucket" --role-session-name "readonlys3crossaccount"
```
- Set up the temporary credentials generated in the previous step, replacing the placeholders with the AccessKeyId, SecretAccessKey and SessionToken values from the Credentials section of that command's output
```shell
export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken
```
- Test the access using the below command
```shell
aws s3 ls s3://asi-production-bucket/
```
- You should be able to list all the files present in the S3 bucket
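The two tests above can also be driven from Python, which is how an application on asi-dev-server or a developer's tooling would consume the role. The script below is an added example, not code from the original post; it assumes boto3 is installed for the live calls and uses a constructed placeholder for the production account ID. It mirrors both paths: the local-machine path calls sts:AssumeRole explicitly and turns the response into the same three environment variables as the export commands, while the EC2 path simply opens the readonlys3crossaccount profile and lets the SDK perform the assume-role from the instance metadata credentials. It also confirms, via GetCallerIdentity, that the session really is the assumed production role before listing the bucket.

```python
# Added example (not from the original post): the Step 4 tests driven from boto3.
# The account ID is a constructed placeholder; boto3 is assumed to be installed.
try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:          # the offline helpers below still work without the SDK
    boto3 = None
    ClientError = Exception

PROD_ACCOUNT = "111111111111"   # placeholder for the asi-production account ID
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/readonly-asi-production-bucket"
BUCKET = "asi-production-bucket"
SESSION_NAME = "readonlys3crossaccount"
PROFILE = "readonlys3crossaccount"          # the ~/.aws/config profile from the post


def credentials_to_env(assume_role_response):
    """Map an sts:AssumeRole response onto the three variables the CLI exports."""
    creds = assume_role_response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def identity_matches(caller_identity, role_arn=ROLE_ARN, session_name=SESSION_NAME):
    """True when a GetCallerIdentity result is the expected assumed-role session,
    i.e. arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION, and nothing else."""
    account = role_arn.split(":")[4]
    role_name = role_arn.rsplit("/", 1)[1]
    expected = f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"
    return caller_identity.get("Arn") == expected


def assume_from_developer_keys(duration_seconds=900):
    """Local-machine path: the asi-dev keys call sts:AssumeRole explicitly,
    mirroring 'aws sts assume-role'. Returns env vars for the temporary credentials."""
    sts = boto3.client("sts")   # picks up the asi-dev credentials configured for the CLI
    resp = sts.assume_role(RoleArn=ROLE_ARN, RoleSessionName=SESSION_NAME,
                           DurationSeconds=duration_seconds)   # 900 s is the STS minimum
    return credentials_to_env(resp)


def session_from_instance_profile():
    """EC2 path: role_arn + credential_source in the profile let boto3 perform the
    assume-role itself from the instance metadata credentials, as the CLI does."""
    return boto3.Session(profile_name=PROFILE)


def list_bucket(session, bucket=BUCKET, max_keys=100):
    """List object keys, which is what 'aws s3 ls' does under the hood."""
    s3 = session.client("s3")
    try:
        resp = s3.list_objects_v2(Bucket=bucket, MaxKeys=max_keys)
    except ClientError as exc:
        # AccessDenied here means the role or one of the three policies is wrong.
        raise RuntimeError(f"listing {bucket} failed: {exc.response['Error']['Code']}") from exc
    return [obj["Key"] for obj in resp.get("Contents", [])]


if __name__ == "__main__":
    # Local machine: explicit assume-role, then verify who we are before touching S3.
    env = assume_from_developer_keys()
    session = boto3.Session(aws_access_key_id=env["AWS_ACCESS_KEY_ID"],
                            aws_secret_access_key=env["AWS_SECRET_ACCESS_KEY"],
                            aws_session_token=env["AWS_SESSION_TOKEN"])
    if not identity_matches(session.client("sts").get_caller_identity()):
        raise SystemExit("not running as the expected production role session")
    print("\n".join(list_bucket(session)))
```

On the instance, replace the session construction in the main block with `session_from_instance_profile()`; the rest is unchanged. Keeping `DurationSeconds` at the minimum and checking the caller identity before use are the two habits worth carrying into any automation built on this role.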
Summary
In this blog, I walked you through the steps to delegate access across AWS accounts using IAM roles.
If you have any questions, please feel free to connect with me on LinkedIn
If you find this article helpful please feel free to clap!
Cheers!!