Delegate access across AWS accounts using IAM roles

Ajit Inamdar
5 min read · Mar 11, 2022

Scenario

The developer asi-dev and the EC2 instance asi-dev-server require access to the S3 bucket asi-production-bucket residing in the asi-production account for development purposes.

asi-dev IAM user and asi-dev-server EC2 instance requires access to asi-production-bucket

Pre-requisites

  • Both development and production accounts must be already in place
  • S3 bucket in the production account must be already created
  • IAM group asi-developers and IAM user asi-dev must be already created
  • EC2 instance asi-dev-server must be created and in the running state

Note: Please feel free to use your own naming convention for your resources

Solution

Step 1: Create IAM role and IAM policy in the production account

Step 2: Create an IAM policy for dev-server IAM role and developers group

Step 3: Attach IAM policy to the developers IAM group and dev-server IAM role

Step 4: Test access to the S3 bucket using the AWS CLI, from a local machine using access and secret keys and from the EC2 instance using the IAM role

Solution diagram

Step 1: Create IAM role in the production account

  • Log in to the management console for the production account
  • Before creating the role, prepare the managed policy that defines the permissions for the role requirements.
  • Go to Services section and then IAM
  • In the navigation pane, choose Policies and then choose Create policy.
  • Choose the JSON tab and copy the text from the following JSON policy document. Paste this text into the JSON text box, replacing the resource ARN (arn:aws:s3:::asi-production-bucket) with the one for your Amazon S3 bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::asi-production-bucket"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::asi-production-bucket/*"
    }
  ]
}
  • Add tags of your choice
  • On the Review page, enter readonly-asi-production-bucket for the policy name. You may add a Description if required. Review the policy Summary to see the permissions granted by your policy, and then choose Create policy.
  • The new policy appears in the list of managed policies.
  • In the navigation pane, choose Roles and then choose Create role.
  • Choose the AWS account role type.
  • For Account ID, type the asi-development account ID.
    To obtain the asi-development AWS account ID, click your username at the top right; the Account ID is shown there with a copy button.
  • Enter the role name readonly-asi-production-bucket and description if required
  • Choose Next to set the permissions associated with the role.
  • Select the check box next to the policy that you created previously
  • After reviewing the role, choose Create role.
  • The readonly-asi-production-bucket role appears in the list of roles.
  • Once the role is created, open it and check the Trust relationships tab; you’ll see something like the following
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<asi-development-account-no>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Step 2: Create IAM policy in the development account

  • Log in to the management console for the development account
  • Choose Services and then IAM
  • In the navigation pane, choose Policies and then choose Create policy.
  • Choose the JSON tab and copy the text from the following JSON policy document. Paste this text into the JSON text box, replacing the resource ARN with the one for your IAM role created in the asi-production account.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<asi-production-account-no>:role/readonly-asi-production-bucket"
  }
}
  • Add tags of your choice
  • On the Review page, enter allow-assume-role-readonly-asi-production-bucket for the policy name. You may add a Description if required. Review the policy Summary to see the permissions granted by your policy, and then choose Create policy to save your work.
  • The new policy appears in the list of managed policies.
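The three documents created so far (the role's permissions policy and trust policy from Step 1, and the AssumeRole policy from Step 2) only work when they agree with each other. The script below is an added example, not code from the original post: it embeds those three documents and checks offline that the chain holds for a given S3 action, using a deliberately simplified subset of IAM evaluation (Allow statements only, */? wildcards, account-root principals). The account IDs are placeholders for <asi-development-account-no> and <asi-production-account-no>.

```python
# Added example (not from the post). Simplified IAM: Allow-only, */? wildcards, no Deny/Conditions.
import fnmatch

DEV = "111111111111"   # placeholder for <asi-development-account-no>
PROD = "222222222222"  # placeholder for <asi-production-account-no>
ROLE_ARN = f"arn:aws:iam::{PROD}:role/readonly-asi-production-bucket"
BUCKET_ARN = "arn:aws:s3:::asi-production-bucket"

# Step 1: permissions policy readonly-asi-production-bucket (production account).
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}
# Step 1: trust policy generated for the role; ":root" trusts the whole dev account,
# so the sts:AssumeRole grant in Step 2 is what limits who can actually use it.
TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{DEV}:root"}, "Condition": {}}]}
# Step 2: policy allow-assume-role-readonly-asi-production-bucket (development account).
DEV_POLICY = {"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def allows(policy, action, resource):
    """True if some Allow statement in policy matches both action and resource."""
    return any(s.get("Effect") == "Allow" and _matches(s.get("Action", []), action)
               and _matches(s.get("Resource", []), resource)
               for s in _as_list(policy["Statement"]))

def trusts_account(trust_policy, account_id):
    """True if the trust policy lets principals of account_id call AssumeRole."""
    root = f"arn:aws:iam::{account_id}:root"
    return any(s.get("Effect") == "Allow" and _matches(s.get("Action", []), "sts:AssumeRole")
               and any(p in (account_id, root) for p in _as_list(s.get("Principal", {}).get("AWS", [])))
               for s in _as_list(trust_policy["Statement"]))

def can_perform(action, resource, dev=DEV_POLICY, trust=TRUST_POLICY, role=ROLE_POLICY):
    """Whole chain: dev side may call AssumeRole on the role, the role trusts the
    dev account, and the role's own policy allows the S3 action on the resource."""
    return (allows(dev, "sts:AssumeRole", ROLE_ARN) and trusts_account(trust, DEV)
            and allows(role, action, resource))

if __name__ == "__main__":
    for act, res in [("s3:GetObject", BUCKET_ARN + "/reports/q1.csv"),
                     ("s3:PutObject", BUCKET_ARN + "/reports/q1.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/x")]:
        print(f"{act:13} {res:48} -> {can_perform(act, res)}")
```

Running it shows GetObject on the production bucket allowed while PutObject and reads of any other bucket are refused, which is exactly the read-only scope the role is meant to grant.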

Step 3: Attach IAM policy to the developers IAM group and dev-server IAM role

Create an IAM role for asi-dev-server

  • Login into the management console for the development account
  • In the navigation pane, choose Roles and then choose Create role.
  • Choose the AWS Service role type.
  • Choose Next to set the permissions associated with the role.
  • Select the check box next to the policy that you created previously
  • Enter the role name allow-assume-role-readonly-asi-production-bucket and description if required
  • After reviewing the role, choose Create role.
  • The allow-assume-role-readonly-asi-production-bucket appears in the list of roles.

Attach dev-server IAM role to asi-dev-server EC2 instance

  • Go to Services and then search for EC2
  • You can see the already created EC2 instance asi-dev-server
  • Choose Actions, Security and then Modify IAM role
  • Choose the role allow-assume-role-readonly-asi-production-bucket created in the previous step
  • Choose Save

Add allow-assume-role-readonly-asi-production-bucket policy to IAM group

  • Navigate to Services and then choose IAM
  • Choose User groups from the navigation pane
  • Choose asi-developers, navigate to the Permissions tab
  • Choose Add permissions, Attach policies from the dropdown
  • Select the checkbox next to allow-assume-role-readonly-asi-production-bucket policy
  • Choose Add permissions

Step 4: Test access to S3 bucket using AWS CLI

Test access using asi-dev-server

  • Open the AWS CLI config file on the instance
vi ~/.aws/config
  • Update the config file as below
[profile readonlys3crossaccount]
role_arn = arn:aws:iam::<asi-production-account-no>:role/readonly-asi-production-bucket
credential_source = Ec2InstanceMetadata
  • Test the access using the below command
aws s3 ls s3://asi-production-bucket/ --profile readonlys3crossaccount
  • You should be able to list all the files present in the S3 bucket

Test access from a local computer using asi-dev user credentials

  • Assume the role using the asi-dev user's access key and secret key configured in the AWS CLI
aws sts assume-role --role-arn "arn:aws:iam::<asi-production-account-no>:role/readonly-asi-production-bucket" --role-session-name "readonlys3crossaccount"
  • Set up the temporary credentials generated from the previous step (they are in the Credentials section of the command output)
export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken
  • Test the access using the below command
aws s3 ls s3://asi-production-bucket/
  • You should be able to list all the files present in the S3 bucket

Summary

In this blog, I walked you through the steps to delegate access across AWS accounts using IAM roles.

If you have any questions, please feel free to connect with me on LinkedIn

If you find this article helpful please feel free to clap!
Cheers!!
