0
votes

For security reasons, we have a dev, QA, and a prod AWS account. We are using IAM roles for instances. This is working correctly on a per-account basis.

Now the requirement here is that we want to access multiple AWS services (such as S3, SQS, SNS, EC2, etc.) on one of the EC2 instances of the QA account from the Dev AWS account.

We have created an STS policy and a role allowing trusted entities from another AWS account, but somehow we are not able to attach this role to the EC2 instance.

Example STS policy:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::546161XXXXXX:role/AdminAccessToAnotherAccount"
      }
    }

AdminAccessToAnotherAccount: this is the AWS policy in the other account, with admin access.

This role is not listed when attaching a role to the EC2 instance.

Could you please edit your question and clarify what you have configured? Indicate what you have created and in which account you created it. For example, "a Role in the QA account configured with a Trust Policy", and show the policy. - John Rotenstein
@JohnRotenstein I think part of the confusion may be an assumption that if account B allows account A to assume this role, then this role (in account B) would be usable as an instance role in account A... which is not exactly how I believe it's intended to work... the instance role would need to be a native role in account A, which would be used by code on the instance to call AssumeRole in STS and access account B's resources with the credentials that returns... I'm not aware of a shortcut. - Michael - sqlbot
Is the above Trust Relationship in the remote account / current account? The problem is that you need to have ec2.amazonaws.com also in your trust relationship for the role to be attached to the EC2 instance. - krishna_mee2004
Trust Relationship is in the current account. Tried this as well but no success. `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::413985601798:role/AccessAndorraSandbox" } ] }` - beginnertopython
@JohnRotenstein This role we have created in the QA account. The AdminAccessToAnotherAccount policy is in the DEV account. We are trying to access the AdminAccessToAnotherAccount policy by creating STS in the QA account. - beginnertopython

1 Answer

5
votes

It appears that your situation is:

  • You have an EC2 instance in Account-1
  • An IAM Role ("Role-1") is assigned to the EC2 instance
  • You want to access resources in Account-2 from the EC2 instance

The following steps can enable this:

  • Create an IAM Role in Account-2 ("Role-2") with the permissions you want the instance to receive
  • Add a Trust policy to Role-2, trusting Role-1
  • Confirm that Role-1 has permission to call AssumeRole on Role-2
  • From the EC2 instance using Role-1, call AssumeRole on Role-2
  • It will return a set of credentials (Access Key, Secret Key, Token)
  • Use those credentials to access services in Account-2 (via aws configure --profile foo or an API call).
    • If you use aws configure, you will also need to manually edit the ~/.aws/credentials file to add the aws_session_token to the profile, since it is not requested by the CLI command.

Examples:
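The steps in the answer above, worked through as an added example (this is not code from the answer or the question). It shows the two policy documents the setup needs (Role-2's trust policy naming Role-1 as principal, with no Resource element, and Role-1's permission to call AssumeRole on Role-2), then calls STS AssumeRole with the instance's own credentials and writes the returned triple, session token included, into a named CLI profile. The account IDs, role names, profile name and the FakeSTS stand-in are assumptions for illustration; on a real instance boto3 picks up Role-1's credentials from the instance metadata service.

```python
"""Cross-account access from an EC2 instance: Role-1 (the instance role in
Account-1) assumes Role-2 (in Account-2) and uses the temporary credentials.

Added example; account IDs, role names and profile name are placeholders.
"""
import configparser
import json
import os
from datetime import datetime, timedelta, timezone

ACCOUNT_1 = "111111111111"  # assumed: account owning the EC2 instance and Role-1
ACCOUNT_2 = "222222222222"  # assumed: account owning the target resources and Role-2
ROLE_1_ARN = f"arn:aws:iam::{ACCOUNT_1}:role/Role-1"
ROLE_2_ARN = f"arn:aws:iam::{ACCOUNT_2}:role/Role-2"


def role2_trust_policy(trusted_role_arn: str) -> dict:
    """Trust policy for Role-2 in Account-2. It names Role-1 as the principal
    (not ec2.amazonaws.com, which is only needed on the instance role itself)
    and carries no Resource element: a trust policy names who may assume the
    role, the role's own ARN is implicit."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def role1_assume_permission(target_role_arn: str) -> dict:
    """Permission policy attached to Role-1 in Account-1: the instance may
    call AssumeRole on Role-2 only (least privilege on the hop itself)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def assume_role(sts_client, role_arn: str, session_name: str, duration: int = 3600) -> dict:
    """Call STS AssumeRole and return the temporary credential triple.
    sts_client is anything exposing boto3's STS.Client.assume_role signature,
    so a fake can be passed when running offline."""
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                  DurationSeconds=duration)
    c = resp["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],  # mandatory; `aws configure` never asks for it
        "expiration": c["Expiration"].isoformat(),
    }


def write_profile(creds: dict, profile: str, path: str) -> configparser.ConfigParser:
    """Write the credentials, session token included, as a named profile in an
    AWS CLI credentials file so `aws --profile <profile> ...` works."""
    cfg = configparser.ConfigParser()
    cfg.read(path)  # keep any existing profiles
    cfg[profile] = {k: v for k, v in creds.items() if k != "expiration"}
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # temporary credentials still must not be world-readable
    return cfg


class FakeSTS:
    """Constructed stand-in for boto3's STS client; returns fixed dummy values."""

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE",
            "SecretAccessKey": "secretEXAMPLE",
            "SessionToken": "tokenEXAMPLE",
            "Expiration": datetime(2020, 1, 1, tzinfo=timezone.utc)
            + timedelta(seconds=DurationSeconds),
        }}


def main():
    import boto3  # real STS client; uses Role-1's instance credentials automatically
    creds = assume_role(boto3.client("sts"), ROLE_2_ARN, "qa-instance-to-account2")
    write_profile(creds, "account2", os.path.expanduser("~/.aws/credentials"))
    print(json.dumps(role2_trust_policy(ROLE_1_ARN), indent=2))
    print(json.dumps(role1_assume_permission(ROLE_2_ARN), indent=2))


if __name__ == "__main__":
    main()
```

The reason the role in the question never shows up in the instance-role picker is visible in these two documents: the instance role is always a native role of the instance's own account, and the cross-account role is something that role assumes at runtime, not something that is attached to the instance.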