Can IAM permission policy used to allow access to cross account resource?

1
votes

My understanding is,

Service control policy and resource based policies are mainly used to allow/deny cross account access to resources.

From the policy evaluation procedure explained here, I learned that IAM permission policy(managed or inline) is used to grant/deny permissions to Principal within an AWS account.

{
 "Version": "2012-10-17",
 "Statement": [

     {
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::*:role/Somerole",
         "Effect": "Allow"
     }
 ]
}

But above is the IAM permission policy, written to grant permissions to Principal in the source account, to have access(sts::AssumeRole) to other account resources(Somerole).

Can IAM permission policy be defined to allow Principal in source AWS account get permissions(sts:AssumeRole) to access resources(Somerole) that are present in other accounts(*:role)? In our case Principal is an IAM role in the source AWS account.

1
amazon-web-servicesamazon-iam
"I learned that IAM permission policy (managed or inline) is used to grant/deny permissions to Principal within an AWS account." I'm not sure you can justify this assertion based on her presentation. - Michael - sqlbot

1 Answers

2
votes

The other account would need to have granted access to the account. The role in the other account would need a trust relationship similar to this (often it has conditions added to it as well):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountId_A>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This example assumes that is the account you are granting the IAM permission in.