
AWS Cross Accounts Access Using IAM Roles


Two terms, TRUSTING ACCOUNT and TRUSTED ACCOUNT, are easy to confuse, so let us define them first.

Fig: AWS Cross Accounts Access Using IAM Roles

Trusting Account:

The Trusting Account is the account (company) that trusts another account and lets some users of that other account perform specific, limited tasks in it.

Trusted Account:

The Trusted Account is the account (company) that is trusted by the other account; its users are the ones who gain access.

Suppose you want to access some resources in your friend's AWS account (for example, IAM and S3). Because he is allowing you into his account, his account is the TRUSTING ACCOUNT, and because you are the one being trusted, your account is the TRUSTED ACCOUNT.

In other words, the account that provides access to its services is the TRUSTING ACCOUNT, and the account whose users consume those services is the TRUSTED ACCOUNT.

For example, you have your own AWS account with root user 'user1' and account ID '123456789012' (Trusted Account), and your friend has an AWS account with root user 'frnd1' and account ID '987654321098' (Trusting Account).

In your company (root user 'user1') there are some users who need access to your friend's account. We will put all of them in a group named 'POC'.

Your friend's account needs to give these users limited access without sharing any username, password, access key ID or secret access key. For this he will use IAM Roles: the users keep their own credentials in your account and assume a role in his, so nothing long-lived is shared between accounts.

Types of Role:

1. Service-Linked Role (used earlier in Replication)
2. Service-to-service Role (e.g. EC2 to S3)
3. Cross-Account Role (users from other AWS accounts)
4. Federation-based Role (allows access to AD or LDAP users)

Here your friend needs a Cross-Account Role.

PRACTICAL:

For this practice, use two different browsers so the two sessions do not mix. For example:

IN CHROME, LOG IN WITH YOUR OWN AWS ACCOUNT, and
IN MOZILLA FIREFOX, LOG IN WITH YOUR FRIEND'S AWS ACCOUNT.

First, we work in the TRUSTING ACCOUNT (your friend's account, in Mozilla Firefox):

Create a Cross-Account Role:

AWS ➔ Services ➔ IAM ➔ Roles ➔ Create Role ➔ Another AWS Account ➔ Account ID: the Trusted Company's account number (in this example, your own account number, 123456789012) ➔ Next: Permissions ➔ S3ReadOnly + EC2ReadOnly ➔ Next: Tags ➔ Next: Review ➔ Role Name: my_cross_account_role ➔ Create Role.

Verify that the role has been created. Copy the new Role Name and Role ARN to a notepad; the ARN is needed in the next part, and it is the only value the trusting account has to hand over.

Now the trusting side is done.

Second, we work in the TRUSTED ACCOUNT (your own account, in Chrome):

Create a User:

AWS ➔ Services ➔ IAM ➔ Users ➔ Add user ➔ User Name: sandy ➔ Access Type: AWS Management Console access ➔ Console password: Custom password: redhat ➔ Untick "Require password reset" ➔ Next: Permissions ➔ Next: Tags ➔ Next: Review ➔ Create User ➔ Close.

Create a Group:

AWS ➔ Services ➔ IAM ➔ Groups ➔ Create New Group ➔ Group Name: POC (Proof of Concept) ➔ Next Step ➔ Next Step ➔ Create Group.

Add the selected users to this Group:

AWS ➔ Services ➔ IAM ➔ Groups ➔ POC ➔ Users ➔ Add Users to Group ➔ [*] sandy ➔ Add Users.

Create a Policy:

AWS ➔ Services ➔ IAM ➔ Policies ➔ Create Policy ➔ Choose a service: STS (Security Token Service) ➔ Actions: Access level ➔ Expand all ➔ [*] AssumeRole ➔ Resources: Specific ➔ Add ARN ➔ paste the ARN of the TRUSTING ACCOUNT's role ➔ Add ➔ Review policy ➔ Name: AssumeRolePolicy ➔ Create policy.

Scoping the resource to that one role ARN (rather than "*") means members of POC can assume only this role and nothing else.

Fig: To Create a Policy

Attach this policy to the Group (POC):

AWS ➔ Services ➔ IAM ➔ Policies ➔ search for and select AssumeRolePolicy ➔ Policy usage ➔ Attach ➔ select group POC ➔ Attach policy.

TO VERIFY:

Copy the sign-in URL from the IAM dashboard of the Trusted Account, open it in a browser, and log in to AWS as user sandy.

Click the user name in the menu bar (third option from the right) ➔ Switch Role ➔ Account: the Trusting Company's account number ➔ Role: the Trusting Company's role name ➔ Switch Role ➔ ACCESS GRANTED; the console now shows you as RoleName@AccountNumber.
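The console clicks above produce two small JSON policy documents: the trust policy on the role in the trusting account, and the AssumeRole permission policy on group POC in the trusted account. The following is an added example (not code from the original post) that builds both documents with the post's sample account IDs and role name, runs a simple review check that flags the over-broad variants (wildcard principal, `Resource: "*"`), and turns the assumed-role ARN returned by STS into the `RoleName@AccountNumber` label the console shows after Switch Role. The optional `sts:ExternalId` condition is an assumption of this example, not a step in the post.

```python
"""Cross-account AssumeRole policies for the walkthrough above.
Added example; account IDs, role name and user name are the post's
sample values, not real accounts."""
import json
import re
from typing import List, Optional

# Sample values from the walkthrough (constructed, not real accounts).
TRUSTED_ACCOUNT = "123456789012"   # your account: root 'user1', group POC, user sandy
TRUSTING_ACCOUNT = "987654321098"  # friend's account: owns the role
ROLE_NAME = "my_cross_account_role"
ROLE_ARN = f"arn:aws:iam::{TRUSTING_ACCOUNT}:role/{ROLE_NAME}"


def trust_policy(trusted_account: str, external_id: Optional[str] = None) -> dict:
    """Trust policy on the role in the TRUSTING account.

    'Another AWS Account' in the console yields this shape: the principal is
    the trusted account's root ARN, so the trusted account's own IAM policies
    decide which of its users may assume the role. external_id (assumed,
    optional hardening) additionally requires the caller to present a shared
    ExternalId, which guards against confused-deputy use of the role.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(role_arn: str) -> dict:
    """Identity policy attached to group POC in the TRUSTED account.

    Scoped to the single role ARN copied from the trusting account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}
        ],
    }


def policy_findings(policy: dict) -> List[str]:
    """Return review findings for over-broad Allow statements (empty = clean)."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal == "*":
            findings.append("trust policy allows any AWS principal to assume the role")
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources and any(a.lower().startswith("sts:assumerole") for a in actions):
            findings.append("AssumeRole is allowed on every role (Resource '*')")
    return findings


# Assumed-role ARN shape returned by STS AssumeRole / shown in the console.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")


def console_label(assumed_role_arn: str) -> str:
    """'RoleName@AccountNumber', as the console shows after Switch Role."""
    m = ASSUMED_ROLE_RE.match(assumed_role_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {assumed_role_arn}")
    account, role, _session = m.groups()
    return f"{role}@{account}"


if __name__ == "__main__":
    print(json.dumps(trust_policy(TRUSTED_ACCOUNT), indent=2))
    print(json.dumps(assume_role_policy(ROLE_ARN), indent=2))
    print(policy_findings(assume_role_policy("*")))
    # Constructed sample of what STS returns once sandy switches role.
    print(console_label(f"arn:aws:sts::{TRUSTING_ACCOUNT}:assumed-role/{ROLE_NAME}/sandy"))
```

Both documents can be pasted into the JSON tab of the console in place of the visual editor clicks; `policy_findings` is the check to run before attaching a policy, since a `Resource: "*"` AssumeRole grant lets the group assume any role in any account that trusts yours.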

Enjoy!
