In this article we will see how we can provide cross-account access in AWS with the help of IAM roles and policies. Let’s quickly discuss all these terms before we dive in and see how everything is done.

A role is a set of permissions that allows access to AWS resources. A role can be assumed by a user in the same AWS account as the role or by a user in another AWS account. A role can also be used by an AWS service, such as an EC2 instance.


A policy defines the permissions of a role. A role has two policies: the trust policy, which specifies who can assume the role, and the permission policy, which specifies what resources can be accessed and what actions can be performed on them.

The entity that performs the actions and accesses the resources is called the principal.

So, coming back to the purpose of this article: we will see how access to the resources of another AWS account that you own can be delegated with the help of IAM roles. This means that you will be able to share resources from one AWS account with users from another AWS account. This is useful because there is no need to duplicate users across the two accounts, and because a user does not have to log out of one AWS account and then sign in to the other. The transition between the two AWS accounts is done by means of role switching.

I have two AWS accounts: ACCOUNT 1 (XXXXXXXX1728) and ACCOUNT 2 (XXXXXXXX0222). At the end of the article, a user from ACCOUNT 1 will be able to access specific resources from ACCOUNT 2. The resources to which the user from ACCOUNT 1 has access are enforced through the means of a policy that is attached to the role to which the user can switch.

The high-level view steps to accomplish this are:

  • Create the role
  • Allow user access to the role
  • Switch to a role

We will discuss in greater detail how each of these steps is performed, so let’s get started.

This is ACCOUNT 2 (XXXXXXXX0222):

In this account, I have an S3 bucket with a file inside. As mentioned, the user from ACCOUNT 1 should be able to access the file in the S3 bucket in ACCOUNT 2:

So, go to Identity and Access Management (IAM) in the AWS Management Console of ACCOUNT 2:

Select “Roles” and then “Create New Role”:

Enter the role name and write it down, as you will need it later:

In the next step, select “Role for Cross-Account Access” and, because we own both AWS accounts, choose “Provide access between AWS accounts you own”:

Enter the account ID of ACCOUNT 1:

Next, because we want to provide full access to S3 services, we will attach the predefined policy that allows this:

In the last step, we can review the role. As you can see, the role ARN was generated in the form arn:aws:iam::ACCOUNT2:role/switch-role-for-S3. We will use this ARN later, when we define what the user from ACCOUNT 1 can access in ACCOUNT 2. Click “Create Role” to finish the role creation:

At this point, the configuration on ACCOUNT 2 is complete.

It is time to move on to the ACCOUNT 1 configuration. Again, go to the IAM section of the AWS Management Console to create the user:

Select “Users” and then start the user creation wizard:

Once the user is created, you need to assign it a password. Select the user and from the “Sign-in Credentials” section, select “Manage Password”:

The next task is to assign a policy to the user that will allow it to switch between roles. From the same IAM section, select “Policies” and then “Create Policy”:

Because we need a custom policy, we will choose to create our own:

This is the policy. Note how it references the ARN of the role that we created inside ACCOUNT 2:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::ACCOUNT2:role/switch-role-for-S3"
    }
}

Give the policy a name, paste in the policy document and click “Create Policy”:

The new policy now appears in the list alongside the default policies:

Now, let’s assign the policy to the user. Select the user to which you want to apply the policy:

And in the “Permissions” section click on “Attach Policy”:

Filter for your custom policy and click “Attach Policy”:

Now, it’s time to log in with the user created in ACCOUNT 1. Generally speaking, to sign in as an IAM user rather than the root user, you access a link of the form https://ACCOUNT_ID.signin.aws.amazon.com/console.

In our case, we need to log in at https://XXXXXXXX1728.signin.aws.amazon.com/console.

You need to provide the username and the password:

As you can see below, I’m now logged in as the s3-access user in ACCOUNT 1. To switch roles, I click “Switch Role”. As you can see, there is also a history of previous role switches:

Once you choose to switch roles, you need to provide the account ID of ACCOUNT 2 and the role name; optionally, you can change the display name so it is easier to tell which role is currently in use. Click “Switch Role” to switch the role:

As you can see, the role is now active, as shown by the “Currently active as” information and by the display name:

Now that this has been done, let’s check if the user has access to the S3 bucket:

And it does, as expected. Let’s double-check by showing that it does not have access to EC2 resources:

No need to say anything else, as the warning speaks for itself.

And this is how cross-account access is done in AWS. As already said, the feature is useful when you want to allow one team to access the resources of another team and each team uses a different AWS account.
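To tie the whole walkthrough together, here is an added example (not part of the original article and not AWS code) that models the three policy documents involved and evaluates them with a small toy IAM evaluator. It shows why role switching only works when two policies agree: the trust policy on the role in ACCOUNT 2 (the shape the console wizard generates for “Provide access between AWS accounts you own”, which trusts the ACCOUNT 1 account root) and the sts:AssumeRole identity policy on the user in ACCOUNT 1. It then shows why the assumed role can reach S3 but not EC2. The account IDs are the redacted ones from the article, the user name s3-access is the one shown above, the bucket name is constructed, the AmazonS3FullAccess policy is simplified to its core grant, and the scoped-down read-only policy is an assumption added for comparison rather than something the article configures.

```python
"""Toy IAM evaluator for the cross-account role switch described above.

Added example: checks the two-sided AssumeRole decision and the role's
permission policy. Not the article's code and not an AWS library.
"""
import fnmatch

ACCOUNT1 = "XXXXXXXX1728"  # account IDs redacted exactly as in the article
ACCOUNT2 = "XXXXXXXX0222"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT2}:role/switch-role-for-S3"
USER_ARN = f"arn:aws:iam::{ACCOUNT1}:user/s3-access"

# Trust policy on the role in ACCOUNT 2: trusts the whole ACCOUNT 1 account,
# so the user's own identity policy in ACCOUNT 1 decides who may actually switch.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT1}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Identity policy attached to the user in ACCOUNT 1 (the article's policy).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
}

# Permission policy on the role: AmazonS3FullAccess, simplified to s3:* on everything.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Assumption, not from the article: a read-only grant on one constructed bucket.
SCOPED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-shared-bucket",
                     "arn:aws:s3:::example-shared-bucket/*"],
    }],
}


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _match(patterns, value, fold_case=False):
    """Match against IAM-style patterns with * and ? wildcards.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_ok(allowed, principal_arn):
    """Trusting an account root trusts every principal in that account;
    otherwise the exact principal ARN must be listed."""
    if principal_arn is None:
        return False
    account = principal_arn.split(":")[4]
    return any(entry in (principal_arn, account, f"arn:aws:iam::{account}:root")
               for entry in _as_list(allowed))


def evaluate(policy, action, resource, principal_arn=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document.
    An explicit Deny in any matching statement wins over every Allow."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _match(stmt["Action"], action, fold_case=True):
            continue
        if "Resource" in stmt and not _match(stmt["Resource"], resource):
            continue
        if "Principal" in stmt and not _principal_ok(stmt["Principal"].get("AWS", []), principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_assume(trust_policy, user_policy, user_arn, role_arn):
    """Cross-account AssumeRole succeeds only when the role trusts the caller
    AND the caller's identity policy grants sts:AssumeRole on that role."""
    trusted = evaluate(trust_policy, "sts:AssumeRole", role_arn, user_arn) == "Allow"
    permitted = evaluate(user_policy, "sts:AssumeRole", role_arn) == "Allow"
    return trusted and permitted


def role_allows(action, resource, policy=ROLE_POLICY):
    """What the switched-to role may do, according to its permission policy."""
    return evaluate(policy, action, resource) == "Allow"


if __name__ == "__main__":
    print("s3-access can switch role:", can_assume(TRUST_POLICY, USER_POLICY, USER_ARN, ROLE_ARN))
    print("s3:GetObject via role:", role_allows("s3:GetObject", "arn:aws:s3:::example-shared-bucket/file.txt"))
    print("ec2:DescribeInstances via role:", role_allows("ec2:DescribeInstances", "*"))
```

Removing either half of the pair, the trust statement on ACCOUNT 2 or the sts:AssumeRole statement on the ACCOUNT 1 user, makes can_assume return False, which is exactly the failure you see in the console when one side of the setup is forgotten. The SCOPED_ROLE_POLICY shows how the same evaluator behaves when the role grants only read access to a single bucket instead of full S3 access.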
