Cross account access from ec2 to other accounts
Problem
Is it possible to run the AWS CLI from EC2 to create some resources in another account without using aws_secret_key and aws_access_key?
Solution
Supposing the scenario with two accounts A & B, the explanatory steps should be:
- In account A, I created a role (e.g. RoleForB) to trust account B, and attached to the previously created role an IAM policy allowing it to perform some read operations in account A (e.g. ReadOnlyAccess).
- In account B, I created a role (e.g. AssumeRoleInA) and attached a policy to allow it to assume the role that is created in account A.
- In account B, associate to your EC2 instance's ec2-profile the IAM role (AssumeRoleInA) created in step 2.
- In account B, log into this EC2 instance to assume the role in account A using the command `aws sts assume-role --role-arn "arn:aws:iam::Account_A_ID:role/RoleForB" --role-session-name "EC2FromB"`.
- In the account B EC2 terminal, when the command in step 4 is finished, you can see the access key ID, secret access key, and session token from wherever you've routed it, in our case stdout, either manually or by using a script. You can then assign these values to environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
So let's check the configurations mentioned above step by step, but with some more detail:

- As presented before, in account A it builds the trust to account B by creating the role named `RoleForB` and attaching the `ReadOnlyAccess` permission to it.

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::Account_B_ID:root"},
    "Action": "sts:AssumeRole"
  }
}
```

- In account B, create a role named `AssumeRoleInA`, then attach the corresponding policy to allow it to assume the role named `RoleForB` in account A.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::Account_A_ID:role/RoleForB"
      ]
    }
  ]
}
```

- In account B, create a new EC2 instance (if it does not exist yet), and associate its ec2-profile with the IAM role named `AssumeRoleInA`.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}
```

- In account B, log into this EC2 instance to assume the role in account A using the command `aws sts assume-role --role-arn "arn:aws:iam::Account_A_ID:role/RoleForB" --role-session-name "EC2FromB"`, e.g.:
```console
jenkins@bb-jenkins-vault:~$ aws sts assume-role --role-arn arn:aws:iam::521111111144:role/DeployMaster --role-session-name "project-dev-jenkins-deploy"
{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAJBXGEHOQBXGEHOQ:project-dev-jenkins-deploy",
        "Arn": "arn:aws:sts::521111111144:assumed-role/DeployMaster/project-dev-jenkins-deploy"
    },
    "Credentials": {
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FQoGZXIvYXCUm8iG6/zLdQ7foognvCDpxKP7cRJiZgc...CUm8iG6/zLdQ7foognvCDpxKP7c+OQF",
        "Expiration": "2019-03-29T15:41:02Z",
        "AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
    }
}
```

- In the account B EC2 terminal, when the command in step 4 is finished, you can see the access key ID, secret access key, and session token from wherever you've routed it, in our case stdout, either manually or by using a script. You can then assign these values to environment variables:

```console
$ export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_SESSION_TOKEN=FQoGZXIvYXCUm8iG6/zLdQ...
$ aws ec2 describe-instances --region us-east-1
```

credit: https://stackoverflow.com/a/55420220/6657158
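The "by using a script" step of the answer, automated as an added example that is not part of the original answer: it parses the JSON that `aws sts assume-role` prints on stdout (the embedded sample reuses the answer's own example credential values, token truncated as there), refuses credentials whose `Expiration` has passed, and emits the three `export` lines. It assumes the answer's `Account_A_ID` placeholder in the role ARN and the `aws` CLI on PATH.

```python
import json
import subprocess
from datetime import datetime, timezone
from typing import Dict, Optional

ROLE_ARN = "arn:aws:iam::Account_A_ID:role/RoleForB"  # placeholder as in the answer
SESSION_NAME = "EC2FromB"

# Added example: the answer's own example response values (token truncated there too).
SAMPLE_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FQoGZXIvYXCUm8iG6/zLdQ...",
    "Expiration": "2019-03-29T15:41:02Z"}})

def _parse_utc(stamp: str) -> datetime:
    # STS prints RFC 3339 with a trailing Z, which fromisoformat() rejects before 3.11.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def is_expired(assume_role_json: str, now_utc: Optional[str] = None) -> bool:
    """True when the response's Expiration is not in the future (now_utc: ISO 8601 override)."""
    expiration = _parse_utc(json.loads(assume_role_json)["Credentials"]["Expiration"])
    now = _parse_utc(now_utc) if now_utc else datetime.now(timezone.utc)
    return expiration <= now

def credentials_to_env(assume_role_json: str, now_utc: Optional[str] = None) -> Dict[str, str]:
    """Map the Credentials block to the variable names the CLI and SDKs read.
    Refuses expired credentials instead of silently exporting them."""
    if is_expired(assume_role_json, now_utc):
        raise ValueError("assume-role credentials have already expired")
    creds = json.loads(assume_role_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }

def assume_role_env(role_arn: str = ROLE_ARN, session_name: str = SESSION_NAME) -> Dict[str, str]:
    """Run the same command as step 4 (works once the step 3 instance profile is attached)."""
    proc = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn,
         "--role-session-name", session_name, "--output", "json"],
        check=True, capture_output=True, text=True)
    return credentials_to_env(proc.stdout)

if __name__ == "__main__":
    # eval "$(python3 assume_role_env.py)" exports the variables without pasting them into the shell history.
    for name, value in assume_role_env().items():
        print(f"export {name}={value}")
```

The AWS CLI can also do this chaining itself: a profile in `~/.aws/config` with `role_arn = arn:aws:iam::Account_A_ID:role/RoleForB` and `credential_source = Ec2InstanceMetadata` makes `aws --profile <name>` assume the role and refresh the temporary credentials automatically, with no secrets placed in the shell environment.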
Context
StackExchange DevOps Q#6787, answer score: 3