Delegate Access Across AWS Accounts Using IAM Roles

Prerequisites

  • We assume that you have the following already in place:
    • Two separate AWS accounts that you can use, one to represent the Main account, and one to represent the Sub account.

Step 1 – Create Role

  • Before you can create a role, you need the account ID of the Sub AWS account.
    • To obtain the Sub account ID, sign in to the AWS Management Console as an administrator of the Sub account. In the navigation bar, choose Support, and then Support Center. The account number is in the upper right corner, immediately below the Support menu.

To create a role in the Main account that can be used by the Sub account

  1. Sign in to the AWS Management Console as an administrator of the Main account, and open the IAM console.
  2. Before creating the role, prepare the managed policy that matches your requirement; you attach this policy to the role in a later step. AWS provides managed policies, and if you don't want to use one of those you can create your own policy.
  3. In the navigation pane on the left, choose Roles and then choose Create role.

[Screenshot: screenshot-console.aws.amazon.com-2017-10-25-10-54-03.png]

  4. Choose the Another AWS account role type.
  5. For Account ID, type the Sub account ID.

[Screenshot: screenshot-console.aws.amazon.com-2017-10-25-10-59-35.png]

  6. Choose Next: Permissions to set the permissions that will be associated with the role, and attach the policy that matches your requirement. Then choose Next: Review.

[Screenshot: screenshot-console.aws.amazon.com-2017-10-25-11-12-59.png]

  7. Type CrossAccount (or a name of your choice) for the role name.
  8. For Role description, type a description for the new role.
  9. After reviewing the role, choose Create role.

[Screenshot: screenshot-console.aws.amazon.com-2017-10-25-11-15-08.png]

To obtain the ARN for CrossAccount Role

  1. In the navigation pane of the IAM console, choose Roles.
  2. In the list of roles, choose the CrossAccount role.
  3. In the Summary section of the details pane, copy the Role ARN value.

At this point, you have established trust between the Main and Sub accounts by creating a role in the Main account that identifies the Sub account as a trusted principal.

Step 2 – Grant Access to the Role

At this point, all users have permissions that allow them to freely test applications in the Sub account. Here are the steps required to add the permission that allows switching to the role.

To modify the permissions of a user in the Sub account to allow them to switch to the CrossAccount role

  1. Sign in as an administrator in the Sub account, and open the IAM console.
  2. Choose Users, and then choose cross-user (the user name).

[Screenshot: screenshot-console.aws.amazon.com-2017-10-25-11-52-11.png]

  3. Choose the Permissions tab, and expand the Inline Policies section.

[Screenshot: screenshot-console.aws.amazon.com-2017-10-25-12-04-35.png]

  4. Choose Custom Policy and then choose the Select button.

[Screenshot: screenshot-console.aws.amazon.com-2017-10-25-12-10-02.png]

  5. Type a policy name like cross-account-assume-role.
  6. Add the following policy statement to allow the AssumeRole action on the CrossAccount role in the Main account. Be sure that you change Main-ACCOUNT-ID in the Resource element to the actual AWS account ID of the Main account.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::Main-ACCOUNT-ID:role/CrossAccount"
  }
}

  7. Choose Apply Policy to add the policy to the cross-user user.

[Screenshot: screenshot-console.aws.amazon.com-2017-10-25-12-13-33.png]

However, if you use Power User permissions, then some users might already be able to switch roles, because that permission set does not exclude sts:AssumeRole. The following procedure shows how to add a "Deny" permission to the other users to ensure that they cannot assume the role.

To modify a user to deny permission to assume the CrossAccount role

  1. Choose Users, and then choose the user name.
  2. Choose the Permissions tab, and expand the Inline Policies section.
  3. Choose Custom Policy and then choose the Select button.
  4. Type a policy name like denyassumerole.
  5. Add the following policy statement to deny the AssumeRole action on the CrossAccount role. Be sure that you change Main-ACCOUNT-ID in the Resource element to the actual AWS account ID of the Main account.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::Main-ACCOUNT-ID:role/CrossAccount"
  }
}

  6. Choose Apply Policy to add the policy to the user.

The cross-user now has permission to use the CrossAccount role in the Main account, while the other users are prevented from using it.
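The trust policy that the Step 1 "Another AWS account" choice generates in the Main account, the two inline policies from Step 2, and a small evaluator that shows why a Power User needs the explicit Deny, as an added Python example that is not part of this article or of the AWS tutorial it follows. The account IDs, the OtherRole name and the user labels are constructed placeholders; the evaluator covers only identity-based Allow/Deny statements with Action, NotAction and Resource, and the PowerUserAccess snippet is that managed policy's first statement.

```python
"""Policy documents behind Steps 1 and 2, plus a minimal evaluator.

Added example; it is not code from the article or from the AWS tutorial it follows.
Account IDs, user labels and the OtherRole name are constructed placeholders.
"""
import fnmatch
import json
import re

MAIN_ACCOUNT_ID = "111111111111"   # constructed placeholder for Main-ACCOUNT-ID
SUB_ACCOUNT_ID = "222222222222"    # constructed placeholder for the Sub account
ROLE_NAME = "CrossAccount"
ROLE_ARN = f"arn:aws:iam::{MAIN_ACCOUNT_ID}:role/{ROLE_NAME}"


def check_account_id(account_id):
    """AWS account IDs are exactly 12 digits; catch a mistyped or truncated ID early."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def trust_policy(sub_account_id):
    """Trust policy that the 'Another AWS account' wizard choice (Step 1) creates in the Main account.

    The principal is the Sub account root, so the Sub account decides, through its own
    IAM policies, which of its users may call sts:AssumeRole on this role.
    """
    principal = f"arn:aws:iam::{check_account_id(sub_account_id)}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
        ],
    }


def assume_role_policy(effect, role_arn):
    """Inline policy for a Sub-account user (Step 2): Allow or Deny sts:AssumeRole on one role."""
    if effect not in ("Allow", "Deny"):
        raise ValueError(f"effect must be Allow or Deny, got {effect!r}")
    return {
        "Version": "2012-10-17",
        "Statement": {"Effect": effect, "Action": "sts:AssumeRole", "Resource": role_arn},
    }


# First statement of the AWS managed PowerUserAccess policy: everything except
# IAM, Organizations and Account actions is allowed, so sts:AssumeRole is included.
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match with * and ?."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_matches(stmt, action, resource):
    action = action.lower()  # action names are matched case-insensitively
    if "Action" in stmt:
        action_hit = _matches([a.lower() for a in _as_list(stmt["Action"])], action)
    else:  # NotAction: the statement covers every action that is NOT listed
        action_hit = not _matches([a.lower() for a in _as_list(stmt["NotAction"])], action)
    return action_hit and _matches(stmt.get("Resource", "*"), resource)


def is_allowed(policies, action, resource):
    """Identity-based evaluation order: an explicit Deny wins, then any Allow, else implicit deny."""
    statements = [s for p in policies for s in _as_list(p["Statement"])]
    hits = [s for s in statements if _statement_matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)


def demo():
    """The situations from Step 2, evaluated against the CrossAccount role ARN."""
    other_role_arn = f"arn:aws:iam::{MAIN_ACCOUNT_ID}:role/OtherRole"
    cross_user = [assume_role_policy("Allow", ROLE_ARN)]
    power_user = [POWER_USER_ACCESS]
    power_user_with_deny = [POWER_USER_ACCESS, assume_role_policy("Deny", ROLE_ARN)]
    return {
        "cross-user": is_allowed(cross_user, "sts:AssumeRole", ROLE_ARN),                    # True
        "cross-user, other role": is_allowed(cross_user, "sts:AssumeRole", other_role_arn),  # False
        "power user, no deny": is_allowed(power_user, "sts:AssumeRole", ROLE_ARN),           # True
        "power user + deny": is_allowed(power_user_with_deny, "sts:AssumeRole", ROLE_ARN),   # False
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy(SUB_ACCOUNT_ID), indent=2))
    print(json.dumps(demo(), indent=2))
```

Running the script prints the Main-account trust policy and the four outcomes. The same evaluation applies whether the user switches roles in the console or runs `aws sts assume-role --role-arn <role ARN> --role-session-name <name>` from the CLI: the cross-user's narrow Allow only covers the one role ARN, a Power User is already allowed because NotAction leaves sts:AssumeRole in scope, and the explicit Deny wins over every Allow the user holds, which is why the article attaches it to users who already have Power User permissions.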

Step 3 – Test Access by Switching Roles

After completing the first two steps of this tutorial, you have a role that grants access to a resource in the Main account, and one user in the Sub account who is allowed to use that role. The role is now ready to use. This step discusses how to test switching to that role from the AWS Management Console.

Switch Roles

If cross-user needs to work in the Main account in the AWS Management Console, he can do so by using Switch Role. He specifies the account ID or alias and the role name, and his permissions immediately switch to those permitted by the role. He can then use the console to work within the permissions granted to the role, but cannot work with any other resources in the Main account. While cross-user is using the role, he also cannot make use of his Power User privileges in the Sub account, because only one set of permissions can be in effect at a time.

There are two ways a user can reach the Switch Role page:

  1. The user receives a link from his administrator that points to a pre-defined Switch Role configuration. The link is shown to the administrator on the final page of the Create role wizard and on the Role Summary page for a cross-account role. Choosing this link takes the user to the Switch Role page with the Account ID and Role name fields already filled in. All the user needs to do is choose Switch Role.
  2. The administrator does not send the link in email, but instead sends the Account ID number and Role Name values. The user must enter them manually to switch roles. This is illustrated in the following procedure.
    1. The user chooses his name (the Identity menu) on the navigation bar, and then chooses Switch Role.

[Screenshot: screenshot-us-west-2.console.aws.amazon.com-2017-10-25-12-22-44.png]

    2. Next, in order to access the role, the user manually types the Main account ID number and the role name (CrossAccount), and then chooses Switch Role.

[Screenshot: screenshot-signin.aws.amazon.com-2017-10-25-12-24-55.png]

    3. The user can now use the resources to which the CrossAccount role has permissions.
    4. When the user is done with the work he needs to do, he can return to his original permissions. To do that, he chooses the MAIN role display name on the navigation bar and then chooses Back to cross-user.

[Screenshot: screenshot-us-east-2.console.aws.amazon.com-2017-10-25-12-27-36.png]


Reference link:

http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html


I hope you like this article!!!!!

Thank you..
Aarti Parikh
AWS-team,
Solution Architect,
Electromech Corporation.
