There is an AWS account A, which has a resource X managed by policy Pax. It adds the second AWS account B to a role which attaches the policy Pax, let's call this role Rax. Now within the AWS account B, I create another policy for assuming role Rax, let's call it Pbrax and added it to a role RPbrax where the Principal is an AWS account C.
When I try to access the resource X via the account C, I get access denied. I cannot touch anything in AWS account A, but in B and C.
Role permissions are not cumulative.
This means the history of the role chaining doesn't help you - the principal in account C needs to have its own access to the resources in account X if needs to access them.
Related
Was trying to start a session[terminal] via ssm on an instance in another account. using command
aws ssm start-session --target i-yyyaf4692d801d1xx --region ap-south-1
but it was failing with response as "Target is not connected".
we get this response when the instance is usually not found in the inventory of Systems Manager. - which i can't add, as the instance is in another account
END Goal: I wish to use users created in Account A to be able to start sessions on instances on Account B. both part of the same organisation.
Also,
my user has appropriate permissions have verified it through IAM Simulator
it seems instance IDs are unique and associated to one account only.
the instance is accessible by local users in that account.
[update 9th Jan 2023]
Thanks for the responses, its clear that IAM Role[with assume role sts] suffices the request conditions.
But i was looking for some seamless method, where we dont need to generate temporary credentials and use them for access each time.
May be a script to do this task or something would do. As IAM Principal: Users need to generate temp creds manually which is not the case with IAM Roles
You need to delegate access between the accounts. You can do this by creating a role in the target account which is allowed to assumed by users in the other account.
Setup the access:
Create an IAM role with necessary IAM permissions to access the instances in the target account (account B)
Create a trust relationship on the role in the target account to trust the appropriate principals (users or roles) in the source account (account A).
Grant the appropriate principals (users or roles) in the the source account (account A) permission to call the sts assume-role API for the role in the target account (account B)
Use the access:
From your user profile or role in account A, call the sts assume-role API to obtain credentials for the role you created in account B.
Use the credentials returned by the sts assume-role call in order to call the API using the identity assumed in account B to access the resources.
See: cross-account IAM access for more details.
Account A 1234567890 has granted account B 0987654321 access to an a bunch of AWS services through a certain role:
arn:aws:iam:1234567890:role/bunch_of_access
And there's another account C that is owned by the same owner as B that needs the same role access but can't get it through account A.
Is there a way for account B to allow account C to also use the arn:aws:iam:1234567890:role/bunch_of_access role?
Or is there a way to create a new role that let account C access root role from account B to get the access to arn:aws:iam:1234567890:role/bunch_of_access ?
Yes, you can do this with role chaining.
An entity in account C can assume a role in account B, and then using the assumed role it can assume the required role.
More on role chaining: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html
So this is what i want to do -
I have 3 different accounts - account A, account B and account C.
I start in a role in account A. This role is allowed to assume another role in account B. This role in account B is allowed access to describe s3 buckets in account C.
This is where my question comes in. Will i be able to describe the buckets in account C by first assuming a role in account B. Then using this credential, assume a role in account C to describe 3 buckets?
I was thinking of possibly using STS twice. Would this be viable ? i do realise this was possible with two accounts in another question. But would this be possible from three different accounts ?
something like the example in this question would work ?
How to assume an AWS role from another AWS role?
My doubt comes to the place where would the account is being sent to account C be that of account A or account B?
Account C currently has the role to allow only account B to assume it. And account B has a role that only allow account A to access it.
Yes. You can assume a role from an assumed role.
Account C would have a role that trusts account B. Account B would have a role that trusts account A.
Each role would also have to have permissions for sts:AssumeRole on the role that account is assuming.
Account A's role can sts:AssumeRole on Account B's role, and trusts EC2 or your IAM user or whatever.
Account B's role can sts:AssumeRole on Account C's role, and trusts Account A.
Account C's role can s3:ListBuckets and trusts Account B.
When you assume a role, you give up your current identity and permissions and assume a new identity and new permissions - not additional permissions.
If your goal is to have access to three buckets, then your assumed role needs access to those three buckets.
I am looking to use AWS STS to access resources from another AWS account owned by another team.
say, AWS Account A trying to access AWS Account B.
basically the steps I am following:
1. Create a user in Account A
2. Create Role in Account B with the necesaary permissions
3. Add assume role permissions for user in Account A
4. Use User credentials to get temporary credentials for Account B.
5. Use temp credentials on Account B.
But, after reading through a ton of AWS docs, I am unable to figure out which account gets billed for the cross account API calls?
When you use AssumeRole to grant access to another Amazon account (account B), your identity switches to the other account with the username being the role name that you assumed.
The only cross account API being called will be AssumeRole. After this succeeds you will be using the APIs using account B's temporary credentials that were returned from AssumeRole.
All ownership, billing, etc. will be the same as if you had originally logged into account B as a normal IAM user except for the user name.
CloudTrail records STS type calls such as AssumeRole and logs all authenticated API requests. Once AssumeRole succeeds, your activity (using the temporary credentials) will be logged by CloudTrail in account B. This assumes of course that CloudTrail is enabled.
This link will give you more details into the user identity that AWS uses when using AssumeRole.
CloudTrail userIdentity Element
When you create a role for cross-account access, you establish trust from the account that owns the role and the resources (trusting account) to the account that contains the users (trusted account). To do this, you specify the trusted account number as the Principal in the role's trust policy. That allows potentially any user in the trusted account to assume the role. To complete the configuration, the administrator of the trusted account must give specific groups or users in that account permission to switch to the role.
Link
As everyone has mentioned a user from the account A is just assuming a role in account B to temporary access resources in account B,ownership stays still and the owner pays for the resources he owns. In this case it is the account B who pays. STS is the service being used to assume a role and is part of IAM.
The following was taken from IAM FAQ.
Q: How do I assume an IAM role?
You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole APIs (in other words, AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML). These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.
Q: How many IAM roles can I assume?
There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role when making requests to AWS services.
Q: Who can use IAM roles?
Any AWS customer can use IAM roles.
Q: How much do IAM roles cost?
IAM roles are free of charge. You will continue to pay for any resources a role in your AWS account consumes.
I have two AWS account (A and B). On my account A, I have a lambda function which need to access to resources of account B.
Precisely, my lambda on my account A, need to update a record in a Route53 zone hosted on my account B.
Contrary to S3, I don't see any resource access policy in Route53. So I'm a bit lost.
I tried to play with IAM cross account roles, but that does not seems to work with lambda.
How can I allow a lambda function on an account A to access resources of my account B?
You can create a Role in account B and permit your User (in account A) to assume it.
Create a Role in account A that will be used by your AWS Lambda function.
Create a Role in account B with a role type of Role for Cross-Account Access. Assign the desired permissions to use Route 53 in account B. Also add permissions for the Role in account A to call AssumeRole on this role.
The Lambda function in account A can then call AssumeRole on the role in account B. This will return a set of temporary credentials that can be used to access Route 53 in account B.
See:
Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
Creating a Role to Delegate Permissions to an IAM User
Here's a picture from the Tutorial: