I just created a new account in my organization and I provided a custom IAM role.
The problem is that I can't find the role in IAM, I remember then name and in any case there are few roles there so I can check.
I double checked in cloud trail the IAM role name, and I search for it in IAM and I still can't find it.
Is there something I'm missing or some workaround?
Background:
According to the documentation:
How can I access an AWS account that was created in my organization?
As part of AWS account creation, AWS Organizations creates an IAM role
with full administrative permissions in the new account. IAM users and
IAM roles with appropriate permissions in the master account can
assume this IAM role to gain access to the newly created account.
Update:
The steps of the link below also helped me understand the issue
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
As per the documentation, the role is created in the New account. You can assumeRole by sts service to the role from the master account, so this is the reason you cannot find the role in your account.
You first assumeRole and then you can do the administrative job for the new account. You can log in through this link with your role and account.
https://signin.aws.amazon.com/switchrole?roleName=<roleName>&account=<newAccountId>
Be aware that you should be logged in to your master account first. Replace <roleName> and 12-digits <newAccountId> for yours.
Related
I am using metricbeat to monitor metrics from a few AWS accounts. I have read through the doc: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-aws.html
it says to configure the credential as environment variables or in aws credential file. But I'd like to use cross account IAM policy to access different AWS account. That means metricbeat needs to assume a role when it tries to query metrics. How can I achieve this in metrcibeat? I can't find related doc in their document.
So you can specify the IAM Role like this
Metricbeat Configuration Params
metricbeat.modules:
- module: aws
period: 300s
metricsets:
- ec2
role_arn: arn:aws:iam::123456789012:role/test-mb
I would say there is nothing like Cross Account Policy.
Your role has permissions based on the policies you assign to it via IAM Policies.
When you wanna use Cross-Account IAM Roles, you still have to assign IAM Policies on the role you create in the destination account + an IAM Trust Policy as well so that you can assume the role from another account, In addition to that your source IAM Role must have permissions to assume the destination IAM Role
IAM Role Delegation
How to use trust policies with IAM roles
IAM Tutorial: Delegate access across AWS accounts using IAM roles
Suppose, I am AWS IAM user, is there any way so that I can check what resource permission has been given to me, using CLI or Console.
Unfortunately, there is no comprehensive tool for that. In IAM console you can only check your user's IAM profile or group permission you belong to.
But full set of privileges is a very complex thing to get. Apart from obvious IAM user or group permissions you can have:
IAM roles which you can assume,
resource policies which you are listed as a principle (e.g. bucket policy, kms key policy),
resource policies where a role you can assume is a principle,
cross-account permissions in IAM roles or resource policies,
AWS Organization level SCP permissions.
If the reason for asking this question is related to security, e.g., to check what resources were accessed by a compromised IAM user credentials, you suspend the credentials or delete the user. Also can inspect the CloudTrial history to check what resources a given IAM user accessed.
After setting up AWS Organizations, I created a member account with a custom IAM role name. I've now forgotten the role name used and I'm unable to assume role as root into that account. I need to create IAM users in the member account but without the ability to assume role using the custom OrganizationAccountAccessRole it seems I'm unable to.
I've tried getting access by
Using the member account root user but it doesn't have permissions to IAM
Signing in to member account using AWS SSO user with IAMFullAccess and AdministratorAccess policies attached to the policy set but user cannot access IAM.
Attempting to describe member account using the master account admin user but the role isn't there
At this point, I'm thinking the only way out is to recreate the member account. Please tell me there is a better way.
UPDATE:
- Found that 1 & 2 didn't work because of a restrictive Service Control Policy (SCP) on the account which didn't include IAM access permissions.
Based on the comments.
The solution was to inspect CloudTrial logs to find the API call used to create the role.
I have a cloudfront, let's say in Account A and I want to access this cloudfront from a build server which is in another AWS account let's say in Account B with IAM Role.
How to give a IAM role access(Account B) to that cloudfront which is in Account A.
Note: Please consider Role not IAM user.
Overview of Managing Access Permissions to Your CloudFront Resources
An AWS account owns the resources that are created in the account,
regardless of who created the resources. Specifically, the resource
owner is the AWS account of the principal entity (that is, the root
account, an IAM user, or an IAM role) that authenticates the resource
creation request.
The following examples illustrate how this works:
Attach a permissions policy to a role (grant cross-account
permissions) – You can grant permissions to perform CloudFront actions
to a user that was created in another AWS account. To do so, you
attach a permissions policy to an IAM role, and then you allow the
user in the other account to assume the role. The following example
explains how this works for two AWS accounts, account A and account B:
Account A administrator creates an IAM role and attaches to the role a
permissions policy that grants permissions to create or access
resources that are owned by account A.
Account A administrator attaches a trust policy to the role. The trust
policy identifies account B as the principal that can assume the role.
Account B administrator can then delegate permissions to assume the
role to users or groups in account B. This allows users in account B
to create or access resources in account A.
For more information about how to delegate permissions to users in
another AWS account, see Access Management in the IAM User Guide.
I am looking to use AWS STS to access resources from another AWS account owned by another team.
say, AWS Account A trying to access AWS Account B.
basically the steps I am following:
1. Create a user in Account A
2. Create Role in Account B with the necesaary permissions
3. Add assume role permissions for user in Account A
4. Use User credentials to get temporary credentials for Account B.
5. Use temp credentials on Account B.
But, after reading through a ton of AWS docs, I am unable to figure out which account gets billed for the cross account API calls?
When you use AssumeRole to grant access to another Amazon account (account B), your identity switches to the other account with the username being the role name that you assumed.
The only cross account API being called will be AssumeRole. After this succeeds you will be using the APIs using account B's temporary credentials that were returned from AssumeRole.
All ownership, billing, etc. will be the same as if you had originally logged into account B as a normal IAM user except for the user name.
CloudTrail records STS type calls such as AssumeRole and logs all authenticated API requests. Once AssumeRole succeeds, your activity (using the temporary credentials) will be logged by CloudTrail in account B. This assumes of course that CloudTrail is enabled.
This link will give you more details into the user identity that AWS uses when using AssumeRole.
CloudTrail userIdentity Element
When you create a role for cross-account access, you establish trust from the account that owns the role and the resources (trusting account) to the account that contains the users (trusted account). To do this, you specify the trusted account number as the Principal in the role's trust policy. That allows potentially any user in the trusted account to assume the role. To complete the configuration, the administrator of the trusted account must give specific groups or users in that account permission to switch to the role.
Link
As everyone has mentioned a user from the account A is just assuming a role in account B to temporary access resources in account B,ownership stays still and the owner pays for the resources he owns. In this case it is the account B who pays. STS is the service being used to assume a role and is part of IAM.
The following was taken from IAM FAQ.
Q: How do I assume an IAM role?
You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole APIs (in other words, AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML). These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.
Q: How many IAM roles can I assume?
There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role when making requests to AWS services.
Q: Who can use IAM roles?
Any AWS customer can use IAM roles.
Q: How much do IAM roles cost?
IAM roles are free of charge. You will continue to pay for any resources a role in your AWS account consumes.