Consider 2 AWS accounts A ( Other team ) and B ( Mine )
For my use case, I have to poll to queues in A's AWS account for payload and perform database operations in B.
To do this, I have a role created in B having access to my databases + A's account ID as trusted relationship.
Likewise A has created a role for granting access to queue in A + added B as trusted relationship.
Code for doing all the polling + database action will reside on EC2 in my account ( B ).
Now how do I consume payloads and perform operations from a role's perspective. Is my understanding correct?
Assume role A
Poll to provisioning queue, get the JSON payload from SQS
Assume role B
Perform database operations in Oracle RDS
Assume role A
Return back the response to response SQS
Start polling again on provisioning queue SQS
FYI : I am performing the above operations using Python + Boto3
Instead of assuming roles, you can grant Cross-Account access to the queues in Account A to the user/role in Account B.
In your case, grant it to EC2 instance role and then you'll be able to do all the required operations from within the instance without any "Assume role" tricks.
You don't say which programming language or SDK you are using, but essentially you can create two client/service objects, one leveraging credentials from role A and the other from role B. Then simply make API calls using the appropriate client/service object.
Using boto3, for example:
sqs_accounta = boto3.client(
'sqs',
region_name='us-east-1',
aws_access_key_id=xxx,
aws_secret_access_key=yyy,
aws_session_token=zzz
)
rds_accountb = boto3.client(
'rds',
region_name='us-west-2',
aws_access_key_id=aaa,
aws_secret_access_key=bbb,
aws_session_token=ccc
)
Pretend for a moment that everything was happening in your own account (Account-B).
You would give a set of credentials to your code (either an IAM User or, if the code is running on an Amazon EC2 instance, you would assign an IAM Role to the instance) that it can use to access the necessary resources in Account B. So, no problem there.
The only additional requirement is that you wish to access Amazon SQS in Account-A. It so happens that you can add permissions directly to an Amazon SQS queue that grants cross-account access.
See: Basic Examples of IAM Policies for Amazon SQS - Amazon Simple Queue Service
So, you do not actually need to assume any roles. Just use the normal credentials that are assigned to your code, and add permissions to the SQS queue to allow that particular IAM User or IAM Role to use the queue.
Related
I have two accounts A and B. I have a service in Account B that writes its logs to CloudWatch. In account A I have a AWS lambda that periodically needs to run a CloudWatch insights query to retrieve logs that match a pattern.
I can't seem to find a way to setup permissions for this or how to make a cross account cloud watch query from Lambda in Account A to CloudWatch logs in Account B. Is this even possible? If so, how?
You can do it, using cross-account access IAM role, assuming the role from the B account.
A good detailed explanation with examples can be found here.
Essentially, you have to assume a role from account B which allows your Lambda function in account A to access certain resources in account B. In the trust policy of the IAM role your AWS account A ID has to be set, so your Lambda can access resources based on what the account B policy allows.
We have an AWS account with an IAM group, this group contains practically 6 users and most operations in the account are done by this 6 users.
There are 12 Lambda Functions that have been created in the account and there is a particular lambda function (created by one of the 6 users) that I am trying to know who created it (The Lambda function owner).
Please is there a way to do this ?
Resources created in AWS Accounts are associated with the Account, not the IAM User that created the account.
When a user requests AWS to create resources, IAM verifies that the user has permission to create resources. If so, then the resources are created in the Account, but no relationship with the user is kept on that resource.
You can, however, use AWS CloudTrail to view information about the API request that created the resource.
From What Is AWS CloudTrail? - AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
Started recently understanding AWS IAM Roles, Groups, Roles and Permissions.
I understood that groups will be added with some Permissions and whoever the users got added into that group, will have an access to those specific AWS services provided in that group. Where as Role is used to provide an access from one Service to Other. (Say Lambda wants to have an access for CloudWatch).
My Query is: Suppose if Group (say 'dev') have added only 2 Permissions policy (say S3FullAccess, LambdaFullAccess)
and Role created for Lambda Service (having Permission policy "cloudwatchFullAccess"), then does a user from 'dev' group can able to access 'cloudwatch' service?
EDIT:
Another query: I didnt understood on How do we map Users/Groups to only specific Roles? orelse does Roles can be accessed by every user/group (assuming Permission policies already added in Groups of those services mentioned in the Roles)? Please clear me this too
The permissions from the role are only allowed by a principal (IAM user/IAM role/AWS Service) that has assumed the role. If your user had the permission to assume that IAM role and did it, then yes they would have those permissions.
However based on the policies they have they cannot assume the role, but Lambda (assuming it has a trust policy in place) can assume the IAM role in question.
This means that Lambda can perform any CloudWatch interactions, which would allow a user within the dev group to add code that interacts with CloudWatch within the Lambda function and then when triggering the Lambda function see the output of it.
They would not however be able to see the CloudWatch interface within the console, or directly interact with it on the AWS CLI.
To explain the difference between users, groups and role:
An IAM user is an entity with which you can interact directly through the console or CLI. It requires credentials to perform these interactions and gains its permissions from policies. It is generally advised not to use these for applications that reside in AWS.
An IAM group is an entity to group similar IAM users, providing them the same permissions. This allows a hierarchy to be easily maintained. No entity can become a group, it is an assignment to an IAM user.
An IAM role is similar to a user, in that it can interact with the console or CLI. However, to do this it must be assumed, which will provide the entity that assumed it with temporary credentials. An AWS service that assumes the role manages these temporary credentials for you.
For a user to assume the role, 2 things would need to be in place. The role would need to have a trust policy that enables the principal of the IAM user (or account) to assume that role. In addition the user would need to have permission to perform the sts:AssumeRole action on the IAM role resource.
More information about this can be found in the Granting a User Permissions to Switch Roles
documentation.
We’re trying to implement Redshift with authentication via SAML.
In our case, we have many AWS accounts and the Redshift cluster is in one of them. We need to viabilize the access via roles from these accounts to the one that hosts the cluster. Discarding the necessity of having to manage user/password.
The way we implemented it’s already possible to login using IAM roles, but we still need the cross-account.
Does anyone knows if it's possible ?
Since you already have signin working with IAM roles, the process would be:
Amazon Redshift in Account-A
IAM Role (Role-A) in Account-A that has:
Permission to access Redshift via IAM (I think it's just permission to call GetClusterCredentials?)
A Trust Policy allowing the Role to be assumed by specified other accounts (or specific roles in those accounts)
Other accounts wanting to access Redshift will:
Call AssumeRole() to assume Role-A
Use the returned temporary credentials to access Redshift using Role-A
Thus, Redshift only ever sees a login being requested from Account-A.
This page shows how to send an email using SES. The example works by reading the credentials from ~/.aws/credentials, which are the root (yet "shared"??) credentials.
The documentation advises in various places against using the root credentials.
Acquiring temporary credentials
using roles is mentioned as an option, yet assume_role() is not defined for SES client objects.
How do I send an email through SES with temporary SES-specific credentials?
Update
The context for my question is an application running on an EC2 instance.
There are a few pieces to this.
First you need an IAM policy. You can use one of the built-in policies, such as AmazonSESFullAccess or you can create your own. The holder of a particular policy will be able to access the resources and actions defined in the policy. You can create this policy manually, or work through the AWS console and it will walk you through it. IAM --> Policies --> Create Policy
Secondly, you will need a role. Also, easily done in the console. IAM --> Roles --> Create role. Trusted entity is AWS service. Highlight EC2. In the next screen, select the policy you want to associate with this role. This is the policy you created above. If your EC2 already has a role, then you can add the IAM policy to this role. Assigning an IAM policy to a role, is what they refer to as a trust policy.
Now any code that runs on your EC2 instance will be able to send messages to your SES service. The EC2 assumes the role assigned to it. And the SES policy is defined for that role. This will allow EC2 to get temporary credentials (behind the scenes).
The back story is as follows. Any API call to an AWS service needs to have a key and secret. When you make API calls from your local computer, you may use your personal key and secret (or even root ones). When you need to make API calls from another service, you do not have that key and secret. It would not be secure or practical to store the credentials on an EC2. Or even worse, in an S3 bucket. That is why AWS came up with the Role concept. Roles can request temporary credentials from an internal service called Simple Token Service (STS). A role is attached to an EC2 instance for example. And if the right policy is attached to that role, the EC2 instance can request to get temporary credentials to make an API call to another service. All of this happens behind the scenes.
Two options...
You could create IAM User credentials with the appropriate permissions and put them in the ~./aws/credentials file. Then your application will find them and use them to connect with Amazon SES.
Or, your application could use a set of IAM User credentials to call assume_role() (which is an IAM command). This will return a set of temporary credentials that could be used with Amazon SES. However, if you are going to provide a set of credentials that will be used to call assume_role(), then you may as well just use those credentials directly with Amazon SES.
An IAM User can be used for people OR applications.