I have a AWS account created under an Organization. Say Account ID : 12345. It is a parent account. Now i have new Role created, Say Account ID : 67890. I have switched my role from parent account to the new one. But when i execute the cloud formation template from AWS cli. It is still trying to create env in my parent account (i.e,12345) instead of the new account.
My question is - How can i execute/create env using CFT from AWS Cli in my new account (ie, 67890) ? or is there a way to specify Account id in which the env should be created ?
You most likely forgot to configure your AWS CLI to use credentials from the linked account. You may create a new profile and specify it when you run the CLI command. Example:
aws configure --profile=account2
aws --profile=account2 cloudformation create-stack ...
If you are unable to setup an IAM credential on Account2, you may try to setup CLI to use the cross-account role you already have. You'll need to manually add the following block to your ~/.aws/config file:
[profile account2]
role_arn = arn:aws:iam::123456789012:role/account2role
source_profile = account1
Replace 123456789012 and account2role with their corresponding values.
Related
We have SSO configured in the main AWS account and we log in to the child AWS account using that SSO link. Now we have created an EKS cluster in the child account but we are not able to view the Node and other resources due to aws-auth config settings. How to check the current role we have assumed in the child account so that we can update the same in the aws-auth configmap of the EKS cluster so that we would be able to see them?
Use the aws cli,
aws sts get-caller-identity --profile <profileName>
will return the assumed role in the form off
"arn:aws:sts:AccountId:assumed-role/RoleName/SSOemail"
and pass the RoleName in --role-name parameter as shown below, this should give you what you ask for.
aws iam get-role --role-name RoleName --profile profileName
Adding some additional info on setting up sso login via your localhost using aws cli, essentially you just need to have aws cli and a configs file that has entries, you can create the configs file on your host and then source it using env variable.
ConfigFile:
[default]
region = region
output = yaml
[profile myProfileName]
sso_start_url =
sso_region =
sso_account_id =
sso_role_name =
region =
output = json
and set env variable to the path of your file that holds the profiles,
AWS_CONFIG_FILE=/path/to/the/config/file
then you can login to you account using
aws sso login --profile myProfileName
and then you will be able to execute the above commands, this is a very neat way to manage and troubleshoot your organization accounts via a single point.
Need to access cross account EC2 describe/start instance API via AWS CLI without configuring access/secret keys in "aws configure".
Assuming that you have default credentials stored for an account (Let's call it dev) but you want to run EC2 describe/start instance API on an instance which is in another account(Let's call it prod) via this account without configuring your prod credentials.
To achieve this you will use an IAM role, which has the EC2:describeInstance access needed in your Prod account. An authenticated user in your Dev account will assume a privileged IAM role in the Prod account with an API call to STS:AssumeRole. This API call will return temporary security credentials that the Dev user’s AWS CLI will automatically use to access resources in the Prod account.
You can set the credentials temporary via environment variables. If you pack this is an bash script, they only last for the execution.
#!/bin/bash
export AWS_ACCESS_KEY_ID=***
export AWS_SECRET_ACCESS_KEY=***
export AWS_DEFAULT_REGION=eu-central-1
aws ec2 <your command>
If you are in a cli of an ec2, best way to do this is to use the IAM role attached to the instance which has permissions ec2:StartInstances and ec2:DescribeInstances for the target ec2.
Followed this link: Enabling cross-account access to Amazon EKS cluster resources
I can make a pod in an Amazon EKS cluster hosted in ci account interact and manage the AWS resources in a target account.
This is the aws config file:
[profile ci-env]
role_arn = arn:aws-cn:iam::CICD_ACCOUNT:role/eksctl-jenkins-cicd-demo-addon-iamserviceacc-Role1-1AQZO394370HE
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
region = cn-north-1
[profile target-env]
role_arn = arn:aws-cn:iam::TARGET_ACCOUNT:role/target-account-iam-role
source_profile = ci-env
role_session_name = xactarget
region = cn-north-1
When I run aws s3 ls --profile target-env, it worked and listed the s3 buckets in my target account.
Then, I want to deploy a cdk app on ci account which can create s3 bucket on target account.
But When I run cdk deploy --profile target-env, it appeared:
Need to perform AWS calls for account TARGET_ACCOUNT, but no credentials have been configured.
I am very confused and don't know how to solve it.
I am a beginner of aws service, thanks advance for helping me!
You need to bootstrap all of your (target) accounts to trust the CICD account.
Otherwise, you would have to create and manage the cross-account access by yourself.
IAM Roles + Policies (in all accounts)
S3 Bucket for artifacts + bucket policies (in CICD account)
Key Management Service -> Customer Managed Key + Policies to allow the target accounts
You can spot here an example architecture, which is applying that:
If it's possible for you, you might switch to the CDK Pipelines.
In this guide, also the bootstrapping (incl. trusting) is being applied and every step/resource mentioned from above is being created and properly configured.
It has a few drawbacks as of now, but it's in developer preview and has a quite decent usability and makes your life a lot easier already.
I want a aws master account, where i can manage other aws accounts/iam users. Is this achievable? I tried with AWS Organizations, but it does not applies for IAM users(Only account level). Please help
You could create a custom role in any account that you have, and the use aws-api to assume this role with an script.
For example, you create the role custom_role in everyaccount that you own.
Then you use aws sdk or cli to assume role
Configure role in credentials profile
[profile custom_role]
role_arn = arn:aws:iam::123456789012:role/custom_role
source_profile = default
Use aws api to create user in the other account
aws iam create-user --user-name user_test --profile custom_role
You could do the same thing through aws sdk (like boto3 in python). If you want to manage all accounts, you could develop some script that automate that work.
I have an ec2 instance configured with an IAM Role to read S3 in its own account. I configured a cross account role in another AWS account that has rights to create S3 buckets. I then gave the role that the ec2 instance is assigned access to the use the cross account role.
When I try to create the s3 bucket, it tries to create it in it's own account. How do I tell the aws cli to create the bucket in the other account?
Refer cross account python script https://blogs.aws.amazon.com/security/post/Tx70F69I9G8TYG/How-to-enable-cross-account-access-to-the-AWS-Management-Console
When you run it you will automatically redirect to cross account AWS Console...and if you don't want to run python script..login through switch role option.
Through cli you must have to run sts command...for example aws sts assume-role --role-arn crossSccountRoleARN --role-session-name "DemoRoleSession" > /tmp/assume-role-output.txt