I want a aws master account, where i can manage other aws accounts/iam users. Is this achievable? I tried with AWS Organizations, but it does not applies for IAM users(Only account level). Please help
You could create a custom role in any account that you have, and the use aws-api to assume this role with an script.
For example, you create the role custom_role in everyaccount that you own.
Then you use aws sdk or cli to assume role
Configure role in credentials profile
[profile custom_role]
role_arn = arn:aws:iam::123456789012:role/custom_role
source_profile = default
Use aws api to create user in the other account
aws iam create-user --user-name user_test --profile custom_role
You could do the same thing through aws sdk (like boto3 in python). If you want to manage all accounts, you could develop some script that automate that work.
Related
Need to access cross account EC2 describe/start instance API via AWS CLI without configuring access/secret keys in "aws configure".
Assuming that you have default credentials stored for an account (Let's call it dev) but you want to run EC2 describe/start instance API on an instance which is in another account(Let's call it prod) via this account without configuring your prod credentials.
To achieve this you will use an IAM role, which has the EC2:describeInstance access needed in your Prod account. An authenticated user in your Dev account will assume a privileged IAM role in the Prod account with an API call to STS:AssumeRole. This API call will return temporary security credentials that the Dev user’s AWS CLI will automatically use to access resources in the Prod account.
You can set the credentials temporary via environment variables. If you pack this is an bash script, they only last for the execution.
#!/bin/bash
export AWS_ACCESS_KEY_ID=***
export AWS_SECRET_ACCESS_KEY=***
export AWS_DEFAULT_REGION=eu-central-1
aws ec2 <your command>
If you are in a cli of an ec2, best way to do this is to use the IAM role attached to the instance which has permissions ec2:StartInstances and ec2:DescribeInstances for the target ec2.
Followed this link: Enabling cross-account access to Amazon EKS cluster resources
I can make a pod in an Amazon EKS cluster hosted in ci account interact and manage the AWS resources in a target account.
This is the aws config file:
[profile ci-env]
role_arn = arn:aws-cn:iam::CICD_ACCOUNT:role/eksctl-jenkins-cicd-demo-addon-iamserviceacc-Role1-1AQZO394370HE
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
region = cn-north-1
[profile target-env]
role_arn = arn:aws-cn:iam::TARGET_ACCOUNT:role/target-account-iam-role
source_profile = ci-env
role_session_name = xactarget
region = cn-north-1
When I run aws s3 ls --profile target-env, it worked and listed the s3 buckets in my target account.
Then, I want to deploy a cdk app on ci account which can create s3 bucket on target account.
But When I run cdk deploy --profile target-env, it appeared:
Need to perform AWS calls for account TARGET_ACCOUNT, but no credentials have been configured.
I am very confused and don't know how to solve it.
I am a beginner of aws service, thanks advance for helping me!
You need to bootstrap all of your (target) accounts to trust the CICD account.
Otherwise, you would have to create and manage the cross-account access by yourself.
IAM Roles + Policies (in all accounts)
S3 Bucket for artifacts + bucket policies (in CICD account)
Key Management Service -> Customer Managed Key + Policies to allow the target accounts
You can spot here an example architecture, which is applying that:
If it's possible for you, you might switch to the CDK Pipelines.
In this guide, also the bootstrapping (incl. trusting) is being applied and every step/resource mentioned from above is being created and properly configured.
It has a few drawbacks as of now, but it's in developer preview and has a quite decent usability and makes your life a lot easier already.
I have a AWS account created under an Organization. Say Account ID : 12345. It is a parent account. Now i have new Role created, Say Account ID : 67890. I have switched my role from parent account to the new one. But when i execute the cloud formation template from AWS cli. It is still trying to create env in my parent account (i.e,12345) instead of the new account.
My question is - How can i execute/create env using CFT from AWS Cli in my new account (ie, 67890) ? or is there a way to specify Account id in which the env should be created ?
You most likely forgot to configure your AWS CLI to use credentials from the linked account. You may create a new profile and specify it when you run the CLI command. Example:
aws configure --profile=account2
aws --profile=account2 cloudformation create-stack ...
If you are unable to setup an IAM credential on Account2, you may try to setup CLI to use the cross-account role you already have. You'll need to manually add the following block to your ~/.aws/config file:
[profile account2]
role_arn = arn:aws:iam::123456789012:role/account2role
source_profile = account1
Replace 123456789012 and account2role with their corresponding values.
I am trying to access a Cognito user pool from a different AWS account using the CLI. I can do this just fine from API Gateway where the user pool is setup as an authorizer, but from the CLI it just says this user pool does not exist. Is there a way to tell the CLI to look for the user pool in a different account than the one I am in? I can do this if I switch roles, however I would prefer to avoid that.
Instead of switching roles, you can specify a profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html).
For example, in ~/.aws/config you might have:
[profile another]
role_arn = arn:aws:iam::account:role/OrganizationAccountAccessRole
source_profile = default
(n.b. your role_arn should be whatever your cross-account role arn actually is)
Then you can use the --profile argument in the cli to adopt another role without affecting further commands &c.
For example:
aws cognito-idp initiate-auth --client-id=$CLIENT_ID --auth-flow='USER_PASSWORD_AUTH' --profile=another --region=eu-west-2 --auth-parameters USERNAME='me#example.com',PASSWORD='password'
I have an ec2 instance configured with an IAM Role to read S3 in its own account. I configured a cross account role in another AWS account that has rights to create S3 buckets. I then gave the role that the ec2 instance is assigned access to the use the cross account role.
When I try to create the s3 bucket, it tries to create it in it's own account. How do I tell the aws cli to create the bucket in the other account?
Refer cross account python script https://blogs.aws.amazon.com/security/post/Tx70F69I9G8TYG/How-to-enable-cross-account-access-to-the-AWS-Management-Console
When you run it you will automatically redirect to cross account AWS Console...and if you don't want to run python script..login through switch role option.
Through cli you must have to run sts command...for example aws sts assume-role --role-arn crossSccountRoleARN --role-session-name "DemoRoleSession" > /tmp/assume-role-output.txt