I have an ec2 instance configured with an IAM Role to read S3 in its own account. I configured a cross account role in another AWS account that has rights to create S3 buckets. I then gave the role that the ec2 instance is assigned access to the use the cross account role.
When I try to create the s3 bucket, it tries to create it in it's own account. How do I tell the aws cli to create the bucket in the other account?
Refer cross account python script https://blogs.aws.amazon.com/security/post/Tx70F69I9G8TYG/How-to-enable-cross-account-access-to-the-AWS-Management-Console
When you run it you will automatically redirect to cross account AWS Console...and if you don't want to run python script..login through switch role option.
Through cli you must have to run sts command...for example aws sts assume-role --role-arn crossSccountRoleARN --role-session-name "DemoRoleSession" > /tmp/assume-role-output.txt
Related
So I have created an IAM user and added a permission to access S3 then I have created an EC2 instance and SSH'ed into the it.
After giving "aws s3 ls" command, the reply was
"Unable to locate credentials. You can configure credentials by running "aws configure".
so what's the difference between giving IAM credentials(Key and Key ID) using "aws configure" and editing the bucket policy to allow s3 access to my instance's public IP.
Even after editing the bucket policy(JSON) to allow S3 access to my instance's public IP why am I not able to access the s3 bucket unless I use "aws configure"(Key and Key ID)?
Please help! Thanks.
Since you are using EC2 you should really use EC2 Instance Profiles instead of running aws configure and hard-coding credentials in the file system.
As for the your question of S3 bucket policies versus IAM roles, here is the official documentation on that. They are two separate tools you would use in securing your AWS account.
As for your specific command that failed, note that the AWS CLI tool will always try to look for credentials by default. If you want it to skip looking for credentials you can pass the --no-sign-request argument.
However, if you were just running aws s3 ls then that was trying to list all the buckets in your account, which you would have to have IAM credentials for. Individual bucket policies would not be taken into account in that scenario.
If you were running aws s3 ls s3://bucketname then that may have worked as aws s3 ls s3://bucketname --no-sign-request.
When you create iam user so there are two parts
policies
roles
Policies are attached to user, like what all services user can pr can't access
roles are attached to application, what all access that application can have
So you have to permit ec2 to access S3
There are two ways for that
aws configure
attach role to ec2 instance
while 1 is tricky and legthy , 2 is easy
Go to ec2-instance-> Actions -> Security -> Modify IAM role -> then select role (ec2+s3 access role)
thats it , you can simply do aws s3 ls from ec2 instance
Need to access cross account EC2 describe/start instance API via AWS CLI without configuring access/secret keys in "aws configure".
Assuming that you have default credentials stored for an account (Let's call it dev) but you want to run EC2 describe/start instance API on an instance which is in another account(Let's call it prod) via this account without configuring your prod credentials.
To achieve this you will use an IAM role, which has the EC2:describeInstance access needed in your Prod account. An authenticated user in your Dev account will assume a privileged IAM role in the Prod account with an API call to STS:AssumeRole. This API call will return temporary security credentials that the Dev user’s AWS CLI will automatically use to access resources in the Prod account.
You can set the credentials temporary via environment variables. If you pack this is an bash script, they only last for the execution.
#!/bin/bash
export AWS_ACCESS_KEY_ID=***
export AWS_SECRET_ACCESS_KEY=***
export AWS_DEFAULT_REGION=eu-central-1
aws ec2 <your command>
If you are in a cli of an ec2, best way to do this is to use the IAM role attached to the instance which has permissions ec2:StartInstances and ec2:DescribeInstances for the target ec2.
I provision an ec2 instance with a specific role. I want to the change the assumed role later form the ec2 cli to gain crross-account access, do something, and then switch back to my original role. How can I achieve this?
I'd use the ~/.aws/config file with the additional profile added.
Assuming that RoleA is your Instance Profile Role,
RoleB is the RoleB is the role you want to assume
RoleA has sts:assumerole
Update your ~/.aws/config to look like the following
[profile roleb]
role_arn = arn:aws:iam::123412341234:role/RoleB
region=us-east-1
credential_source = Ec2InstanceMetadata
So when you want to run the role from the assumed role b you would
aws s3 --profile roleb ls
For more info
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
You would not switch to another role. Rather, you would request temporary credentials associated with another role, then use those new credentials to make API calls.
The steps would be:
Call aws sts assume-role --role-arn arn:aws:iam::nnn:role/your-role --role-session-name foo
Grab the temporary credentials that are returned. I would recommend storing them in the ~/.aws/credentials file by using aws configure --profile role2
Then make API call with that role, such as: aws s3 ls --profile role2
To use the original credentials, just leave off the --profile.
I want a aws master account, where i can manage other aws accounts/iam users. Is this achievable? I tried with AWS Organizations, but it does not applies for IAM users(Only account level). Please help
You could create a custom role in any account that you have, and the use aws-api to assume this role with an script.
For example, you create the role custom_role in everyaccount that you own.
Then you use aws sdk or cli to assume role
Configure role in credentials profile
[profile custom_role]
role_arn = arn:aws:iam::123456789012:role/custom_role
source_profile = default
Use aws api to create user in the other account
aws iam create-user --user-name user_test --profile custom_role
You could do the same thing through aws sdk (like boto3 in python). If you want to manage all accounts, you could develop some script that automate that work.
I am trying to work out the logic flow for an AWS CloudFormation template that will assume an IAM role that can pull files from a S3 bucket in another AWS account.
What I have so far is:
accountA has a roleA
roleA has policy that allows sts:AssumeRole for a role in accountB :arn:aws:iam::11122233444:role/AllowPullS3
accountB has role(AllowPullS3) with
policy allow:s3 listBucket + get,put,delete
trust relationship for accountA :Action:"sts:AssumeRole"
If I create an EC2 instance manually with the IAM:roleA and then use the CLI to get the assume-role credentials, I can then pull the files from the other account's S3 bucket as expected.
But what do I need to put where in my accountA CF template that will allow the EC2 instance to assume roleB and pull the file from the accountB S3 bucket as part of the formation?
I have tried following a lot of tutorials such as this cfn-iam:init tutorial but still can not fully grasp what goes where.
Thanks for your advice.
Art
It is not possible to tell CloudFormation to assume another role.
However, if you have a CLI script/command that works on the Amazon EC2 instance, then just pass that script as User Data. The script will run when your instance starts. User Data can be passed in your CloudFormation template, where the EC2 instance is defined.
See: Running Commands on Your Linux Instance at Launch