EC2 instance with a cross account IAM role
You cannot attach a cross-account IAM role to an EC2 instance directly. And having the sts:AssumeRole permissions does not automatically make the one role assume into the other.
Instead:
- Create your cross-account role in Account A.
- Create an IAM role for EC2 instances in Account B. Give this role permissions to execute
sts:AssumeRole. - Assign the IAM role from #2 to your EC2 instance.
Then, when you want to access the AWS API from your EC2 instance:
- Execute
sts:AssumeRoleto assume the cross-account role for Account A, to obtain temporary credentials. - Use those temporary credentials to execute the rest of your API methods.
Supposing the scenario with two accounts A & B the explanatory steps should be:
- In account A, I created a role (e.g
RoleForB) to trust account B, and attach to the before created role a IAM policy to allow it to perform some read operations in account A.e.g ReadOnlyAccess - In account B, I created a role (e.g
AssumeRoleInA) and attach a policy to allow it to assume the role that is created in account A. - In account B Associate to your EC2 instance
ec2-profilethe IAM role (AssumeRoleInA) created in step 2. - In account B login into this EC2 instance to assume the role in Account A using the command
aws sts assume-role --role-arn "arn:aws:iam::Account_A_ID:role/RoleForB" --role-session-name "EC2FromB". - In account B EC2 terminal when the command is step 4. finished, you can see the access key ID, secret access key, and session token from wherever you've routed it, in our case
stdouteither manually or by using a script. You can then assign these values to environment variables (AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_SESSION_TOKEN)
So Let’s check the configurations mentioned above step by step but with some mode detail:
- As before presented in account A, it builds the trust to account B by creating the role named
RoleForBand attachingReadOnlyAccesspermission to it.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::Account_B_ID:root"},
"Action": "sts:AssumeRole"
}
}
- In account B, create a role named
AssumeRoleInAthen attach the correspondingpolicyto allow it to assume the role namedRoleForBin account A.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::Account_A_ID:role/RoleForB"
]
}
]
}
- In account B, create a new EC2 instance (if it does not exists yet), and associate it's ec2-profile with the IAM role named
AssumeRoleInA.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}
- In account B login into this EC2 instance to assume the role in Account A using the command:
aws sts assume-role --role-arn "arn:aws:iam::Account_A_ID:role/RoleForB" --role-session-name "EC2FromB"`
eg:
jenkins@bb-jenkins-vault:~$ aws sts assume-role --role-arn arn:aws:iam::521111111144:role/DeployMaster --role-session-name "project-dev-jenkins-deploy"
{
"AssumedRoleUser": {
"AssumedRoleId": "AROAJBXGEHOQBXGEHOQ:project-dev-jenkins-deploy",
"Arn": "arn:aws:sts::521111111144:assumed-role/DeployMaster/project-dev-jenkins-deploy"
},
"Credentials": {
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"SessionToken": "FQoGZXIvYXCUm8iG6/zLdQ7foognvCDpxKP7cRJiZgc...CUm8iG6/zLdQ7foognvCDpxKP7c+OQF",
"Expiration": "2019-03-29T15:41:02Z",
"AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
}
}
- In account B EC2 terminal when the command is step 4. finished, you can see the access key ID, secret access key, and session token from wherever you've routed it, in our case
stdouteither manually or by using a script. You can then assign these values to environment variables
$ export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_SESSION_TOKEN=FQoGZXIvYXCUm8iG6/zLdQ...<remainder of security token>
$ aws ec2 describe-instances --region us-east-1
complementary reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html