Saturday, 9 September 2023

Tutorial to provide cross account access using IAM role



Objectives:

Learn to create an IAM role that provides cross-account access to an S3 bucket.


Prerequisites:

· 2 AWS Accounts: Account A (Production) and Account B (Development)

· Account A with a user having administrative permissions.


Log in to Account A (Production) as an admin user and perform steps 1 and 2.


Step 1: In AWS Management Console, go to IAM service console.

In the side panel, click on Roles under Access management.

Click on Create Role.

For Select Trusted Entity, under Trusted entity type, select AWS account.

Scroll down, and select Another AWS account radio button. Enter the Account ID number of the account that you want to delegate access to.

Leave the other options unselected. Go to next step.

Under Add Permissions, search and select AmazonS3ReadOnlyAccess. Proceed to next step.

In the next step, enter a suitable role name and description.

Role name: CrossAccountRoleS3

Description: A Role to delegate S3 access to another AWS account

Go through the details. Scroll down and click on Create Role.

Confirm the role is created. Click on the role.

In the next screen, copy the Link to switch roles in console. Store it for further use.


Also, copy the role ARN and store it for further use.


Step 2: Go to S3 console and create a bucket as follows.

Add an object or image.

This bucket will be required for further cross referencing.


Log in as the admin user of Account B (Development) and perform steps 3, 4, 5 and 6.


Step 3: Create a custom policy


In IAM, on the left pane, click on Policies and click on Create Policy.

Under JSON, paste the following policy, replacing the Resource value with the role ARN copied from Account A in Step 1.

Code Snippet:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/CrossAccountRoleS3"
        }
    ]
}

Click on Next:Tags, Next:Review.

Enter the name of the policy as CrossAccountPolicy.

Provide the description as Policy for Cross Account Access. Create the Policy.


Step 4: We will create a user.

In AWS Management Console, go to IAM service console.

In the side panel, click on Users under Access management.

Under Set user details, give a suitable name.

User name: EC2UserForCrossAccount

Check the Password – AWS Management Console access checkbox.

Select the Custom password radio button. Provide a password of your choice.

Uncheck Require password reset.

Continue to Next: permissions.

Select Attach existing policies directly.

Search and select AmazonEC2FullAccess policy and the created CrossAccountPolicy.

Proceed to the last step, Review. Review the details and create the user (EC2UserForCrossAccount).


Log out and log back in as the created user.


Step 5: Share the switch role link stored previously with the owner of Account B.

Once the link is clicked, it will open in a new tab of the user's browser window.

Ideally the first two text boxes of Account and Role should be auto filled.

Enter a suitable Display Name. Select Colour.

Click on Switch Role.

You will be welcomed to AWS Console. Here the user EC2UserForCrossAccount of Account B has assumed the role of CrossAccountRoleS3.

Thus, although this user's own permissions are limited to EC2 full access, the user has S3 read permissions while the role is assumed.


Step 6: To confirm this, you may go to S3 console. The bucket created in Account A will be visible to this user.

Thus we have successfully established cross account access.
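The switch in Step 5 only works when both sides agree: the role's trust policy in Account A (Step 1) and the user's CrossAccountPolicy in Account B (Step 3). The following is an added example, not part of the original tutorial: a simplified offline model of that two-sided check (no Deny statements, conditions or SCPs). The account IDs are constructed placeholders and the trust policy shape is an assumption about what the console attaches in Step 1.

```python
import fnmatch

# Constructed placeholder account IDs; role and user names are the tutorial's.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CrossAccountRoleS3"
USER_ARN = f"arn:aws:iam::{ACCOUNT_B}:user/EC2UserForCrossAccount"

# Assumed shape of the trust policy on the role in Account A (Step 1).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"}}]}

def cross_account_policy(resource):
    """Step 3 identity policy in Account B with the given Resource value."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": resource}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_ok(statement):
    # Action names are case-insensitive and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase("sts:assumerole", a.lower())
               for a in _as_list(statement.get("Action", [])))

def identity_allows(policy, role_arn):
    """Account B side: does an Allow statement cover sts:AssumeRole on role_arn?"""
    return any(
        st.get("Effect") == "Allow" and _action_ok(st)
        and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(st.get("Resource", [])))
        for st in _as_list(policy["Statement"]))

def trust_allows(trust, caller_arn):
    """Account A side: does the trust policy name the caller or the caller's account?"""
    account = caller_arn.split(":")[4]
    trusted = {caller_arn, account, f"arn:aws:iam::{account}:root"}
    return any(
        st.get("Effect") == "Allow" and _action_ok(st)
        and bool(trusted & set(_as_list(st.get("Principal", {}).get("AWS", []))))
        for st in _as_list(trust["Statement"]))

def can_assume(identity_policy, trust, caller_arn, role_arn):
    # Cross-account: BOTH the caller's policy and the role's trust policy must allow it.
    return identity_allows(identity_policy, role_arn) and trust_allows(trust, caller_arn)

if __name__ == "__main__":
    for resource in (ROLE_ARN, f"arn:aws:iam::{ACCOUNT_A}:role", "*"):
        ok = can_assume(cross_account_policy(resource), TRUST_POLICY, USER_ARN, ROLE_ARN)
        print(f"Resource={resource!r} -> can assume: {ok}")
```

A Resource value that stops at `:role` without the role name never matches, while `*` matches every role that trusts Account B, which is why the policy should carry the exact role ARN.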


Note: If you no longer need these resources, empty and delete the bucket in Account A. Log out of the Account B user; you may delete that user as well.