DVA_EN

Delegate access rights between AWS accounts using cross-account roles

スポンサーリンク
Delegate access rights across AWS accounts using IAM roles. DVA_EN
スポンサーリンク
スポンサーリンク

Delegate access privileges between AWS accounts using cross-account roles

Accessing a specific AWS resource from another AWS account is called cross-account access.

You share resources in one account with users in a different account. By setting up cross-account access in this way, you don’t have to create individual IAM users in each account.

IAM tutorial: Delegate access across AWS accounts using IAM roles

This page will review the cross-account access procedures with reference to the following page.

IAM tutorial: Delegate access across AWS accounts using IAM roles - AWS Identity and Access Management
Learn the steps for delegating API access in your AWS account to an AWS Identity and Access Management (IAM) user in another account. (First of four).

Environment

Diagram of delegate access rights across AWS accounts using IAM roles.

Two AWS accounts will be used.

The first account will create two resources.

The first will create parameters in the SSM parameter store.
The second creates an IAM role.
This IAM role has permissions to access the SSM parameter store as described above.

The second account assumes this IAM role.
After assuming the role, verify that the SSM parameter store is accessible.

CloudFormation template files

The above configuration is built using CloudFormation.
We have placed the CloudFormation templatse at the following URL

https://github.com/awstut-an-r/awstut-dva/tree/main/02/002

Explanation of key points of the template files

(Reference) SSM Parameter Store

Resources:
  Parameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "${Prefix}-Parameter"
      Type: String
      Value: Test Parameter
Code language: YAML (yaml)

Create an SSM parameter as a resource for verification.
No special configuration is required.

IAM Role

Resources:
  SSMParameterRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS: !Ref CrossAccountId
      Policies:
        - PolicyName: !Sub "${Prefix}-GetParameterPolicy"
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ssm:DescribeParameters
                Resource: "*"
              - Effect: Allow
                Action:
                  - ssm:GetParameter
                Resource:
                  - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${Parameter}"
Code language: YAML (yaml)

The key point is the trust policy.
The Principal property specifies the ID of the account with cross account access.

The inline policy defines access privileges to the SSM parameter store.
The following page was used as a reference to set this up.

Restricting access to Systems Manager parameters using IAM policies - AWS Systems Manager
Restrict access to Systems Manager parameters by using IAM policies.

Architecting

Use CloudFormation to build this environment and check the actual behavior.

Create CloudFormation stacks and check resources in stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page

After checking the resources in each stack, information on the main resources created this time is as follows

  • SSM Parameter: dva-02-002-Parameter
  • IAM role: dva-02-002-IAMStack-3A259XLV4A28-SSMParameterRole-1E0267AH90Z9O

Check each resource from the AWS Management Console.

Check the SSM parameters.

Detail of SSM 1.

Parameters are indeed created.

Check the IAM role.

Detail of IAM 1.
Detail of IAM 2.

Looking at the permissions, we see that permissions are set to access the SSM parameters mentioned above.

Looking at the trust relationship, the ID of the account with cross account access (the root user of the account) is set as the principal.

Checking Action

Now that everything is ready, we can perform cross-account access.

Open the management console of the account to be cross accessed and click “Switch role”.

Detail of IAM 3.

Enter the information of the role to be assumed and click “Switch Role”.

Detail of IAM 4.

If the role is successfully assumed, the role will be displayed in the upper right corner.

Detail of IAM 5.

Open the EC2 page as a test.

Detail of IAM 6.

Errors are displayed in all fields.
This is because the currently assumed role does not allow permissions on EC2.

Check the SSM parameter store again.

Detail of SSM 2.

The parameters we just checked are now displayed.

Check the details.

Detail of SSM 3.

You can also check the value of the parameter.

By assuming a cross-account role in this way, you can access the resources of another account.

Summary

We have seen how to delegate access privileges between AWS accounts using cross-account roles.

タイトルとURLをコピーしました