Day 7- Delegate Access Across AWS Accounts Using IAM Roles
Cross-account access lets a principal in one AWS account use resources that live in another account, e.g. a user in Account B (Developer) gets read-only access to an S3 bucket in Account A (Production).
- We don't need to set up an individual IAM user in each account.
- The user doesn't need to sign out of one account and sign into another to reach the resources.
- You need two AWS accounts: Account A (PROD) and Account B (Developer).
- An S3 bucket has already been created in Production Account A.
Create an IAM Role in Account A (this is what establishes the trust between the two accounts)
- Go to IAM console https://console.aws.amazon.com/iam/home?region=us-west-2#/home
- Click on Roles, Create role
- This time, select Another AWS account and enter Account ID of Account B
- On the next screen choose S3ReadOnlyPolicy
- Click Next, give your Role a name and click Create role at the bottom of the screen
- Note down the Role ARN; we need it later
Grant Access to the role (this decides which users in Account B are allowed to switch to the role)
- Go to the Role we have just created
- Click on Trust relationships → Edit trust relationships
- As you can see, by default only the root of Account B is trusted to call AssumeRole, which in practice means any IAM principal in Account B whose own permissions allow sts:AssumeRole on this role can use it. Replace it with the ARN of the specific user who should assume this role (arn:aws:iam::XXXX:user/plakhera) and click on Update policy
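The trust-policy edit described above, as an added Python example (not code from the original post): it takes the default trust policy the console generates for "Another AWS account", lists who may call sts:AssumeRole, and narrows the account-root principal down to the single user ARN. The account IDs are constructed placeholders; the user name plakhera is the one used in the post.

```python
import json
import re

# Constructed sample: the trust policy AWS generates when you pick
# "Another AWS account" and enter Account B's ID. The ID is a placeholder.
ACCOUNT_B_ID = "222222222222"
DEFAULT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B_ID}:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")
_USER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):user/[\w+=,.@-]+$")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(policy):
    """Return every AWS principal that an Allow statement lets call sts:AssumeRole."""
    principals = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals.extend(_as_list(stmt.get("Principal", {}).get("AWS", [])))
    return principals


def narrow_trust_policy(policy, user_arn):
    """Return a copy of the policy where the account-root principal of the
    user's own account is replaced by that single user (least privilege)."""
    m = _USER_ARN.match(user_arn)
    if not m:
        raise ValueError(f"not an IAM user ARN: {user_arn}")
    user_account = m.group(1)
    new_policy = json.loads(json.dumps(policy))  # deep copy, original untouched
    for stmt in new_policy.get("Statement", []):
        aws = stmt.get("Principal", {}).get("AWS")
        if aws is None:
            continue
        replaced = []
        for principal in _as_list(aws):
            root = _ROOT_ARN.match(principal)
            if root and root.group(1) == user_account:
                replaced.append(user_arn)
            else:
                replaced.append(principal)  # other accounts' principals are left alone
        stmt["Principal"]["AWS"] = replaced[0] if len(replaced) == 1 else replaced
    return new_policy


def trusts_only(policy, user_arn):
    """True if the given user is the only principal able to assume the role."""
    return assume_role_principals(policy) == [user_arn]


if __name__ == "__main__":
    user = f"arn:aws:iam::{ACCOUNT_B_ID}:user/plakhera"
    print("before:", assume_role_principals(DEFAULT_TRUST_POLICY))
    narrowed = narrow_trust_policy(DEFAULT_TRUST_POLICY, user)
    print("after: ", assume_role_principals(narrowed))
    print(json.dumps(narrowed, indent=2))
```

Paste the printed policy into Trust relationships → Edit trust relationships; `trusts_only` is the check worth keeping in a pipeline so that a later edit cannot quietly widen the trust back to the whole account.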
Test access by switching the role
- Go back to the account menu, but this time click on Switch Role
- Fill in all the details:
  * Account: the Prod/Account A ID
  * Role: the role we created in Step 1, S3ReadOnlyAccesstoDevAccount (don't give the full ARN here, just the role name)
  * Display Name: any display name
  * Click Switch Role
NOTE: You cannot switch to a role when you are signed in as the AWS account root user.
- Now go to the S3 console and try to access the S3 bucket that lives in Account A.
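The switch-role test above, as an added Python example (not code from the original post): it extracts the bare role name from the Role ARN noted earlier (the form wants the name, not the ARN), builds the console deep link that prefills the Switch Role form, gives the equivalent `aws sts assume-role` call for testing from a terminal in Account B, and checks that the assumed-role ARN STS hands back really belongs to the expected role in Account A. All account IDs and the session name are constructed placeholders.

```python
import re
from urllib.parse import urlencode

_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
_ASSUMED_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")


def role_name_from_arn(role_arn):
    """Return just the role name from a role ARN (any path prefix is dropped)."""
    m = _ROLE_ARN.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return m.group(2).rsplit("/", 1)[-1]


def switch_role_url(account_id, role_name, display_name):
    """Build the console link that prefills Account, Role and Display Name."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    query = urlencode(
        {"account": account_id, "roleName": role_name, "displayName": display_name}
    )
    return "https://signin.aws.amazon.com/switchrole?" + query


def assume_role_command(role_arn, session_name):
    """CLI equivalent of Switch Role, run with Account B credentials."""
    return [
        "aws", "sts", "assume-role",
        "--role-arn", role_arn,
        "--role-session-name", session_name,
    ]


def assumed_role_matches(assumed_arn, role_arn):
    """Check AssumedRoleUser.Arn from STS names the expected account and role."""
    assumed = _ASSUMED_ARN.match(assumed_arn)
    role = _ROLE_ARN.match(role_arn)
    if not assumed or not role:
        return False
    return assumed.group(1) == role.group(1) and assumed.group(2) == role_name_from_arn(role_arn)


if __name__ == "__main__":
    # Constructed placeholders for Account A and the role created in Step 1.
    role_arn = "arn:aws:iam::111111111111:role/S3ReadOnlyAccesstoDevAccount"
    print(switch_role_url("111111111111", role_name_from_arn(role_arn), "Prod S3 RO"))
    print(" ".join(assume_role_command(role_arn, "dev-test")))
    # Constructed sample of what STS returns on success.
    sts_arn = "arn:aws:sts::111111111111:assumed-role/S3ReadOnlyAccesstoDevAccount/dev-test"
    print("assumed the expected role:", assumed_role_matches(sts_arn, role_arn))
```

After switching, the console shows the display name in the account menu, and `aws sts get-caller-identity` (run with the temporary credentials from assume-role) returns the same assumed-role ARN that `assumed_role_matches` checks; if it shows Account B's user instead, the switch did not happen and any S3 listing you see is coming from the wrong account.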
Looking forward to you guys joining this journey and spending a minimum of an hour every day for the next 100 days on AWS work and posting your progress.