100 Days of AWS — Day 7— Delegate Access Across AWS Accounts Using IAM Roles
To view the complete course, please enroll using the link below (it's free)
https://www.101daysofdevops.com/courses/100-days-of-aws/
Welcome to Day 7 of 100 Days of AWS. The topic for today is Delegate Access Across AWS Accounts Using IAM Roles.
Cross-account access lets principals in one AWS account use resources that live in another, for example a user in Account B (Developer) who needs read-only access to an S3 bucket in Account A (Production). Instead of creating a second identity in Account A, the user assumes an IAM role in Account A that Account A has chosen to trust.
Advantage
- No need to create and manage a separate IAM user (and another set of long-term credentials) in each account
- The user does not have to sign out of one account and sign in to another to reach the resource; they switch to the role within the same session and get temporary credentials
Pre-requisites
- Two AWS accounts: Account A (Production) and Account B (Developer)
- An S3 bucket already created in Account A (Production)
Create an IAM Role in Account A (this role is what establishes the trust between the two accounts: its trust policy says who in Account B may assume it, and its permissions policy says what they may do)
- Go to IAM console https://console.aws.amazon.com/iam/home?region=us-west-2#/home
- Click on Roles, Create role
- Under trusted entity select Another AWS account and enter the account ID of Account B
- On the permissions screen attach a read-only S3 policy: the AWS managed AmazonS3ReadOnlyAccess, or better, a custom policy scoped to just the one bucket the developers need
- Click Next, give the role a name (this post uses S3ReadOnlyAccesstoDevAccount) and click Create role at the bottom of the screen
- Note down the role ARN; you need it when granting permission in Account B and when switching roles
Narrow the trust policy (this controls which principals in Account B are allowed to switch to the role)
- Open the role you have just created
- Click on Trust relationships → Edit trust relationship
- The generated policy trusts arn:aws:iam::<Account B ID>:root. Despite the name, this does not restrict access to the root user: it delegates to Account B as a whole, so any user or role in Account B whose own IAM policy allows sts:AssumeRole could assume it. Replace it with the ARN of the specific user who should assume this role (arn:aws:iam::XXXX:user/plakhera) and click on Update policy
- The trust policy alone is not enough for cross-account access: that user also needs an identity-based policy in Account B that allows sts:AssumeRole on the role ARN. An administrator user already has this; a plain developer user does not, so attach such a policy in Account B before testing
Test access by switching roles
- Sign in to Account B as that user, open the account menu in the top-right corner and click on Switch Role
- Fill in the details
* Account: the account ID of Account A (Prod)
* Role: the name of the role created above, S3ReadOnlyAccesstoDevAccount (the role name only, not the full ARN)
* Display Name: any display name
* Click Switch Role
NOTE: You cannot switch to a role when you are signed in as the AWS account root user.
- Now go to the S3 console and open the bucket that lives in Account A. Listing and downloading objects should work; uploading or deleting an object should be denied, which confirms the role carries only the read-only policy.
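The same setup expressed as policy documents and an STS call, as an added example that is not part of the original post. It builds the trust policy for the role in Account A (the account-root form the console generates, and the narrowed user-specific form), the identity-based policy Account B must attach to the developer so they may call sts:AssumeRole, and a small checker that shows why the root principal trusts the whole account. The account IDs, the bucket name and the optional MFA condition are assumptions for illustration; the boto3 call at the end is the programmatic equivalent of the console's Switch Role and is only run when you call it with real credentials.

```python
"""Cross-account role delegation: policies and role assumption (added example)."""
import json

# Placeholder account IDs and names (assumptions, not values from the post).
PROD_ACCOUNT_ID = "111111111111"   # Account A (Production), owns the bucket
DEV_ACCOUNT_ID = "222222222222"    # Account B (Developer), owns the user
ROLE_NAME = "S3ReadOnlyAccesstoDevAccount"
DEV_USER_ARN = f"arn:aws:iam::{DEV_ACCOUNT_ID}:user/plakhera"


def role_arn(account_id, role_name):
    """ARN of the role that lives in Account A."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(principal_arn, require_mfa=False):
    """Trust policy for the role in Account A.

    principal_arn may be the account root (arn:aws:iam::<B>:root), which
    trusts every principal in Account B that has sts:AssumeRole permission,
    or a single user/role ARN, which trusts only that identity.
    require_mfa adds a condition (an added hardening, not in the post's steps).
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_permission(target_role_arn):
    """Identity-based policy attached to the user in Account B.

    Cross-account AssumeRole needs both this policy (caller side) and the
    trust policy above (role side); an admin user in B already has it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def is_trusted(policy, caller_arn):
    """Simplified trust check: does an Allow statement for sts:AssumeRole name
    the caller, or the caller's account root?  Ignores Deny and Conditions,
    so it only illustrates how the Principal element is matched."""
    caller_account = caller_arn.split(":")[4]
    account_root = f"arn:aws:iam::{caller_account}:root"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            # A bare 12-digit account ID is shorthand for the account root.
            if p in (caller_arn, account_root, caller_account):
                return True
    return False


def list_bucket_via_role(target_role_arn, bucket, session_name="dev-readonly"):
    """Programmatic Switch Role: assume the role in A, then list the bucket.
    Requires boto3 and Account B credentials; not executed at import time."""
    import boto3  # imported here so the module loads without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=target_role_arn, RoleSessionName=session_name, DurationSeconds=3600
    )["Credentials"]
    s3 = boto3.client(
        "s3",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return [obj["Key"] for obj in s3.list_objects_v2(Bucket=bucket).get("Contents", [])]


if __name__ == "__main__":
    arn = role_arn(PROD_ACCOUNT_ID, ROLE_NAME)
    print("Trust policy (narrowed to one user):")
    print(json.dumps(trust_policy(DEV_USER_ARN), indent=2))
    print("Permission policy for the user in Account B:")
    print(json.dumps(assume_role_permission(arn), indent=2))
```

Run the module to print both JSON documents, ready to paste into the role's trust relationship and into an inline policy on the Account B user. Calling list_bucket_via_role with the role ARN and a bucket name from a shell that holds Account B credentials returns the object keys if the role is read-only; an attempt to put_object with the same session would be denied.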
Looking forward to you guys joining this journey and spending a minimum of an hour every day for the next 100 days on AWS work and posting your progress.