Creating IAM assume-role relationship between two AWS accounts

In this post, I discuss step by step using AWS CLI how to create a trust relationship between a user in the Trusted account and a role in the Trusting account. The idea is, in the end, we will have the credentials of a user in the Trusted AWS account that can manage resources in the Trusting AWS account.

Note: If you work with AWS, IAM is a necessary concept, and I think time spent understanding that is rewarding. AWS docs are the best place to learn in detail about them. Here is the link to AWS Docs. I was particularly interested in AWS IAM Roles and found this note interesting.

So that we are all on the same page, here are some entities that we’ll be referring. Two AWS accounts -a trusted account and a trusting account, an IAM user created in the trusted account, a role created in the trusting account, an STS policy attached to the user in the trusted account, and an assume rule policy and a permissions policy attached to the role in the trusting account.

A role in AWS IAM is similar to an IAM user such that it has specific policies attached that determine the level of access to the resources listed in the policy. However, a role does not have an access key and secret key that an IAM user has. A role is assumed by an IAM user from the same account or from a different account with whom a trust relationship is set.

How does this work?
This concept involves two AWS accounts, and hence there is a list of actions to be performed on the trusting account and the trusted account. Before we delve deeper, let me differentiate between the two. A trusting account hosts the role to perform operations in the account. The trusted account hosts the user, which assumes the role in the trusting account.
42. Image-2
In 8 steps, I list how to setup the relationship using AWS CLI. Steps 1 to 4 are performed on the trusting account side and the rest on the trusted account side. And since we’re using the AWS CLI, ensure that we are logged into the correct account.

Step 1: Create a policy document JSON-file that has a Principal associated with the sts:AssumeRole action.
This policy states that any user that belongs to Principal can assume a role using this policy.
Here is the gist of that file.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::$(TrustedAccountID):root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}

I stored that file as assume-role-policy.json in a folder where I ran the rest of the AWS CLI commands.

Step 2: Create a role and associate the above policy document with that role.
The association implies that the role can now be assumed by any user that belongs to the Principal specified in the policy. The command to run is:
aws iam create-role --role-name "Assume-Role-1" --assume-role-policy-document file://assume-role-policy.json
The ARN of the role was included in the output I received. Please take note of that. It will be something like: "Arn": "arn:aws:iam::$(TrustingAccountID):role/Assume-Role-1"

Step 3: Create a policy from a policy document JSON-file that lists the kind of access and to which AWS resources.
Here is the JSON file of the policy which provides full access to S3.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}

I saved the policy document as assume-role-policy.json and used the below command to create the policy from the above policy document.
aws iam create-policy --policy-name Custom-Policy-For-Role-1 --policy-document file://role-policy.json
The ARN of the policy was included in the output. Please take note of that. It will be like:"Arn": "arn:aws:iam::$(TrustingAccountID):policy/Custom-Policy-For-Role-1"

Step 4: Attach policy to role
Attach the policy created in step 3 to the role created in step 2. This implies that the role has (a) permissions to perform specific actions on particular AWS resources only and (b) can be assumed by a user from the trusted account. The command to run that is:
aws iam attach-role-policy --role-name "Assume-Role-1" --policy-arn "arn:aws:iam::$(TrustingAccountID):policy/Custom-Policy-For-Role-1"
There is no output if the association is successful.

Now switch to the trusted account on AWS CLI.

Step 5: Create a user in the account
I used the below command to create a user.
aws iam create-user --user-name "user-1"
The ARN of the user was included in the output. Please take note of that. It will be something like: `”Arn”: “arn:aws:iam::$(TrustedAccoutID):user/user-1″`

Step 6: Create an sts:AssumeRole action policy from a policy document
Create a policy from a policy document JSON-file that allows the sts:AssumeRole action on the role in the trusting account.
Here is the gist of that file.

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::$(TrustingAccountID):role/Assume-Role-1"
}
]
}

The command to run is:
aws iam create-policy --policy-name Custom-Assume-Role-Policy --policy-document file://assume-role-policy-trusted.json
The ARN of the policy was included in the output. Please take note of that. It will be like: "Arn": "arn:aws:iam::$(TrustedAccoutID):policy/Custom-Assume-Role-Policy"

Step 7: Attach policy to the user
Attach the policy created in step 6 to the user created in step 5. I used the below command to attach the policy with the user.
aws iam attach-user-policy --policy-arn "arn:aws:iam::$(TrustedAccountID):policy/Custom-Assume-Role-Policy" --user-name "user-1"
There is no output if the association is successful.

Step 8: Generate access and secret key for the user and store them securely.
I used the below command to generate access keys for the user.
aws iam create-access-key --user-name "user-1"
I received the output that contained the AccessKeyId and SecretAccessKey. Store these keys securely.

After following the above eight steps, I managed resources in the trusting account using the credentials of the user in the trusted account. I hope you found this note helpful, and let me know if there are any questions or suggestions.

One thought on “Creating IAM assume-role relationship between two AWS accounts

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s