I've created a cross-account IAM role in one of my accounts (say account A) and would like to attach that role to an EC2 instance in another account (account B).
I tried creating a new role in account B with sts:AssumeRole pointing to the role in A and attached it to an EC2 instance in B. Doesn't seem to be working.
How can the EC2 instance assume the cross-account role in A?
You cannot attach a cross-account IAM role to an EC2 instance directly. And having the sts:AssumeRole permission does not automatically make the one role assume into the other. Instead: Create your cross-account role in Account A. Give the role attached to your EC2 instance in Account B permission to call sts:AssumeRole on that role. Then, when you want to access the AWS API from your EC2 instance, call sts:AssumeRole to assume the cross-account role for Account A and obtain temporary credentials.
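As an added example (not code from the question or from any answer above), here are the two policy halves the answer describes and the STS call the instance makes, in Python; the account IDs, role names and the StubSts offline stand-in for boto3's STS client are constructed placeholders.

```python
import json

# Constructed placeholder account IDs and role names (not real accounts).
ACCOUNT_A = "111111111111"  # owns the cross-account role
ACCOUNT_B = "222222222222"  # owns the EC2 instance and its instance-profile role
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CrossAccountRole"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/Ec2InstanceRole"

def trust_policy_for_role_a(caller_role_arn: str) -> dict:
    """Trust policy on the role in Account A. Naming B's instance role as the
    principal (rather than arn:aws:iam::<B>:root) is the least-privilege form."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": caller_role_arn},
        "Action": "sts:AssumeRole"}]}

def permission_policy_for_role_b(target_role_arn: str) -> dict:
    """Permission policy on the instance role in B: sts:AssumeRole on A's role only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}

def handshake_complete(trust: dict, perms: dict, caller: str, target: str) -> bool:
    """Both halves are required: A must trust the caller AND the caller's own
    policy must allow sts:AssumeRole on A's role. Either one alone fails."""
    trusted = any(s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
                  and s["Principal"].get("AWS") == caller for s in trust["Statement"])
    permitted = any(s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
                    and s["Resource"] in (target, "*") for s in perms["Statement"])
    return trusted and permitted

def assume_cross_account(sts_client, role_arn: str, session_name: str) -> dict:
    """Call STS from the instance (boto3 picks up the instance-profile credentials
    automatically) and return temporary credentials scoped to Account A's role.
    sts_client is anything exposing boto3's assume_role(RoleArn=, RoleSessionName=)."""
    c = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}

class StubSts:
    """Constructed offline stand-in for boto3.client("sts") so the flow runs without AWS."""
    def assume_role(self, RoleArn, RoleSessionName):
        return {"Credentials": {"AccessKeyId": "ASIA_CONSTRUCTED", "SecretAccessKey": "x",
                                "SessionToken": "y", "Expiration": "2099-01-01T00:00:00Z"}}

if __name__ == "__main__":
    print(json.dumps(trust_policy_for_role_a(ROLE_B_ARN), indent=2))
    print(json.dumps(permission_policy_for_role_b(ROLE_A_ARN), indent=2))
    print(assume_cross_account(StubSts(), ROLE_A_ARN, "ec2-to-a"))
    # Real use: creds = assume_cross_account(boto3.client("sts"), ROLE_A_ARN, "ec2-to-a")
    # and boto3.client("s3", **creds) then acts with Account A's permissions.
```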
A cross-account IAM role is used to define access to resources in a single account, but it isn't restricted to users in a single account. For example, the EC2 servers in your staging environment can safely get access to an S3 bucket in production by using a properly defined role to do so.
In the Prod account, set up the Prod-Xacc-Access role, which will be a cross-account role. Navigate to IAM > Roles and click on Create New Role. Select Another AWS account, provide the Account ID, and click on Next:Permissions. Enter the AWS account ID of the AWS account which can assume this role.
To attach an IAM role to an instance: Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. In the navigation pane, choose Instances. Select the instance, choose Actions, Security, Modify IAM role. Select the IAM role to attach to your instance, and choose Save.