I have two AWS accounts - let's say A and B.
In account B, I have a role defined that allows access to another role from account A. Let's call it Role-B.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::********:role/RoleA" },
                "Action": "sts:AssumeRole"
            }
        ]
    }
In account A, I have defined a role that allows the root user to assume the role. Let's call it Role-A.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::********:root" },
                "Action": "sts:AssumeRole"
            }
        ]
    }
Role-A has the following policy attached to it:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::****:role/RoleB",
                "Effect": "Allow"
            }
        ]
    }
As a user in account A, I assumed Role-A. Now, using these temporary credentials, I want to assume Role-B and access the resource owned by account B. I have the code below:

    import boto3

    # INTERMEDIARY_IAM_ROLE_ARN is the ARN of Role-A (account A),
    # CUSTOMER_IAM_ROLE_ARN is the ARN of Role-B (account B); both are defined elsewhere.

    # First hop: assume Role-A with the caller's own credentials.
    client = boto3.client('sts')
    firewall_role_object = client.assume_role(
        RoleArn=INTERMEDIARY_IAM_ROLE_ARN,
        RoleSessionName=str("default"),
        DurationSeconds=3600)
    firewall_credentials = firewall_role_object['Credentials']

    # Build a second STS client from the temporary Role-A credentials.
    firewall_client = boto3.client(
        'sts',
        aws_access_key_id=firewall_credentials['AccessKeyId'],
        aws_secret_access_key=firewall_credentials['SecretAccessKey'],
        aws_session_token=firewall_credentials['SessionToken'],
    )

    # Second hop: assume Role-B in account B using the Role-A session.
    optimizely_role_object = firewall_client.assume_role(
        RoleArn=CUSTOMER_IAM_ROLE_ARN,
        RoleSessionName=str("default"),
        DurationSeconds=3600)
    print(optimizely_role_object['Credentials'])
This code works for the set of roles I got from my client but is not working for the roles I defined between two of the AWS accounts I have access to.
Create the IAM role and attach the policy

Because this IAM role is assumed by an IAM user, you must specify a principal that allows IAM users to assume that role. For example, a principal similar to arn:aws:iam::123456789012:root allows all IAM identities of the account to assume that role.
Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide. Of course, once you have created a role that you are capable of assuming, you need to actually "Assume" that role.
Thus, while you can assume multiple roles at the same time, each of those actions has a separate set of associated credentials, so it won't allow you to make requests that require you to have the permissions of more than one role for any given request.
To allow an IAM Role to assume another Role, we need to modify the trust relationship of the role that is to be assumed. This process varies depending on whether the roles exist within the same account or in separate accounts.
Finally got this working. The above configuration is correct. There was a spelling mistake in the policy.
I will keep this question here as it may help someone who wants to achieve double-hop authentication using roles.
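Since the failure here came down to a typo in a trust policy, a small offline check is worth having before wiring up the second hop. The following is an added example, not code from the question or the answers: it parses a trust policy like the ones above and flags a malformed, wildcard, or unexpected principal ARN. The sample policies and account ids are constructed placeholders.

```python
import json
import re

# IAM principals a trust policy should name: an account root or a specific role.
_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|role/[\w+=,.@/-]+)$")


def check_trust_policy(policy_text, expected_principal_arn):
    """Return a list of findings for a trust policy (empty list means it looks right).

    Every Allow/sts:AssumeRole statement must name well-formed IAM principals,
    the expected principal must be present, and no wildcard principal may appear
    (a wildcard would let any AWS account assume the role).
    """
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return ["policy is not valid JSON: %s" % exc]
    if policy.get("Version") != "2012-10-17":
        findings.append("unexpected or missing Version")
    seen = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions or stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else principal.get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for arn in principals:
            seen.append(arn)
            if arn == "*":
                findings.append("wildcard principal lets any AWS account assume the role")
            elif not _ARN_RE.match(arn):
                findings.append("malformed principal ARN: %r" % arn)
    if expected_principal_arn not in seen:
        findings.append("expected principal %s not found" % expected_principal_arn)
    return findings


# Constructed samples (placeholder account id): a correct Role-B trust policy,
# and one with a typo (a missing colon) of the kind that silently breaks the second hop.
ROLE_A_ARN = "arn:aws:iam::111111111111:role/RoleA"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_A_ARN}, "Action": "sts:AssumeRole"}]})
TYPO_POLICY = GOOD_POLICY.replace("iam::", "iam:")

if __name__ == "__main__":
    print(check_trust_policy(GOOD_POLICY, ROLE_A_ARN))   # []
    print(check_trust_policy(TYPO_POLICY, ROLE_A_ARN))   # two findings
```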