Cross-account access on AWS

Need a no-frills guide on cross-account access on AWS? Here it is!

Scenario

A user in AWS Account A wants to write to an S3 bucket in Account B.

Required permissions:

  1. The user in Account A must be allowed to assume a role in Account B.
  2. The role in Account B must trust Account A, so that principals from Account A can assume it.

How to

In the following example: Account A has id 111111111111, Account B has id 222222222222.

  1. In Account A, attach a policy to the IAM user that allows it to assume the role in Account B.

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::222222222222:role/role-in-accountb"
        }
    }
    
  2. In Account B, create a new role (e.g. role-in-accountb) and grant it access to the S3 bucket.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::cross-account-bucket/*"
            }
        ]
    }
    
  3. In Account B, attach a trust policy to the role so that principals in Account A can assume it. Note that the `:root` principal below trusts the whole of Account A; which users can actually switch is then decided by the policy from step 1.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::111111111111:root"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    

IAM configuration can be done via the AWS web console.
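Before clicking through the console, it is worth checking that the three documents above actually agree with each other: the step-1 resource must be the role ARN in Account B, the S3 ARN in step 2 must not carry an account id and needs an object key pattern for object actions, and the step-3 trust policy must name Account A. The following is an added example, not code from the original post; it embeds the policies from the guide with the account ids, role name and bucket name used above and checks them offline.

```python
import re

# Constructed values matching the guide: Account A, Account B, the role and bucket.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/role-in-accountb"

# Step 1 (in Account A), step 2 (role permissions in B), step 3 (trust policy in B).
ASSUME_IN_A = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}}
ROLE_PERMS_IN_B = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
    "Resource": "arn:aws:s3:::cross-account-bucket/*"}]}
TRUST_IN_B = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"}}]}

def as_list(value):
    """IAM accepts a single string or a list for Statement, Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def check_cross_account(assume_doc, perms_doc, trust_doc, account_a, role_arn):
    """Return the list of problems found; an empty list means the three documents agree."""
    problems = []
    # Step 1: Account A must allow sts:AssumeRole on exactly the role in Account B.
    if not any(st["Effect"] == "Allow"
               and "sts:AssumeRole" in as_list(st["Action"])
               and role_arn in as_list(st["Resource"])
               for st in as_list(assume_doc["Statement"])):
        problems.append(f"step 1: no Allow of sts:AssumeRole on {role_arn}")
    # Step 2: S3 ARNs carry no account id, and object actions need a key pattern (bucket/*).
    for st in as_list(perms_doc["Statement"]):
        object_actions = any("Object" in a for a in as_list(st["Action"]))
        for res in as_list(st["Resource"]):
            m = re.fullmatch(r"arn:aws:s3:::([a-z0-9.-]+)(/.*)?", res)
            if not m:
                problems.append(f"step 2: malformed S3 ARN {res}")
            elif re.fullmatch(r"\d{12}", m.group(1)):
                problems.append(f"step 2: bucket part of {res} looks like an account id")
            elif object_actions and not m.group(2):
                problems.append(f"step 2: object actions need a key pattern in {res}")
    # Step 3: the trust policy must name Account A (root or a principal inside it).
    principals = [p for st in as_list(trust_doc["Statement"]) if st["Effect"] == "Allow"
                  for p in as_list(st.get("Principal", {}).get("AWS", []))]
    if not any(f":{account_a}:" in p for p in principals):
        problems.append(f"step 3: trust policy does not name account {account_a}")
    return problems

if __name__ == "__main__":
    print(check_cross_account(ASSUME_IN_A, ROLE_PERMS_IN_B, TRUST_IN_B, ACCOUNT_A, ROLE_ARN))
```

An ARN of the form `arn:aws:s3:::222222222222/cross-account-bucket` is reported by the step-2 check, since S3 would read the account id as the bucket name.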

Testing

Role switching can be tested in the AWS console via the following URL.

https://signin.aws.amazon.com/switchrole?roleName=role-in-accountb&account=accountb

Do not forget to put the actual role name and account id in the query string. 😉

Role switching via AWS cli

Assuming a role via the AWS CLI is also very easy. Tweak your .aws/credentials configuration as in the following example.

[accounta]
aws_access_key_id=...
aws_secret_access_key=...

[roleb]
role_arn = arn:aws:iam::222222222222:role/role-in-accountb
source_profile = accounta

Then use the new credentials as usual.

❯ aws s3 cp test.txt s3://cross-account-bucket  --profile roleb