AWS Cross-Account Connectivity Implementation

Praveen Muppala
3 min read · Apr 24, 2021

Multiple AWS accounts and cross-account connectivity have become a common scenario for most customers. Junior cloud engineers often struggle to understand and configure cross-account communication using the AssumeRole concept.

So I wrote this post to explain cross-account communication between two AWS accounts and the configuration required on each of them. It is aimed at newbies and junior cloud engineers.

Use Case Scenario:

There are several use cases for cross-account communication; I will take one of them to explain the solution.

An EC2 instance in OperationsAWSAccount needs to call the Lambda, RDS, and ECS services to create and manage resources in another AWS account, ProductionAWSAccount.

See the diagram for the above use case:

Figure: Cross-Account Connectivity Use Case

We can achieve this with an IAM role in each account and the STS AssumeRole call: the EC2 instance's own role in OperationsAccount is allowed to assume a role in ProductionAccount, and that role trusts it back.

Implementing the Solution:

Create an IAM role in ProductionAccount that has a trust relationship with OperationsAccount, and attach the AWS managed full-access policies for the Lambda, RDS, and ECS services. Full-access policies are the quickest way to get the demo working; in a real deployment, scope the role down to the actions and resources the Operations instance actually needs.

Log in to the Production AWS account → IAM → Roles → Create role → Select type of trusted entity → Another AWS account → enter the OperationsAccount ID → name it rds-lambda-ecs-role. Note that the console writes a trust policy whose principal is the OperationsAccount root (arn:aws:iam::<OperationsAccountID>:root), which lets any principal in that account assume the role; it is narrowed to the specific EC2 role in a later step.

Create an IAM role in OperationsAccount that has a trust relationship with the EC2 service.

Log in to the Operations AWS account → IAM → Roles → Create role → Select type of trusted entity → AWS service → EC2 → Create the IAM role → name it ProductionAssumeEC2Role.

Create an AssumeRole IAM policy in OperationsAccount and attach it to the role above. The Resource in the policy is the ARN of the ProductionAccount role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<ProductionAccountID>:role/rds-lambda-ecs-role"
        }
    ]
}

Attach ProductionAssumeEC2Role to the EC2 instance in OperationsAWSAccount as its instance profile.

Log in to ProductionAccount, open rds-lambda-ecs-role → Edit trust relationship, and replace the account-level principal with the ARN of the OperationsAccount EC2 role, so that only that role (not every principal in OperationsAccount) can assume it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<OperationsAccountID>:role/ProductionAssumeEC2Role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Figure: Cross-Account Connectivity Implementation
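The two policy documents above are the two halves of one handshake: the identity policy in OperationsAccount must name the Production role as its Resource, and the trust policy on that Production role must name the Operations role as its Principal. The following Python is an added example, not code from the original post: it generates both documents from two account IDs and role names and cross-checks them, flagging the console's default account-root trust as overly broad. The account IDs 111111111111 and 222222222222 and the helper names are assumptions for illustration.

```python
# Added example, not code from the original post: generate the two policy
# documents of the cross-account handshake and cross-check that they refer
# to each other. Account IDs, role names and helper names are assumptions.
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role/.+|root)$")


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def arn_account(arn):
    """Account ID of an IAM role or account-root ARN, or None if malformed."""
    m = ROLE_ARN_RE.match(arn)
    return m.group(1) if m else None


def assume_role_policy(target_role_arn):
    """Identity policy attached to the EC2 role in the Operations account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeProductionRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def trust_policy(caller_role_arn):
    """Trust policy on the role in the Production account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": caller_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _allows_assume(statement):
    if statement.get("Effect") != "Allow":
        return False
    # IAM matches action names case-insensitively; sts:* and * also cover it.
    return any(a.lower() in ("sts:assumerole", "sts:*", "*")
               for a in _as_list(statement.get("Action")))


def check_handshake(caller_role_arn, target_role_arn, identity_policy, trust_doc):
    """Return a list of problems; an empty list means both halves agree."""
    problems = []

    # Caller side: the Operations role must be allowed to call sts:AssumeRole
    # on the Production role ARN (or a wildcard that covers it).
    if not any(_allows_assume(st)
               and any(r in (target_role_arn, "*") for r in _as_list(st.get("Resource")))
               for st in identity_policy.get("Statement", [])):
        problems.append("identity policy does not allow sts:AssumeRole on " + target_role_arn)

    # Target side: the Production role's trust policy must name the caller.
    trusted = False
    for st in trust_doc.get("Statement", []):
        if not _allows_assume(st):
            continue
        principal = st.get("Principal") or {}
        aws_principals = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws_principals):
            if p == caller_role_arn:
                trusted = True
            elif p.endswith(":root") and arn_account(p) == arn_account(caller_role_arn):
                # Console default for "Another AWS account": every principal in
                # that account may assume the role. Works, but too broad.
                trusted = True
                problems.append("trust policy trusts the whole account " + p
                                + "; narrow it to " + caller_role_arn)
    if not trusted:
        problems.append("trust policy does not trust " + caller_role_arn)
    return problems


if __name__ == "__main__":
    ops = role_arn("111111111111", "ProductionAssumeEC2Role")   # assumed IDs
    prod = role_arn("222222222222", "rds-lambda-ecs-role")
    print(json.dumps(assume_role_policy(prod), indent=2))
    print(json.dumps(trust_policy(ops), indent=2))
    print(check_handshake(ops, prod, assume_role_policy(prod), trust_policy(ops)))
```

Run it with the real account IDs before you click Save in the console: an empty problem list means the Resource on the Operations side and the Principal on the Production side match, which is the condition for the AssumeRole call in the next section to succeed.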

Testing the AssumeRole & Connectivity

Log in to the EC2 instance in OperationsAccount via SSH or SSM Session Manager to get a shell prompt.

You can test this using two different approaches:

Approach 1: Use the AWS STS assume-role command to obtain temporary ProductionAccount credentials. It runs with the instance's own role (ProductionAssumeEC2Role), which is what the Production trust policy expects:

aws sts assume-role --role-arn arn:aws:iam::<ProductionAccountID>:role/rds-lambda-ecs-role --role-session-name test --region <your aws region>

It returns an access key ID, a secret access key, and a session token; export them as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN in your shell. All three are required: the session token is what distinguishes temporary credentials from a long-lived key pair. They expire at the Expiration time in the response (one hour by default), after which you run assume-role again. With them exported, you can create and manage resources in the Production account.
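Turning the assume-role response into shell exports by hand is where most mistakes happen (a forgotten session token, expired credentials reused). The Python below is an added example, not code from the original post: it takes the JSON that aws sts assume-role prints, maps the Credentials block to the three environment variables, refuses an incomplete set, and checks expiry. The sample response is constructed in the shape STS returns, with fake keys and an assumed account ID of 222222222222.

```python
# Added example, not code from the original post: map `aws sts assume-role`
# output to AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN and
# check expiry. The sample below is constructed; the keys are fake.
import json
from datetime import datetime, timezone

SAMPLE_ASSUME_ROLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "exampleSecretKeyDoNotUse0000000000000000",
    "SessionToken": "FwoGZXIvYXdzEXAMPLEtokenEXAMPLEtokenEXAMPLE",
    "Expiration": "2021-04-24T13:00:00+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEEXAMPLE12:test",
    "Arn": "arn:aws:sts::222222222222:assumed-role/rds-lambda-ecs-role/test"
  }
}"""

ENV_MAP = {  # STS field -> variable read by the AWS CLI and SDKs
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def credentials_env(assume_role_json):
    """Map the Credentials block to the three env vars; all must be present."""
    creds = json.loads(assume_role_json)["Credentials"]
    missing = [k for k in ENV_MAP if not creds.get(k)]
    if missing:
        # Temporary credentials are a triple: a key pair without the session
        # token is rejected by AWS, so fail here rather than export a partial set.
        raise ValueError("assume-role output missing " + ", ".join(missing))
    return {env: creds[field] for field, env in ENV_MAP.items()}


def expires_at(assume_role_json):
    """Expiration as a timezone-aware datetime (STS returns ISO 8601 UTC)."""
    exp = json.loads(assume_role_json)["Credentials"]["Expiration"]
    return datetime.fromisoformat(exp)


def is_expired(assume_role_json, now=None):
    """True once the credentials are no longer valid; re-run assume-role then."""
    now = now or datetime.now(timezone.utc)
    return now >= expires_at(assume_role_json)


def export_lines(assume_role_json):
    """Shell lines to eval; single quotes keep '/' and '+' in the token intact."""
    return ["export %s='%s'" % (k, v)
            for k, v in credentials_env(assume_role_json).items()]


def assumed_role_session(assume_role_json):
    """(account, role, session) parsed from the AssumedRoleUser ARN. This is
    what `aws sts get-caller-identity` should report after the exports."""
    arn = json.loads(assume_role_json)["AssumedRoleUser"]["Arn"]
    parts = arn.split(":")
    _, role, session = parts[5].split("/")
    return parts[4], role, session


if __name__ == "__main__":
    if is_expired(SAMPLE_ASSUME_ROLE_OUTPUT):
        print("# sample credentials have expired; run assume-role again")
    for line in export_lines(SAMPLE_ASSUME_ROLE_OUTPUT):
        print(line)
    print("# expect get-caller-identity to show", assumed_role_session(SAMPLE_ASSUME_ROLE_OUTPUT))
```

After evaluating the export lines, run aws sts get-caller-identity: its Arn should be the assumed-role ARN in ProductionAccount (the account, role and session name returned by assumed_role_session), not the instance role in OperationsAccount. If it still shows the OperationsAccount role, the session token was not exported.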

Approach 2: Use an AWS config profile whose role_arn is the ProductionAccount role and whose credential_source is Ec2InstanceMetadata. The CLI then uses the EC2 instance role (ProductionAssumeEC2Role) to assume the ProductionAccount role for you, and refreshes the temporary credentials automatically, so there is nothing to export.

Example AWS Config Profile:

[profile prod-cross-role]
role_arn = arn:aws:iam::<ProductionAccountID>:role/rds-lambda-ecs-role
credential_source = Ec2InstanceMetadata

Note that role_arn is the role to be assumed in ProductionAccount, not the instance's own role in OperationsAccount; the instance role is picked up from instance metadata. Select the profile with --profile prod-cross-role on each command, or by setting AWS_PROFILE=prod-cross-role.


Praveen Muppala

Multi-Cloud Architect, Managed Services Cloud - Tech Lead at Hitachi Vantara. Very passionate about Cloud Computing, Containers, K8S, DevOps, & Serverless Tech.