- AWS Certified Security:Specialty Exam Guide
- Stuart Scott
- 2021-06-11 18:13:18
Configuring cross-account access
To allow an identity from another AWS account to access resources in your account, you need to create a role that grants the required access.
Imagine we have two AWS accounts—account A (the trusting account) and account B (the trusted account). User Stuart using account B needs to have access to your Relational Database Service (RDS) database in account A:

To configure this access, we need a new cross-account access role, which will need to be configured as follows.
Creating a cross-account access role
Execute the following steps to create a cross-account access role:
- From the trusting account (in our example, this is account A), open IAM from the AWS management console.
- Select Roles from the menu, and then select Create Role.
- Select Another AWS account as the trusted identity.
- You must then enter the trusted AWS account ID; in this case, this is the ID for account B:

- Click on Next: Permissions.
- We can now add the permissions we want the role to have. I have selected AmazonRDSFullAccess, as shown:

- Once the permissions have been selected, select Next: Tags.
- For this demonstration, we don’t need to add any tags, so click on Next: Review.
- Add a role name—we will call it CrossAccountRDS—and then click Create Role:

- Select the CrossAccountRDS role in the list of roles to display additional information about it. From here, select the Trust relationships tab:

- You can see that the account that we listed is under Trusted entities. However, we need to narrow this access down to a specific user (Stuart) within that account, ensuring that only Stuart can assume the role. To do this, select Edit Trust Relationship.
- This will open up a policy editor that will allow us to directly edit the JSON policy. We now need to change the Principal line from "AWS": "arn:aws:iam::356903128354:root" to "AWS": "arn:aws:iam::356903128354:user/Stuart".
- This ensures that the only principal that can assume the role is user Stuart within the 356903128354 AWS account:

Now that we have configured a cross-account role and associated the trust relationship between two different accounts, we need to create a policy to allow an identity to assume this role.
Creating a policy to assume the cross-account role
For Stuart to assume this role via the AWS management console, he also needs permission to call sts:AssumeRole on it. This is granted by a policy attached to his identity in the trusted account, which looks as follows:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::730739171055:role/CrossAccountRDS"
    }
}
This policy's Action grants the Security Token Service (STS) AssumeRole permission against the role resource in the trusting account. You can also use wildcards in the ARN of Resource. If you wanted Stuart to be able to assume any role in the trusting account, you could use * as a wildcard, which would then look as follows:
"Resource": "arn:aws:iam::730739171055:role/*"
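The two policies above (the trust policy narrowed from the account root to user Stuart, and the identity policy granting sts:AssumeRole, including its wildcard form) as an added Python example; this is not code from the book. It builds both documents using the page's account IDs and role name, flags trust policies that still name an account root or *, and checks whether a given role ARN matches the Resource patterns of the assume-role policy. The audit helpers, the simplified matcher (Allow statements only, no Deny or Condition evaluation) and all function names are my own assumptions.

```python
import json
import re

# Account IDs taken from the page: the trusting account owns the role,
# the trusted account contains user Stuart.
TRUSTING_ACCOUNT = "730739171055"
TRUSTED_ACCOUNT = "356903128354"
ROLE_NAME = "CrossAccountRDS"


def trust_policy(principal_arn: str) -> dict:
    """Trust (assume-role) policy attached to the role in the trusting account.

    The console writes the whole trusted account ("...:root") by default; passing
    "arn:aws:iam::356903128354:user/Stuart" narrows it to one user, as the page does.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def assume_role_policy(role_arn: str) -> dict:
    """Identity policy for the user in the trusted account (the page's second policy)."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        },
    }


def _statements(policy: dict) -> list:
    # IAM accepts "Statement" as either a single object or a list of objects.
    stmt = policy.get("Statement", [])
    return stmt if isinstance(stmt, list) else [stmt]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def overly_broad_trust(policy: dict) -> list:
    """Return the principals in a trust policy that are broader than one IAM user or role.

    Flags the account root ("...:root" or a bare 12-digit account ID), which lets every
    principal in that account whose own policy allows sts:AssumeRole take the role,
    and "*", which means any AWS principal at all.
    """
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("*")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or arn.endswith(":root") or re.fullmatch(r"\d{12}", arn):
                findings.append(arn)
    return findings


def _arn_pattern_to_regex(pattern: str) -> str:
    # IAM Resource ARNs support * (any run of characters) and ? (one character).
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def can_assume(policy: dict, role_arn: str) -> bool:
    """Check whether the user's identity policy allows sts:AssumeRole on role_arn.

    Simplified evaluator: only Allow statements are considered; Deny statements
    and Condition blocks are not modelled.
    """
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for pattern in _as_list(stmt.get("Resource", [])):
            if re.fullmatch(_arn_pattern_to_regex(pattern), role_arn):
                return True
    return False


if __name__ == "__main__":
    role = f"arn:aws:iam::{TRUSTING_ACCOUNT}:role/{ROLE_NAME}"
    wide = trust_policy(f"arn:aws:iam::{TRUSTED_ACCOUNT}:root")
    narrow = trust_policy(f"arn:aws:iam::{TRUSTED_ACCOUNT}:user/Stuart")
    print("root trust findings:", overly_broad_trust(wide))    # ['arn:aws:iam::356903128354:root']
    print("user trust findings:", overly_broad_trust(narrow))  # []
    print(json.dumps(assume_role_policy(role), indent=4))
    print(can_assume(assume_role_policy(f"arn:aws:iam::{TRUSTING_ACCOUNT}:role/*"), role))  # True
```

Running overly_broad_trust over the trust policies of every role in the trusting account is a cheap periodic check that nobody has widened a trust back to the account root after it was narrowed to a single user.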
At this point, the cross-account role has been created, along with a policy that allows user Stuart to assume it. The last step in this process is to assume the role and so obtain the temporary permissions it grants.
Assuming the cross-account role
Now that I have assigned this policy allowing Stuart to assume the specific role, he can perform the following steps to assume the CrossAccountRDS role:
- From within the trusted account, Stuart can select the drop-down list in the top-right corner that shows the AWS account.
- Select Switch Role, as in the following screenshot:

- Enter the AWS account number of the trusting account (account A), which is where the role exists.
- Enter the name of the role, CrossAccountRDS, and click Switch Role.
- To show you that the role has been assumed, the drop-down list from which you selected Switch Role initially will have changed to something similar to what is shown in the following screenshot, displaying the role name and which account it exists in:

In this section, we looked at how to create, configure, and assume a temporary set of credentials in the form of a cross-account access role. By assuming a role, we can access resources in a different account without having an additional IAM user created within that account.
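The Switch Role procedure above is the console front end for a single STS AssumeRole call. The same switch performed from a script or scheduled job, as an added example that is not code from the book: the STS client is injectable, and the FakeSts class is a constructed stand-in that returns the real AssumeRole response shape, so the block runs without AWS access. The session name, the placeholder credential values and the helper names are my own assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values from the page: the role lives in the trusting account (A); Stuart is in account B.
TRUSTING_ACCOUNT = "730739171055"
ROLE_NAME = "CrossAccountRDS"


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assume_cross_account_role(arn: str, session_name: str, sts_client=None,
                              duration_seconds: int = 3600) -> dict:
    """Call STS AssumeRole on the cross-account role and return temporary credentials.

    sts_client is injectable so the function can run without AWS access; when it is
    None a real boto3 STS client is created (boto3 is imported lazily for that reason).
    RoleSessionName becomes the last element of the assumed-role ARN that CloudTrail
    records in the trusting account, so use a name that identifies the person or job.
    """
    if sts_client is None:
        import boto3  # only needed against a real account
        sts_client = boto3.client("sts")
    resp = sts_client.assume_role(
        RoleArn=arn,
        RoleSessionName=session_name,
        DurationSeconds=duration_seconds,
    )
    # Sanity check: the returned identity must be this role in the trusting account.
    account = arn.split(":")[4]
    name = arn.rsplit("/", 1)[1]
    assumed = resp["AssumedRoleUser"]["Arn"]
    if not assumed.startswith(f"arn:aws:sts::{account}:assumed-role/{name}/"):
        raise RuntimeError(f"unexpected assumed-role ARN: {assumed}")
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def seconds_until_expiry(credentials: dict, now: Optional[datetime] = None) -> float:
    """Remaining lifetime of the temporary credentials in seconds (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (credentials["expiration"] - now).total_seconds()


class FakeSts:
    """Constructed stand-in for boto3's STS client; returns the real AssumeRole response shape."""

    def __init__(self, now: Optional[datetime] = None):
        self.now = now or datetime.now(timezone.utc)
        self.calls = []  # every AssumeRole request, kept for inspection

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        account = kwargs["RoleArn"].split(":")[4]
        name = kwargs["RoleArn"].rsplit("/", 1)[1]
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEKEYID",  # placeholder values, not real credentials
                "SecretAccessKey": "example-secret",
                "SessionToken": "example-token",
                "Expiration": self.now + timedelta(seconds=kwargs["DurationSeconds"]),
            },
            "AssumedRoleUser": {
                "AssumedRoleId": "AROAEXAMPLEID:" + kwargs["RoleSessionName"],
                "Arn": f"arn:aws:sts::{account}:assumed-role/{name}/{kwargs['RoleSessionName']}",
            },
        }


if __name__ == "__main__":
    sts = FakeSts()  # pass None instead to call the real STS endpoint with your own AWS credentials
    creds = assume_cross_account_role(role_arn(TRUSTING_ACCOUNT, ROLE_NAME), "stuart-rds-maintenance", sts)
    print(sts.calls[0]["RoleArn"])               # arn:aws:iam::730739171055:role/CrossAccountRDS
    print(seconds_until_expiry(creds, sts.now))  # 3600.0
    # With real credentials, an RDS client in account A would be built as:
    # boto3.Session(**{k: v for k, v in creds.items() if k != "expiration"}).client("rds")
```

The check on the AssumedRoleUser ARN is cheap insurance that the credentials handed back belong to the expected role in the expected account, and the session name is what you will search for in the trusting account's CloudTrail when tracing what was done with them.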