1. Create User (User1A) in Account-A
   - Get AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
2. Create Group in Account-A
3. Create Role (MyRoleB) in Account-B with the permissions you want the user to have (example bucket permissions):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::{yourbucketname}",
        "arn:aws:s3:::{yourbucketname}/*"
      ]
    }
  ]
}
```
3.1 Add the following as the Trust Relationship for the Role in Account-B:
> NOTE: When using a group policy, setting the *user* as the principal won't work.
> Also, it seems that we're unable to assign a *group* as the principal as of 2019-09.
> See:
> https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{ACCOUNT-A}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
4. Create Policy for the group in Account-A allowing AssumeRole for the defined Role (MyRoleB) in Account-B:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "123",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::{Account-B}:role/MyRoleB"
      ]
    }
  ]
}
```
5. Create the awscli/boto3 config and profile for the created user (User1A). The role_arn must be the same role the group policy above allows (MyRoleB), and source_profile names the profile holding User1A's keys:

~/.aws/config

```ini
[default]
region = ap-northeast-1
output = json

[profile myprofile]
role_arn = arn:aws:iam::{Account-B}:role/MyRoleB
region = ap-northeast-1
source_profile = default
```

~/.aws/credentials

```ini
[default]
aws_access_key_id = {User1A AWS_ACCESS_KEY_ID}
aws_secret_access_key = {User1A AWS_SECRET_ACCESS_KEY}
```
6. Test the resource you want to allow access to via your role, using the profile that assumes it:

```sh
# if it's an s3 bucket
aws s3 ls s3://{yourbucketname} --profile myprofile
```

This command should succeed.
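The three pieces above (the trust relationship in Account-B, the group policy in Account-A and the CLI profile) only work when they agree with each other, and a mismatch usually surfaces as an opaque AccessDenied from STS. As an added example, not part of the original note, here is a small offline consistency check in Python that catches the common mistakes: a role_arn in the profile that the group policy does not allow, a trust policy that does not trust Account-A, a missing source_profile, and a trust policy that uses the wildcard principal. The account ids and the sample documents are constructed placeholders; the profile name myprofile and the role name MyRoleB are taken from the steps above.

```python
import configparser

def _as_list(v):
    """IAM accepts a bare string where a list is expected; normalise to a list."""
    return [v] if isinstance(v, str) else list(v or [])

def check_assume_role_chain(trust_policy, group_policy, aws_config_text, profile, account_a):
    """Return the problems found in the Account-A -> Account-B chain ([] means consistent)."""
    problems = []
    # Role ARNs the Account-A group may assume (step 4 policy)
    allowed = set()
    for st in group_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            allowed.update(_as_list(st.get("Resource")))
    if not allowed:
        problems.append("group policy in Account-A grants no sts:AssumeRole")
    # Principals the Account-B role trusts (step 3.1 trust relationship)
    trusted = set()
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            p = st.get("Principal", {})
            trusted.update(_as_list(p) if isinstance(p, str) else _as_list(p.get("AWS")))
    if "*" in trusted:
        problems.append("trust policy lets any AWS account assume the role")
    if not trusted & {f"arn:aws:iam::{account_a}:root", account_a}:
        problems.append(f"trust policy does not trust Account-A ({account_a})")
    # The CLI profile (step 5) must name a role the group policy allows
    cfg = configparser.ConfigParser()
    cfg.read_string(aws_config_text)
    section = f"profile {profile}"
    if not cfg.has_section(section):
        return problems + [f"no [{section}] section in config"]
    role_arn = cfg.get(section, "role_arn", fallback=None)
    if role_arn not in allowed:
        problems.append(f"role_arn {role_arn} is not allowed by the group policy")
    src = cfg.get(section, "source_profile", fallback=None)
    if src is None or not cfg.has_section("default" if src == "default" else f"profile {src}"):
        problems.append(f"source_profile {src!r} is not defined in config")
    return problems

# Constructed sample inputs mirroring the steps above (account ids are placeholders)
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"}]}
GROUP = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["arn:aws:iam::222222222222:role/MyRoleB"]}]}
CONFIG = "[default]\nregion = ap-northeast-1\n\n[profile myprofile]\nrole_arn = arn:aws:iam::222222222222:role/MyRoleB\nsource_profile = default\n"

if __name__ == "__main__":
    print(check_assume_role_chain(TRUST, GROUP, CONFIG, "myprofile", "111111111111"))
```

Run it against your real ~/.aws/config and the two policy documents exported from the console before testing with the CLI; an empty list means the chain is consistent.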