See the AWS doc for details:
http://docs.aws.amazon.com/IAM/latest/UserGuide/walkthru_cross-account-with-roles.html
(only comment is: use export ENVIRONMENT_VAR instead of set)
IAM Role on target account:
Create the cross-account role and its policy, and take note of the role ARN (arn:aws:iam::123456789012:role/cross-account-Prod).
IAM User profile on the account that will use the role (policy that lets the user assume it):
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::123456789012:role/cross-account-Prod"
  }
}
On a Linux instance, do the following:
1. aws configure to configure the user keys
2. aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/cross-account-Prod" --role-session-name "Zoran-ProdAcct"
3. set the environment variables from the assume-role output:
# Temp file for the assume-role output; clear any credentials already in the environment first
TOKEN=/tmp/sts.$$
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/cross-account-Prod" --role-session-name "ZG-ProdAcct" > "$TOKEN"
# Pull the temporary credentials out of the JSON response (field 4 between double quotes is the value)
export AWS_ACCESS_KEY_ID=$(grep AccessKeyId "$TOKEN" | cut -d'"' -f4)
export AWS_SECRET_ACCESS_KEY=$(grep SecretAccessKey "$TOKEN" | cut -d'"' -f4)
export AWS_SESSION_TOKEN=$(grep SessionToken "$TOKEN" | cut -d'"' -f4)
# The file holds live credentials; remove it once they are in the environment
rm -f "$TOKEN"
Can also use an instance role rather than a user profile; in that case:
1. no need for aws configure (as there is no user associated with the profile)
2. steps 2-3 above
For S3 bucket cross-account access, the S3 bucket policy on the target account (the principal is the account that will use the bucket):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "whatever",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123123:root"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::zoranbucket",
        "arn:aws:s3:::zoranbucket/*"
      ]
    }
  ]
}
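A small bucket-policy linter, added here as an example (not part of the post), that catches the mistakes that creep in when a policy like the one above is typed by hand: a stray space in a resource ARN, an account ID that is not 12 digits, a wildcard principal, or s3:ListBucket without the bucket ARN. The sample policy and its account ID are constructed for the example.

```python
import json
import re

# Principal ARNs a bucket policy should name: an account root, or a user/role in that account.
PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d+):(root|user/.+|role/.+)$")
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl"}

# Constructed sample: the bucket policy from the post with two hand-editing mistakes introduced,
# a 15-digit (hypothetical) account ID in the principal and a trailing space in the object ARN.
SAMPLE_BUCKET_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "whatever",
 "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123123123123123:root"},
 "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"],
 "Resource": ["arn:aws:s3:::zoranbucket", "arn:aws:s3:::zoranbucket/* "]}]}"""

def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_s3_bucket_policy(policy_text):
    """Return a list of problems found in a bucket policy; an empty list means it passed."""
    problems = []
    for stmt in _as_list(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in aws_principals:
            if arn == "*":
                problems.append(f"{sid}: Principal '*' grants access to everyone (public bucket)")
                continue
            match = PRINCIPAL_ARN.match(arn)
            if not match or len(match.group(1)) != 12:  # AWS account IDs are exactly 12 digits
                problems.append(f"{sid}: malformed principal ARN {arn!r}")
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            if res != res.strip():  # a stray space makes the ARN match nothing
                problems.append(f"{sid}: resource {res!r} has surrounding whitespace")
        actions = set(_as_list(stmt.get("Action", [])))
        has_bucket_arn = any(re.fullmatch(r"arn:aws:s3:::[^/]+", r) for r in resources)
        has_object_arn = any(re.fullmatch(r"arn:aws:s3:::[^/]+/.+", r) for r in resources)
        # s3:ListBucket is evaluated against the bucket ARN, object actions against bucket/*
        if "s3:ListBucket" in actions and not has_bucket_arn:
            problems.append(f"{sid}: s3:ListBucket needs the bucket ARN (arn:aws:s3:::bucket)")
        if actions & OBJECT_ACTIONS and not has_object_arn:
            problems.append(f"{sid}: object actions need the object ARN (arn:aws:s3:::bucket/*)")
    return problems
```

Run it against the policy JSON before `aws s3api put-bucket-policy`; a clean policy returns an empty list.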
IAM User profile on the account that will use the bucket (policy attached to the user):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "whateveryoulike",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::zoranbucket",
        "arn:aws:s3:::zoranbucket/*"
      ]
    }
  ]
}