Wednesday, 12 October 2016

AWS cross account IAM privileges

Allow an EC2 role in account 111111111111 to have read-only privileges in account 222222222222:

On the trusting AWS account (222222222222), i.e. the account whose resources are being read:
1. Create new IAM policy:
aws iam create-policy --policy-name readonly-policy --policy-document file://policy.json
policy.json file (note that this is broader than a metadata-only read: s3:Get* and kinesis:GetRecords return data, and support:* is not read-only):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullPolicy",
            "Action": [
                "autoscaling:Describe*",
                "cloudformation:DescribeStacks",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudfront:List*",
                "cloudfront:GetDistributionConfig",
                "cloudfront:GetStreamingDistributionConfig",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "cloudsearch:Describe*",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:Describe*",
                "datapipeline:ListPipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:Describe*",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "ec2:Describe*",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "ecs:ListServices",
                "ecs:DescribeServices",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:List*",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "iam:Get*",
                "iam:List*",
                "iam:GenerateCredentialReport",
                "kinesis:ListStreams",
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "lambda:ListFunctions",
                "rds:Describe*",
                "rds:List*",
                "redshift:Describe*",
                "redshift:ViewQueriesInConsole",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "s3:Get*",
                "s3:GetNotificationConfiguration",
                "s3:List*",
                "ses:ListIdentities",
                "ses:GetSendStatistics",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:GetSendQuota",
                "sdb:ListDomains",
                "sdb:DomainMetadata",
                "support:*",
                "swf:ListClosedWorkflowExecutions",
                "swf:ListDomains",
                "swf:ListActivityTypes",
                "swf:ListWorkflowTypes",
                "sns:GetSnsTopic",
                "sns:GetTopicAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "workspaces:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

2. Create the new cross-account role (the role name chosen here must match the role ARN referenced by the trusted account's policy and by the assume-role call further below):
aws iam create-role --role-name crossaccount-role --assume-role-policy-document file://trust.json
trust.json file (the sts:ExternalId condition exists to prevent the confused-deputy problem, so a real deployment should use a random, non-guessable value rather than 12345):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "12345"
        }
      }
    }
  ]
}

3. Attach the previously created policy to the role:
aws iam attach-role-policy --role-name crossaccount-role --policy-arn "arn:aws:iam::222222222222:policy/readonly-policy"   # the Arn value printed by create-policy in step 1



On the trusted AWS account (111111111111), i.e. the account that owns the EC2 instance:
1. Create new IAM policy:
aws iam create-policy --policy-name crossaccount-policy --policy-document file://policy.json
policy.json file:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/crossaccount-readonly"
    }
}


2. Create the new IAM role for the EC2 instance:
aws iam create-role --role-name crossaccount-ec2role --assume-role-policy-document file://trust.json
trust.json file:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


3. Attach the previously created policy to the role:
aws iam attach-role-policy --role-name crossaccount-ec2role --policy-arn "arn:aws:iam::111111111111:policy/crossaccount-policy"   # the Arn value printed by create-policy in step 1



On the EC2 instance running with the crossaccount-ec2role IAM role:
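#######################################
# Assume the cross-account role and export its temporary credentials
# into the current shell. Must be run in the current shell (not a
# subshell or a separate script) for the exports to take effect.
# Globals:   acct    (read) - role session name
#            acctnum (read) - id of the account that owns the role
#            role    (read) - name of the role to assume
#            accteid (read) - external id required by the role's trust policy
#            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (written)
# Outputs:   error message on stderr when the STS call fails
# Returns:   0 on success, 1 if sts assume-role fails or returns no credentials
#######################################
assumerole ()
{
  local creds key secret token
  # Clear credentials from an earlier call so the STS request is signed with
  # the instance role rather than an expired or foreign session token.
  unset AWS_ACCESS_KEY_ID
  unset AWS_SECRET_ACCESS_KEY
  unset AWS_SESSION_TOKEN
  # --query/--output text yields one tab-separated line, so the credentials
  # stay in memory instead of being written to a predictable file under
  # /dev/shm and parsed with grep/cut.
  creds=$(aws sts assume-role \
            --role-arn "arn:aws:iam::${acctnum}:role/${role}" \
            --role-session-name "$acct" \
            --external-id "$accteid" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text) || {
    printf 'assumerole: sts assume-role failed for %s\n' "$acct" >&2
    return 1
  }
  IFS=$'\t' read -r key secret token <<<"$creds"
  # Refuse to export partial credentials (e.g. an empty or malformed response).
  if [[ -z "$key" || -z "$secret" || -z "$token" ]]; then
    printf 'assumerole: no credentials returned for %s\n' "$acct" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$key"
  export AWS_SECRET_ACCESS_KEY="$secret"
  export AWS_SESSION_TOKEN="$token"
}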


# Inputs read by assumerole(): the role to assume, the account that owns it,
# the external id from its trust policy, and the session name to use.
role='crossaccount-readonly'
acctnum='222222222222'
accteid='12345'
acct='trusting-account'
# Exports AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN.
assumerole


Or, even easier, let the CLI assume the role itself:
The CLI config file on Linux is usually ~/.aws/config; add a profile such as:
[profile trusting-account]
region = us-east-1
role_arn = arn:aws:iam::222222222222:role/crossaccount-readonly
external_id = 12345
source_profile = default
