Enabling Cross-Account Resource Access With IAM Role Trust Relationships

Introduction

In this guide, we will enable cross-account resource access between two AWS accounts using IAM role trust relationships. This setup is useful when you need to allow resources in one AWS account to access resources in another account securely.

Step-by-Step Explanation

Step 1: Create an IAM Role in the Target Account

First, we will create an IAM role in the target AWS account (Account B) that principals in the source AWS account (Account A) are allowed to assume.

  1. Define the IAM role with a trust policy (its assume-role policy) that names Account A as the trusted principal.
  2. Attach a permissions policy to the IAM role that grants only the access to Account B resources that the role actually needs.
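The trust policy is the security boundary of this whole setup, so it is worth generating and checking it in code before it is handed to IAM. The following TypeScript is an added example, not code from the original page or from Pulumi: it builds a cross-account trust policy for a given principal in Account A, optionally adding an sts:ExternalId condition (the standard confused-deputy guard), and lints a policy for account-wide or wildcard trust with no condition. The account ids, role name and external id are constructed placeholders.

```typescript
// Added example: build and lint an IAM role trust policy for cross-account access.
// All account ids, ARNs and the external id below are constructed placeholders.

interface TrustStatement {
    Effect: "Allow" | "Deny";
    Principal: { AWS: string | string[] } | "*";
    Action: string | string[];
    Condition?: Record<string, Record<string, string | string[]>>;
}

interface TrustPolicy {
    Version: "2012-10-17";
    Statement: TrustStatement[];
}

// Trust a specific principal in the source account; when an external id is supplied,
// require the caller to present it via the sts:ExternalId condition key.
function buildTrustPolicy(trustedPrincipalArn: string, externalId?: string): TrustPolicy {
    const statement: TrustStatement = {
        Effect: "Allow",
        Principal: { AWS: trustedPrincipalArn },
        Action: "sts:AssumeRole",
    };
    if (externalId !== undefined) {
        statement.Condition = { StringEquals: { "sts:ExternalId": externalId } };
    }
    return { Version: "2012-10-17", Statement: [statement] };
}

// Return human-readable findings for an overly broad trust policy; [] means none found.
function lintTrustPolicy(policy: TrustPolicy): string[] {
    const findings: string[] = [];
    for (const s of policy.Statement) {
        if (s.Effect !== "Allow") continue;
        const principals: string[] =
            s.Principal === "*" ? ["*"] : ([] as string[]).concat(s.Principal.AWS);
        for (const p of principals) {
            if (p === "*") {
                findings.push('statement trusts any AWS principal (Principal "*")');
            } else if (/^arn:aws:iam::\d{12}:root$/.test(p) && s.Condition === undefined) {
                // ":root" means every principal in that account that has sts:AssumeRole.
                findings.push(
                    `account-wide trust of ${p} with no Condition; prefer a specific role ARN or add sts:ExternalId`,
                );
            }
        }
    }
    return findings;
}

// Constructed demo values.
const CONSTRUCTED_ACCOUNT_A = "111122223333";
const broadPolicy = buildTrustPolicy(`arn:aws:iam::${CONSTRUCTED_ACCOUNT_A}:root`);
const narrowPolicy = buildTrustPolicy(
    `arn:aws:iam::${CONSTRUCTED_ACCOUNT_A}:role/app-reader`,
    "constructed-external-id-42",
);

console.log(JSON.stringify(narrowPolicy, null, 2));
console.log(lintTrustPolicy(broadPolicy));  // one finding: account-wide trust without a Condition
console.log(lintTrustPolicy(narrowPolicy)); // []
```

The output of `buildTrustPolicy` is plain JSON, so it can be passed to `JSON.stringify` as the `assumeRolePolicy` of the Pulumi `aws.iam.Role` shown later on this page; running `lintTrustPolicy` first catches the `:root`-without-condition pattern before it reaches the account.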

Step 2: Assume the IAM Role from the Source Account

Next, we will configure the workloads in Account A to assume the IAM role created in Account B.

  1. Call STS AssumeRole through the AWS SDK, passing the role's ARN, to obtain temporary security credentials.
  2. Use those temporary credentials (not Account A's own long-lived credentials) to access resources in Account B.

Step 3: Verify the Setup

Finally, we will verify that the workloads in Account A can access the resources in Account B through the assumed role.

  1. Test the access by performing the permitted actions on the resources in Account B, and confirm that actions outside the attached policy are denied.
  2. Ensure that the AssumeRole calls and the subsequent actions are logged in CloudTrail for auditing purposes.
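Checking CloudTrail is the part of this step most often skipped, so here is a small, added TypeScript example (not from the original page or from Pulumi) of what that review looks like in code: it takes CloudTrail records, keeps the STS `AssumeRole` events that target the cross-account role, and reports any caller whose account is not the one the trust policy was meant to admit. The records, account ids and role ARN are constructed for the example; a real run would feed it records exported from CloudTrail.

```typescript
// Added example: review CloudTrail records for AssumeRole activity on the cross-account role.
// Every record, account id and ARN below is constructed for illustration.

interface CloudTrailRecord {
    eventSource: string;
    eventName: string;
    eventTime: string;
    recipientAccountId: string;
    errorCode?: string;
    userIdentity: { type: string; accountId: string; arn?: string };
    requestParameters?: { roleArn?: string; externalId?: string };
}

interface AssumeRoleSummary {
    eventTime: string;
    callerArn: string;
    callerAccountId: string;
    succeeded: boolean;
    errorCode?: string;
}

// Constructed values standing in for Account A (trusted) and Account B (target).
const TRUSTED_ACCOUNT_A = "111122223333";
const TARGET_ROLE_ARN = "arn:aws:iam::444455556666:role/targetAccountRole";

// Constructed records: a successful assume from Account A, a denied attempt from an
// unexpected account, and an unrelated S3 event that must be ignored.
const constructedRecords: CloudTrailRecord[] = [
    {
        eventSource: "sts.amazonaws.com", eventName: "AssumeRole",
        eventTime: "2024-01-15T10:00:00Z", recipientAccountId: "444455556666",
        userIdentity: { type: "AssumedRole", accountId: TRUSTED_ACCOUNT_A,
            arn: `arn:aws:sts::${TRUSTED_ACCOUNT_A}:assumed-role/app-reader/i-0constructed` },
        requestParameters: { roleArn: TARGET_ROLE_ARN },
    },
    {
        eventSource: "sts.amazonaws.com", eventName: "AssumeRole",
        eventTime: "2024-01-15T10:05:00Z", recipientAccountId: "444455556666",
        errorCode: "AccessDenied",
        userIdentity: { type: "IAMUser", accountId: "999988887777",
            arn: "arn:aws:iam::999988887777:user/constructed-user" },
        requestParameters: { roleArn: TARGET_ROLE_ARN },
    },
    {
        eventSource: "s3.amazonaws.com", eventName: "GetObject",
        eventTime: "2024-01-15T10:06:00Z", recipientAccountId: "444455556666",
        userIdentity: { type: "AssumedRole", accountId: "444455556666" },
    },
];

// Keep only AssumeRole calls aimed at the given role and summarize who made them.
function summarizeAssumeRole(records: CloudTrailRecord[], roleArn: string): AssumeRoleSummary[] {
    return records
        .filter(r => r.eventSource === "sts.amazonaws.com"
            && r.eventName === "AssumeRole"
            && r.requestParameters?.roleArn === roleArn)
        .map(r => ({
            eventTime: r.eventTime,
            callerArn: r.userIdentity.arn ?? "(unknown)",
            callerAccountId: r.userIdentity.accountId,
            succeeded: r.errorCode === undefined, // CloudTrail sets errorCode only on failure
            errorCode: r.errorCode,
        }));
}

// Any caller outside the trusted account is worth a look, whether or not the call succeeded.
function findUntrustedCallers(summaries: AssumeRoleSummary[], trustedAccountId: string): AssumeRoleSummary[] {
    return summaries.filter(s => s.callerAccountId !== trustedAccountId);
}

const summaries = summarizeAssumeRole(constructedRecords, TARGET_ROLE_ARN);
console.log(summaries);                                        // two AssumeRole events
console.log(findUntrustedCallers(summaries, TRUSTED_ACCOUNT_A)); // the denied 999988887777 caller
```

A successful assume from the trusted account is the expected steady state; a denied attempt from another account is evidence that the trust policy did its job but also that someone knows the role ARN, which is the kind of finding the audit step exists to surface.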

Conclusion

By following these steps, you can enable cross-account resource access using IAM role trust relationships. The trust policy limits who may assume the role and the attached permissions policy limits what the role may do, so only authorized principals in Account A reach the resources in Account B, and every assumption is recorded in CloudTrail.

Full Code Example

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Target Account (Account B) IAM Role.
// Deploy this stack with credentials for Account B; replace <AccountA-ID> with the
// 12-digit id of the source account.
const targetAccountRole = new aws.iam.Role("targetAccountRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: {
                    // ":root" trusts every principal in Account A that is itself allowed
                    // to call sts:AssumeRole; use a specific role ARN or add an
                    // sts:ExternalId Condition to narrow this where possible.
                    AWS: "arn:aws:iam::<AccountA-ID>:root"
                },
                Action: "sts:AssumeRole"
            }
        ]
    })
});

// Attach a permissions policy to the role granting read-only access to one bucket in Account B
const rolePolicy = new aws.iam.RolePolicy("rolePolicy", {
    role: targetAccountRole.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                Resource: [
                    "arn:aws:s3:::example-bucket",
                    "arn:aws:s3:::example-bucket/*"
                ]
            }
        ]
    })
});

// Outputs: the role ARN is what callers in Account A pass to sts:AssumeRole
export const roleArn = targetAccountRole.arn;
export const rolePolicyId = rolePolicy.id;
