Creating an IAM Role for Cross-Account Access
Introduction
In AWS, Identity and Access Management (IAM) roles define a set of permissions that can be assumed by entities you trust. Cross-account access lets identities in one AWS account (the trusted account) assume a role that lives in another account (the trusting account) and use that role's permissions on the trusting account's resources, without sharing long-lived credentials. In this lesson, we will learn how to create an IAM role for cross-account access.
Prerequisites
Before we begin, make sure you have the following prerequisites:
- An AWS account with administrative access
- AWS Command Line Interface (CLI) installed and configured
- Basic knowledge of AWS CDK with TypeScript
Creating an IAM Role for Cross-Account Access using AWS CDK with TypeScript
Step 1: Install AWS CDK
If you haven’t already installed AWS CDK, you can do so by running the following command:
npm install -g aws-cdk
Step 2: Set up a new AWS CDK project
Create a new directory for your project and initialize a new AWS CDK project:
mkdir cross-account-role
cd cross-account-role
cdk init app --language=typescript
Step 3: Define the IAM role in your CDK stack
Open the lib/cross-account-role-stack.ts file in your project directory and define the IAM role using the following code:
import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';

export class CrossAccountRoleStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Trust policy: identities in the given account may call sts:AssumeRole on this role.
    // Replace the value with the account ID of the trusted account (not the account you deploy to).
    const role = new iam.Role(this, 'CrossAccountRole', {
      assumedBy: new iam.AccountPrincipal('123456789012'),
    });

    // Permissions the role grants once assumed. Scope them to the specific resources in
    // this (trusting) account that the other account needs; replace <BUCKET_NAME>.
    role.addToPolicy(new iam.PolicyStatement({
      actions: ['s3:GetObject', 's3:ListBucket'],
      resources: ['arn:aws:s3:::<BUCKET_NAME>', 'arn:aws:s3:::<BUCKET_NAME>/*'],
    }));
  }
}
Step 4: Deploy the CDK stack
Deploy the CDK stack by running the following commands:
cdk bootstrap
cdk deploy
Step 5: Test the IAM role
After deploying the CDK stack, test the role by assuming it from the trusted account. Run the command with credentials that belong to the trusted account (the account ID you passed to AccountPrincipal); the account ID in the role ARN is the account the stack was deployed to, which is where the role exists:
aws sts assume-role --role-arn arn:aws:iam::<ROLE_ACCOUNT_ID>:role/CrossAccountRole --role-session-name TestSession
A successful call returns temporary credentials (AccessKeyId, SecretAccessKey, SessionToken) for the role. The call is also recorded as an AssumeRole event in CloudTrail in the role's account, which is where you should look when verifying or investigating cross-account activity.
Creating an IAM Role for Cross-Account Access using AWS CLI Commands
Step 1: Create a trust policy
Create a trust policy document in JSON format. The trust policy does not grant resource permissions; it only states which principal (here, the trusted account) is allowed to call sts:AssumeRole on the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Step 2: Create the IAM role
Save the document as trust-policy.json and create the IAM role using it:
aws iam create-role --role-name CrossAccountRole --assume-role-policy-document file://trust-policy.json
Step 3: Attach permissions to the IAM role
Attach permissions to the IAM role by adding policies to it. The example below attaches an AWS managed policy; the permissions attached here are what the role can do once assumed, so keep them to the minimum the other account needs:
aws iam attach-role-policy --role-name CrossAccountRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Step 4: Test the IAM role
Test the IAM role by assuming it with the AWS CLI, using credentials from the trusted account. The account ID in the role ARN is the account in which you ran create-role, not the trusted account named in the trust policy:
aws sts assume-role --role-arn arn:aws:iam::<ROLE_ACCOUNT_ID>:role/CrossAccountRole --role-session-name TestSession
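The trust policy in Step 1 trusts the whole account (the :root principal) and sets no conditions. The following added example, which is not part of this lesson or of any AWS library, builds a narrower trust policy that names one role in the trusted account and requires an sts:ExternalId condition, and audits a trust policy document for those two weaknesses. All ARNs and the external ID are constructed sample values.

```typescript
// Added example (not from the lesson): build a hardened trust policy and audit an
// existing one. All ARNs and the external ID below are constructed sample values.
type Statement = {
  Effect: "Allow" | "Deny";
  Principal: { AWS: string | string[] };
  Action: string | string[];
  Condition?: Record<string, Record<string, string>>;
};
type TrustPolicy = { Version: "2012-10-17"; Statement: Statement[] };

// Trust one specific role in the trusted account rather than the whole account, and
// optionally require sts:ExternalId (mitigates the confused-deputy problem when a
// third party assumes the role).
function buildTrustPolicy(trustedRoleArn: string, externalId?: string): TrustPolicy {
  const stmt: Statement = {
    Effect: "Allow",
    Principal: { AWS: trustedRoleArn },
    Action: "sts:AssumeRole",
  };
  if (externalId) stmt.Condition = { StringEquals: { "sts:ExternalId": externalId } };
  return { Version: "2012-10-17", Statement: [stmt] };
}

// Return one finding per risky pattern; an empty array means nothing was flagged.
function auditTrustPolicy(doc: TrustPolicy): string[] {
  const findings: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const principals = Array.isArray(s.Principal.AWS) ? s.Principal.AWS : [s.Principal.AWS];
    for (const p of principals) {
      if (p === "*") {
        findings.push("wildcard principal: any AWS account may assume the role");
      } else if (/:root$/.test(p)) {
        findings.push(`account-wide principal ${p}: every identity in that account with sts:AssumeRole can assume the role`);
      }
    }
    const cond = s.Condition ?? {};
    const hasExternalId = Object.keys(cond).some((k) => "sts:ExternalId" in cond[k]);
    if (!hasExternalId) findings.push("no sts:ExternalId condition");
  }
  return findings;
}

// The lesson's trust policy, reproduced here as a constructed sample input for the audit.
const lessonTrustPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:root" }, Action: "sts:AssumeRole" }],
};
```

Running auditTrustPolicy on the lesson's document reports both the account-wide principal and the missing external ID; the document returned by buildTrustPolicy with an external ID reports nothing.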
Conclusion
In this lesson, we learned how to create an IAM role for cross-account access in AWS. We covered the steps to set up the role using AWS CDK with TypeScript and provided the equivalent AWS CLI commands. Key learnings from this lesson include understanding the concept of cross-account access, defining IAM roles with trust policies that name the trusted account, attaching permissions separately from the trust policy, and testing the roles using the AWS CLI. By following these steps, you can manage permissions and access control across multiple AWS accounts without sharing long-lived credentials.