In AWS, to access resources in another account without creating new IAM users or distributing long-lived credentials, you can use sts:AssumeRole: a principal in one account assumes a role in the other and receives temporary credentials scoped to that role.
Let's say that you have resources in AccountA (an Amazon Managed Service for Prometheus workspace, for example) that you want to access from AccountB.

Account A
In AccountA create a role account_a_role that carries two kinds of policy:
- a Trust Relationship (the role's trust policy) that defines which principals may assume this role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRoleFromAccountB",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_B_ID:role/account_b_role"
},
"Action": "sts:AssumeRole"
}
]
}
You can also add a Condition block to narrow who may assume the role (for example requiring an sts:ExternalId that the caller must pass, or aws:PrincipalOrgID to limit callers to your organization). For principals authenticated by a web identity provider (OIDC) the trust policy instead names a Federated principal and allows sts:AssumeRoleWithWebIdentity. One caveat: IAM stores the principal as its unique ID, so if account_b_role is deleted and recreated the trust policy will show a stale ID instead of the ARN and must be updated.
- a Permission Policy that defines what this role can do, for example aps:remoteWrite to the Managed Prometheus workspace
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PrometheusRemoteWrite",
"Effect": "Allow",
"Action": [
"aps:remoteWrite"
],
"Resource": "aws_managed_prometheus_arn"
}
]
}
Account B
In AccountB, create a role account_b_role with a single policy (for this purpose) that allows it to assume account_a_role in AccountA. Across accounts both sides must agree: the trust policy in AccountA names account_b_role, and account_b_role's own permission policy must allow sts:AssumeRole on account_a_role; if either is missing the AssumeRole call fails with AccessDenied.
- a Permission Policy that grants the sts:AssumeRole permission on that role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AssumeAccountARole",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::ACCOUNT_A_ID:role/account_a_role"
}
]
}
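The two-account setup above, worked through end to end as an added example (not code from the original post): it generates the trust policy for account_a_role (with an optional sts:ExternalId condition), the permission policies for both roles, an offline check that models why both the trust policy and the caller's identity policy must allow the assumption across accounts, and the AssumeRole call itself through a boto3-style STS client. The account IDs, region, workspace ID, ExternalId value, session name and the StubStsClient are assumptions for illustration; with a real boto3.client("sts") the same assume_account_a_role call returns live temporary credentials.

```python
"""Cross-account AssumeRole from AccountB into AccountA: both policies plus an
offline check of the pairing. Added example, not code from the original post.
Assumed (not in the post): the account IDs, region, workspace ID, ExternalId
value, session name, and StubStsClient standing in for boto3.client("sts")."""
import fnmatch

ACCOUNT_A_ID, ACCOUNT_B_ID = "111111111111", "222222222222"  # placeholders (assumed)
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A_ID}:role/account_a_role"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B_ID}:role/account_b_role"
APS_WORKSPACE_ARN = f"arn:aws:aps:eu-west-1:{ACCOUNT_A_ID}:workspace/ws-0000"  # assumed
EXTERNAL_ID = "prom-remote-write-b-to-a"  # assumed; agreed out of band


def trust_policy_for_account_a(external_id=None):
    """Trust policy on account_a_role: only account_b_role may assume it, and with
    external_id set the caller must also present that sts:ExternalId."""
    stmt = {"Sid": "AllowAssumeRoleFromAccountB", "Effect": "Allow",
            "Principal": {"AWS": ROLE_B_ARN}, "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def permission_policy_for_account_a():
    """What account_a_role may do once assumed: remote write to one AMP workspace."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PrometheusRemoteWrite", "Effect": "Allow",
        "Action": ["aps:RemoteWrite"], "Resource": APS_WORKSPACE_ARN}]}


def assume_role_policy_for_account_b():
    """Identity policy on account_b_role: may call AssumeRole on account_a_role only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AssumeAccountARole", "Effect": "Allow",
        "Action": ["sts:AssumeRole"], "Resource": ROLE_A_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    """IAM-style wildcard match ('*' and '?') of value against any of the patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def cross_account_assume_allowed(caller_arn, caller_policy, target_role_arn,
                                 trust_policy, external_id=None):
    """Simplified model of the cross-account evaluation: the target role's trust
    policy must allow the caller (including any sts:ExternalId condition) AND the
    caller's identity policy must allow sts:AssumeRole on the target role. Within
    one account the trust policy alone suffices; across accounts both are needed.
    Explicit Deny statements and other condition keys are not modelled."""
    trusted = False
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _matches("sts:AssumeRole", stmt.get("Action", [])):
            continue
        if caller_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            trusted = True
            break
    permitted = any(s.get("Effect") == "Allow"
                    and _matches("sts:AssumeRole", s.get("Action", []))
                    and _matches(target_role_arn, s.get("Resource", []))
                    for s in caller_policy["Statement"])
    return trusted and permitted


def assume_account_a_role(sts_client, external_id=EXTERNAL_ID, session_name="prom-remote-write"):
    """Call AssumeRole through a boto3-style STS client (boto3.client("sts") for real)
    and return the temporary credentials as boto3.Session keyword arguments."""
    kwargs = {"RoleArn": ROLE_A_ARN, "RoleSessionName": session_name, "DurationSeconds": 3600}
    if external_id:
        kwargs["ExternalId"] = external_id
    creds = sts_client.assume_role(**kwargs)["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


class StubStsClient:
    """Constructed stand-in for boto3's STS client so the example runs offline: it
    applies the same pairing check STS would and hands back fake credentials."""

    def __init__(self, caller_arn=ROLE_B_ARN, caller_policy=None, trust_policy=None):
        self.caller_arn = caller_arn
        self.caller_policy = caller_policy or assume_role_policy_for_account_b()
        self.trust_policy = trust_policy or trust_policy_for_account_a(EXTERNAL_ID)

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600, ExternalId=None):
        if not cross_account_assume_allowed(self.caller_arn, self.caller_policy,
                                            RoleArn, self.trust_policy, ExternalId):
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
        return {"Credentials": {"AccessKeyId": "ASIAFAKEACCESSKEY",  # fake values
                                "SecretAccessKey": "fake", "SessionToken": "fake-token"}}


if __name__ == "__main__":
    print(assume_account_a_role(StubStsClient()))
```

The check deliberately fails when the ExternalId is omitted, when account_b_role's identity policy lacks sts:AssumeRole on account_a_role, or when a role the trust policy does not name tries to assume it; those are the three misconfigurations that produce AccessDenied in practice.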
IRSA or Pod Identities
This topic is not covered in this post, but if you want an EKS service account to assume an AWS role in order to do the above, take a look at EKS Pod Identities and IAM roles for service accounts (IRSA).