somaz edited this page Oct 23, 2024 · 15 revisions

1. AWS Assume Role

AWS Assume Role is a way to obtain temporary security credentials (access keys, secret access keys, and session tokens) to access AWS resources in another account or with different permissions within the same account.

  • The sts:AssumeRole action allows you to assume a role that exists in another AWS account or within your own account. When you assume a role, you temporarily gain the permissions associated with that role.
  • Cross-account access: You can assume a role in another AWS account to access resources in that account.
  • Within the same account: Assume a role with different permissions than the user or service executing the current command.

Example of using Assume Role

The following is how to use Assume Role to grant account A access to account B's EKS resources.

1. Create IAM Role in Account B

  • 1-1. Create an IAM role in Account B with a trust policy that allows Account A to assume this role. This role grants permission to manage EKS resources in Account B.

Example trust policy for the AssumeRole role in Account B (123456789012 is Account A's ID; JSON does not allow inline comments, so the note is kept out of the document):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  • 1-2. Attach EKS permissions to the role in Account B. Attach required EKS policies, such as AmazonEKSClusterPolicy or custom permissions, to the role to manage EKS resources.

2. Create an IAM policy in Account A

  • 2-1. In Account A, create an IAM policy that allows users or services in Account A to assume roles in Account B.

Example Account A policy (the Resource is the ARN of the role in Account B):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111122223333:role/EKSAdminRole"
    }
  ]
}
  • 2-2. Attach this policy to the required user, group, or role in Account A.

3. Assuming the role in Account A

  • 3-1. A user or service that has the Assume Role policy in Account A can now assume the role in Account B using the AWS CLI, SDK, or AWS Console.

AWS CLI example:

aws sts assume-role \
  --role-arn arn:aws:iam::111122223333:role/EKSAdminRole \
  --role-session-name eks-session
  • This command provides temporary credentials (access key, secret key, and session token) that Account A can use to access and manage EKS resources in Account B.

4. Using temporary credentials for access

  • 4-1. After assuming the role, you can use your temporary credentials to interact with EKS resources in Account B with the permissions of Account A.

Example of updating kubeconfig to manage an EKS cluster in Account B:

aws eks --region us-west-2 update-kubeconfig --name eks-cluster \
  --role-arn arn:aws:iam::111122223333:role/EKSAdminRole
  • You can now use kubectl from Account A to manage the EKS cluster in Account B.
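The four steps above, as an added Python example (not the wiki author's code): it builds the Account B trust policy, checks a trust policy for principals broader than Account A, and maps an STS AssumeRole response to the environment variables the AWS CLI and kubectl's `aws eks get-token` plugin read. The STS client is passed in (a `boto3.client("sts")` in practice); the account IDs and role name are the page's placeholders.

```python
from datetime import datetime, timezone

# Account IDs and role name as used on this page (placeholders, not real accounts).
ACCOUNT_A = "123456789012"   # account whose principals assume the role
ACCOUNT_B = "111122223333"   # account that owns EKSAdminRole
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/EKSAdminRole"


def trust_policy(trusted_account: str) -> dict:
    """Trust policy for the role in Account B: only `trusted_account` may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole"}]}


def trust_policy_problems(policy: dict, expected_account: str) -> list:
    """Review check: list principals that let anyone other than `expected_account`
    call sts:AssumeRole (wildcards or foreign account IDs)."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*":
                problems.append("wildcard principal: any AWS account may assume this role")
            elif expected_account not in arn:
                problems.append(f"unexpected principal: {arn}")
    return problems


def assume_role_env(sts, role_arn: str, session_name: str) -> dict:
    """Call STS AssumeRole (boto3 client, or a stub with the same method) and map the
    temporary credentials to the env vars the AWS CLI and kubectl's aws plugin read."""
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"],
            "EXPIRATION": creds["Expiration"]}


def seconds_remaining(expiration: datetime, now=None) -> int:
    """Seconds until the temporary credentials expire (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return int((expiration - now).total_seconds())
```

Export the three `AWS_*` values into the shell (or a kubeconfig `exec` env block) before running kubectl against the Account B cluster, and re-assume the role before `seconds_remaining` reaches zero.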
