Assume Role Authentication to Create Resources in Different AWS Accounts
Day 6
In modern cloud infrastructures, it’s common to have multiple AWS accounts to ensure better isolation, security, and manageability of resources. However, managing resources across multiple accounts can be tricky if you don’t have a centralized way of accessing them. This is where AWS IAM (Identity and Access Management) Roles come in handy. Specifically, Assume Role Authentication enables users or services to securely gain temporary access to resources in other AWS accounts.
In this blog, we’ll dive into how Assume Role Authentication works, why it’s useful for managing resources across different AWS accounts, and how you can implement it effectively.
What is Assume Role Authentication?
AWS IAM allows you to create roles that define a set of permissions. These roles can be assumed by trusted entities (like other IAM users, services, or federated users). When an entity assumes a role, it temporarily acquires the permissions defined in that role. This is useful when you need to allow access to resources across different AWS accounts securely, without creating IAM users in each account.
For example, imagine your organization has separate AWS accounts for development, testing, and production environments. Instead of creating IAM users in every account (which can be cumbersome to manage), you can create a role in the target account that grants necessary permissions. Then, users in the source account can assume that role to perform specific actions in the target account.
How to Implement Assume Role Authentication
To set up Assume Role Authentication, follow these steps:
Step 1: Create the Role in the Target Account
First, create an IAM role in the target account that specifies the permissions it will grant when assumed.
- Sign in to the AWS Management Console for the target account.
- Navigate to IAM and select Roles.
- Click Create role.
- Choose Another AWS account as the trusted entity and enter the Account ID of the source account.
- Attach the required policies that define the permissions for the role (e.g., permissions to create resources like EC2, S3, etc.).
- Review the role and give it a descriptive name, such as CrossAccountAccessRole.
Step 2: Create a Trust Relationship in the Target Account
Once the role is created, you need to set a trust policy to allow users or services in the source account to assume the role.
In the Trust Relationship tab of the role:
- Modify the trust policy to look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Source_Account_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
This allows the source account (identified by <Source_Account_ID>) to assume the role and gain the permissions you defined. Note that the Version value must be written with plain hyphens ("2012-10-17"); IAM rejects a policy document whose Version string differs from that.
Step 3: Assume the Role from the Source Account
Now, users or services in the source account can assume the role and gain access to the target account’s resources.
You can use the AWS CLI, SDKs, or Terraform to assume the role programmatically. For example, to assume the role via the AWS CLI, run the following command:
aws sts assume-role --role-arn arn:aws:iam::<Target_Account_ID>:role/CrossAccountAccessRole --role-session-name MySession
This will return temporary security credentials (Access Key ID, Secret Access Key, and Session Token), which can be used to authenticate API requests to the target account.
In Terraform, you can configure the provider to assume a role like so:
provider "aws" {
  region = "us-west-2"

  # The caller's normal credentials are used only to call sts:AssumeRole;
  # every API request this provider makes then runs under the target-account role.
  assume_role {
    role_arn     = "arn:aws:iam::<Target_Account_ID>:role/CrossAccountAccessRole"
    session_name = "TerraformSession"
  }
}
Once the role is assumed, you can interact with the target account as if you were a user in that account, creating or managing resources as required.
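As an added example (not part of the original post), a small Python script that builds the Step 2 trust policy, checks it for the two mistakes that most often break or over-open cross-account trust (a mistyped Version string and a wildcard principal), and maps the Step 3 assume-role response to the environment variables the CLI and SDKs read. The account id and credential values are constructed placeholders.

```python
import re

SOURCE_ACCOUNT_ID = "111111111111"  # placeholder source account id (constructed, not real)

def build_trust_policy(source_account_id):
    """Trust policy from Step 2: principals in the source account may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",  # plain hyphens; IAM rejects any other Version string
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def check_trust_policy(policy):
    """Return a list of problems (empty means sane). Flags a mistyped Version and a
    wildcard principal, which would let any AWS account assume the role."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append(f"Version {policy.get('Version')!r} is not '2012-10-17'")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        entries = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for p in entries:
            if p == "*":
                problems.append("Principal '*' lets every AWS account assume this role")
            elif not re.fullmatch(r"arn:aws:iam::\d{12}:(root|user/.+|role/.+)", p):
                problems.append(f"unexpected principal {p!r}")
    return problems

def credentials_env(assume_role_response):
    """Map the `aws sts assume-role` response from Step 3 to the environment
    variables the CLI and SDKs read, so later calls run as the assumed role."""
    creds = assume_role_response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }

# Constructed sample in the shape STS returns; the key material is fake.
SAMPLE_RESPONSE = {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLESECRET", "SessionToken": "EXAMPLETOKEN"}}
```

Running check_trust_policy over the policy as it appeared in the post, with en dashes in the Version string, reports the Version problem before the policy is ever submitted to IAM.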
Conclusion
Assume Role Authentication is an efficient way to manage resources across different AWS accounts. By allowing users to assume roles with defined permissions, you can centralize your IAM management and improve security. With the right configuration, this approach provides a scalable and secure solution for your multi-account AWS environment.
In the next blog, we’ll dive into another useful approach: using an EC2 instance with attached roles to run Terraform and manage your AWS infrastructure.