AWS cross-account access based on IAM Role permissions allows resources in one AWS account to securely access resources in another AWS account. This is achieved by creating a Role in the current account (account A) that defines the permissions needed, and then allowing users or resources in another account (account B) to assume that Role.

Create Policy permissions for Kublr cluster installation in account A

Based on this article, create the IAM Policy with the permissions required for cluster installation:

  • Access AWS Console → IAM → Policies → Create Policy
  • Choose the JSON tab, paste the policy document, enter a policy name and save.

Create Role with permissions for Kublr cluster installation in account A

  • Access AWS Console → IAM → Roles → Create Role
  • Choose Trusted entity type → Custom trust policy and trust this account (A); the options available depend on your company's AWS security settings. Use the following trust policy (the empty Condition block can be omitted):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{Account_ID_A}:user/{User_Name}"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
  • Add permissions → Choose the Policy created earlier
  • Review details and Create role.  


Assign Role for User in account A

  • Create Policy for Assuming Role
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::{Account_ID_A}:role/{Role_Name}"
    }
}
  • Attach this Policy to the User in account A
  • In the Kublr UI, add or edit credentials with the Role ARN and verify that the connection succeeds

Assign Role for User in account B

  • For the Role in account A, edit Trusted entities → add the User from account B → Update policy. Because the second principal is in another account, consider also requiring an sts:ExternalId condition on that statement so that only callers who know the agreed value can assume the Role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{Account_ID_A}:user/{User_Name}"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{Account_ID_B}:user/{User_Name}"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
  • For the User in account B, create a Policy for assuming the Role from account A
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::{Account_ID_A}:role/{Role_Name}"
    }
}
  • Attach this Policy to the User in account B
  • In the Kublr UI, add or edit credentials for the User in account B with the Role ARN and verify that the connection succeeds
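The steps above rely on two separate decisions: the Role's trust policy in account A must name the caller, and the caller's own identity policy (in account A or B) must allow sts:AssumeRole on the Role ARN; either one alone is not enough. The following Python example is added here and is not Kublr's code. It evaluates both halves offline for the policies in this article and audits the trust policy for the two things a reviewer would flag: a wildcard principal, and a cross-account principal trusted without an sts:ExternalId condition. The account IDs, role and user names and the ExternalId value are constructed placeholders, and the evaluator models only Effect, Principal, Action, Resource, explicit Deny and the ExternalId condition, not full IAM evaluation.

```python
"""Offline model of the two IAM decisions behind this cross-account setup.
Added example, not Kublr's code; account IDs, names and the ExternalId are
constructed placeholders.  A caller may assume the role only if (1) the role's
trust policy in account A allows the caller AND (2) the caller's identity policy
allows sts:AssumeRole on the role ARN.  Only Effect/Principal/Action/Resource,
explicit Deny and a StringEquals sts:ExternalId condition are modelled.
"""
import fnmatch

ACCOUNT_A = "111111111111"  # constructed: account that owns the role
ACCOUNT_B = "222222222222"  # constructed: account whose user assumes it
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/KublrClusterRole"
USER_A = f"arn:aws:iam::{ACCOUNT_A}:user/kublr-admin"
USER_B = f"arn:aws:iam::{ACCOUNT_B}:user/kublr-admin"
EXTERNAL_ID = "kublr-ext-4711"  # constructed; agreed out of band with account B

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _account_of(arn):
    """Account ID field of an IAM ARN ('*' and malformed values give None)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None

def _action_matches(statement, action):
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(statement.get("Action")))

def _principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS"))

def _external_id_required(statement):
    return statement.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")

def trust_policy_allows(trust_policy, caller_arn, external_id=None):
    """Resource side: does the role in account A trust this caller?
    A trust policy may name the caller ARN, its account root, or '*'."""
    account = _account_of(caller_arn)
    accepted = {caller_arn, f"arn:aws:iam::{account}:root", "*"}
    allowed = False
    for st in _as_list(trust_policy["Statement"]):
        required = _external_id_required(st)
        if not (_action_matches(st, "sts:AssumeRole")
                and accepted & set(_principals(st))
                and (required is None or required == external_id)):
            continue
        if st.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def identity_policy_allows(identity_policy, role_arn):
    """Identity side: may the caller invoke sts:AssumeRole on this role ARN?"""
    allowed = False
    for st in _as_list(identity_policy["Statement"]):
        resources = _as_list(st.get("Resource"))
        if not (_action_matches(st, "sts:AssumeRole")
                and any(fnmatch.fnmatchcase(role_arn, r) for r in resources)):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def can_assume(trust_policy, identity_policy, caller_arn, role_arn, external_id=None):
    """Both halves must allow; a trust policy alone never grants access."""
    return (trust_policy_allows(trust_policy, caller_arn, external_id)
            and identity_policy_allows(identity_policy, role_arn))

def audit_trust_policy(trust_policy, role_account_id):
    """Reviewer findings: wildcard trust, or a cross-account principal
    trusted without an sts:ExternalId condition (confused-deputy exposure)."""
    findings = []
    for st in _as_list(trust_policy["Statement"]):
        if st.get("Effect") != "Allow" or not _action_matches(st, "sts:AssumeRole"):
            continue
        for p in _principals(st):
            if p == "*":
                findings.append("wildcard principal '*': any AWS account may assume the role")
            elif _account_of(p) != role_account_id and _external_id_required(st) is None:
                findings.append(f"cross-account principal {p} trusted without sts:ExternalId")
    return findings

# Constructed trust policy for the role in account A: the article's second trust
# policy, with an ExternalId condition added for the account-B user.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": USER_A}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": USER_B}, "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}},
    ],
}

# Constructed identity policy: the article's "Policy for Assuming Role".
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
}

if __name__ == "__main__":
    print("A:", can_assume(TRUST_POLICY, ASSUME_ROLE_POLICY, USER_A, ROLE_ARN))
    print("B, no ExternalId:", can_assume(TRUST_POLICY, ASSUME_ROLE_POLICY, USER_B, ROLE_ARN))
```

With these inputs the account-A user is allowed, the account-B user is allowed only when the matching ExternalId is presented, and a user whose identity policy lacks sts:AssumeRole is refused even though the trust policy names them. Feeding the article's own second trust policy (empty Condition blocks) to audit_trust_policy reports the account-B principal as trusted without an ExternalId, which is the caveat to weigh before using it as-is.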


Now both users can create, edit and delete clusters, limited by the permissions granted to the Role and by the assume-role Policies attached to them.

Individual IAM Role session settings are described in this article; feel free to use them as well.