Cross account assume role inside organization

0

Hi, I have an AWS organization with multiple accounts (root_account, account_1, account_2, ... account_n). What I'm trying to do is, starting from a user in root_account, be able to assume a role in any of the other organization accounts (account_x). In every account_x I've created a role account_example_role with the following trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<root_account_id>:role/root_example_role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

while in root_account I have the role root_example_role with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::<account_1>:role/account_example_role",
                "arn:aws:iam::<account_2>:role/account_example_role",
                ...
                "arn:aws:iam::<account_x>:role/account_example_role"
            ]
        }
    ]
}

and this seems to work, but it's hard to maintain.

I was wondering if there is a way to specify an organization wide role arn inside the root_example_role policy, something like this:

"Resource": "arn:aws:organizations::<root_account_id>:organization/o-<org-ID>/role/account_example_role"

so that it's no longer needed to update the root_example_role policy for every new account in the organization.
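An added example (not code from the asker or from either answer) for the maintenance problem described above: it regenerates the explicit-resource root_example_role policy from the organization's account list and reports drift, meaning member accounts that have no grant yet, grants left behind for accounts that are no longer in the organization, and any wildcard resource entries. The account IDs and the "current" policy are constructed placeholders; the list_org_account_ids helper is the only part that touches AWS and assumes boto3 plus credentials in the management account.

```python
"""Generate and drift-check the root_example_role policy from the organization's account list."""
import json
from typing import Iterable

ROLE_NAME = "account_example_role"  # role name used in the question


def role_arn(account_id: str, role_name: str = ROLE_NAME) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_assume_role_policy(account_ids: Iterable[str], role_name: str = ROLE_NAME) -> dict:
    """Explicit-resource policy for root_example_role: one role ARN per member account.

    Resources are de-duplicated and sorted so regenerated documents diff cleanly."""
    resources = sorted({role_arn(a, role_name) for a in account_ids})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": resources}
        ],
    }


def policy_resources(policy: dict) -> set:
    """Collect every Resource ARN from Allow statements that grant sts:AssumeRole."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        res = stmt.get("Resource", [])
        found.update([res] if isinstance(res, str) else res)
    return found


def policy_drift(policy: dict, account_ids: Iterable[str], role_name: str = ROLE_NAME) -> dict:
    """Compare the policy with the current account list.

    missing:  accounts in the organization that the policy does not yet cover
    stale:    explicit grants for accounts that are no longer in the organization
    wildcard: resource entries containing '*' (review these by hand)"""
    wanted = {role_arn(a, role_name) for a in account_ids}
    have = policy_resources(policy)
    return {
        "missing": sorted(wanted - have),
        "stale": sorted(r for r in have - wanted if "*" not in r),
        "wildcard": sorted(r for r in have if "*" in r),
    }


# Constructed sample data: made-up 12-digit account IDs, not real accounts.
SAMPLE_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]

# Constructed "current" policy: covers two of the three accounts plus one that left the org.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Resource": [
            "arn:aws:iam::111111111111:role/account_example_role",
            "arn:aws:iam::222222222222:role/account_example_role",
            "arn:aws:iam::999999999999:role/account_example_role",
        ],
    }],
}


def list_org_account_ids() -> list:
    """Live account list from AWS Organizations (assumes boto3 and management-account credentials).

    The import is kept inside the function so the pure checks above run offline."""
    import boto3  # assumed runtime dependency, not needed for the offline functions
    org = boto3.client("organizations")
    ids = []
    for page in org.get_paginator("list_accounts").paginate():
        ids.extend(a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE")
    return ids


if __name__ == "__main__":
    print(json.dumps(build_assume_role_policy(SAMPLE_ACCOUNTS), indent=4))
    print(policy_drift(CURRENT_POLICY, SAMPLE_ACCOUNTS))
```

Run the drift check from a scheduled job or CI against the real account list (swap SAMPLE_ACCOUNTS for list_org_account_ids()) and fail the job when "missing" or "stale" is non-empty; the "stale" list is the one that matters for least privilege, since a grant to a role in an account that has left the organization is a standing permission nobody is tracking.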

2 answers
0

I wonder if a Global condition would work in this situation. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/account_example_role"
            ],
            "Condition": { "StringEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}"  }  }
        }
    ]
}
AWS Expert
kentrad
answered a year ago
  • Thank you for your answer, but it doesn't seem to work :(

    I get this error:

    This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more
    

    And if I open the Show more menu I find this warning:

    aws:ResourceOrgID   One or more conditions do not have an applicable action.
    

    It seems that ResourceOrgId (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid) isn't available for every action, but it should work for sts actions.

  • This is the policy I tried:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession"
                ],
                "Resource": "arn:aws:iam::*:role/account_example_role",
                "Condition": { "StringEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}"  }  }
            }
        ]
    }
    
0

IAM roles are linked to a particular AWS account and not to the whole organization. So you still need to mention each account's role ARN in the root_example_role policy.

answered a year ago
  • Hi, thank you for your answer, but I don't fully get it. I know that roles are bound to an account and not to an organization, but so are other resources too, and I am still able to grant permissions to a particular resource in an organization using conditions (e.g. PrincipalOrgID).

    What's the difference with roles?
