Hi,
We have a situation where an application running in a k8s environment in one account has to access Athena and the Glue Data Catalog in a different account.
Since these two accounts are managed in two different ecosystems, we are looking to make it easy for ourselves to access Athena and run queries as a cross-account IAM role.
We are aware of this: https://docs.aws.amazon.com/athena/latest/ug/security-iam-cross-account-glue-catalog-access.html
but we are looking to see if this is even possible.
Details below:
1. An app runs in account A (k8s environment) using IRSA role A, which will have sts:AssumeRole on a role in Account B; the role name is B.
2. In Account B, role B is created with a trust policy for Account A, and its policy allows Athena and Glue access (let's assume all permissions).
3. The app creates a new AWS session using the new credentials and session token from the assumed AccountB-roleB, and calls Athena/Glue/S3 to do stuff.
While I haven't tried it yet, I just want to know if I am missing anything and whether it is worth trying out.
Please provide why or why not this is feasible, with more material and pointers.
Thanks
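The three steps in the post, as an added Python/boto3 example that is not the poster's code: the two IAM policy documents, a scoping check on role B's trust policy, and the AssumeRole-then-query flow. The account ids, the `irsa-role-A` / `role-B` names and the ExternalId are constructed placeholders; `assume_role_b` accepts any STS client with boto3's `assume_role` signature, so the policy helpers and the check run without AWS credentials.

```python
# Constructed placeholder account ids and role names (not from the post).
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/irsa-role-A"  # IRSA role bound to the pod
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/role-B"       # role the pod assumes

def role_a_permissions_policy() -> dict:
    """Attached to role A: it may assume role B and nothing else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B_ARN}]}

def role_b_trust_policy(external_id: str) -> dict:
    """Trust role A itself (not account A's :root); ExternalId is an optional extra guard."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_A_ARN},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def trust_policy_is_scoped(policy: dict) -> bool:
    """Defender check: each trusting principal is a role ARN, never '*' or ':root'."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or p.endswith(":root"):
                return False
    return True

def assume_role_b(sts_client, external_id: str, session_name="pod-from-account-a") -> dict:
    """Swap role A's IRSA credentials for role B's temporary credentials (step 1)."""
    resp = sts_client.assume_role(RoleArn=ROLE_B_ARN, RoleSessionName=session_name,
                                  ExternalId=external_id, DurationSeconds=3600)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration

def athena_session(creds: dict, region: str):
    """Step 3: a boto3 session that acts as role B inside account B."""
    import boto3  # imported lazily so the policy helpers above work without boto3
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"], region_name=region)

def start_query(session, sql: str, database: str, output_s3: str) -> str:
    """Role B needs Athena, Glue read on the catalog and s3 write on output_s3;
    the results bucket is in account B, so no cross-account bucket policy is needed."""
    athena = session.client("athena")
    return athena.start_query_execution(
        QueryString=sql,
        QueryExecutionContext={"Database": database, "Catalog": "AwsDataCatalog"},
        ResultConfiguration={"OutputLocation": output_s3})["QueryExecutionId"]
```

Once the pod holds role B's credentials it is a principal in account B, so the Glue catalog resource policy from the linked page is not required for this path; that policy matters only when Athena in account A queries B's catalog directly.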