2 Answers
1
Session Manager does not support cross-account access. You're correct that instances are associated with just one account (generally for EC2 instances the account they're running in). You will need to assume a Role in account B (for example, from your user/role in account A) before starting the session.
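The manual path the answer describes, as an added example rather than code from the answer: assume a role in account B with credentials from account A, export the temporary STS credentials, then start the session. The profile name `account-a`, the role ARN `arn:aws:iam::222222222222:role/SSMSessionRole` and the account IDs are assumptions; the role in account B must trust account A and allow `ssm:StartSession` on the target, and the Session Manager plugin must be installed locally.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed names:
#   SOURCE_PROFILE  a CLI profile holding account A's credentials
#   ROLE_ARN        a role in account B that trusts account A
set -eu

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::222222222222:role/SSMSessionRole}"
SOURCE_PROFILE="${SOURCE_PROFILE:-account-a}"

# Turn one tab-separated "AccessKeyId SecretAccessKey SessionToken" line
# (the shape `--output text` produces for the --query used below) into
# the environment variables the AWS CLI reads. Kept separate from the STS
# call so the parsing can be exercised offline.
load_session_credentials() {
    IFS="$(printf '\t')" read -r key secret token <<EOF
$1
EOF
    if [ -z "${key:-}" ] || [ -z "${secret:-}" ] || [ -z "${token:-}" ]; then
        echo "malformed credential line" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$key"
    export AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token"
}

# Assume the account-B role using account A's profile. The session name is
# what CloudTrail in account B records, so tie it to the calling user, and
# keep the lifetime short rather than taking the role's maximum.
assume_target_role() {
    creds=$(aws sts assume-role \
        --profile "$SOURCE_PROFILE" \
        --role-arn "$ROLE_ARN" \
        --role-session-name "ssm-$(id -un)-$(date +%s)" \
        --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)
    load_session_credentials "$creds"
}

# With the exported variables set, the CLI runs as the account-B role, so
# the instance ID is resolved in account B.
start_session() {
    aws ssm start-session --target "$1"
}

main() {
    assume_target_role
    start_session "$1"
}

# Only act when an instance ID is given, so the functions can be sourced.
if [ -n "${1:-}" ]; then main "$1"; fi
```

Exported credentials stay in that shell until it exits; `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN` afterwards avoids later commands silently running as the account-B role.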
0
The best way is using profiles in your CLI credentials file. Use --profile in the aws command.
answered a year ago
Thanks James. This addresses my concern.
However, is there any other way we can define the Assume Role option? As far as I know, through the CLI we need to fetch the STS credentials to temporarily assume the new role.
If we can make it seamless by just defining the same in, say, Account B's role's trusted identity section or something. I mean, I just wanted to know if there is some way where the user trying to establish the session just needs to mention the instance ID and they are done.
There's a feature in the AWS CLI (which also works for the SDKs) where you can specify in a profile that it should be automatically assumed from another profile. For example, you could create an "account-b" profile, which will automatically use "account-a" to assume it. Then you can just specify `--profile account-b` for your command. The configuration option is `source_profile`; see the docs here for more: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
Adding (having re-read your comment) that beyond the role assumption part, you would need some logic to find the right account for an instance ID, which could be possible with something like AWS Config Aggregator as you could query it (including via the CLI) for the account ID for a given instance, and then have a script select the correct profile based on that. Docs for Config Aggregator are here: https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
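Both halves of that reply in one script, as an added example that is not code from the original thread: a `source_profile` chain in `~/.aws/config` so the CLI assumes the account-B role itself, and a Config aggregator query that resolves an instance ID to its account before the profile is chosen. The profile names, account IDs, role ARN and the aggregator name `org-aggregator` are assumptions; the aggregator must be queryable from the `account-a` profile and must collect `AWS::EC2::Instance` resources from every account in the table.

```shell
#!/bin/sh
# Added example, not from the original reply. Assumed ~/.aws/config:
#
#   [profile account-a]
#   region = us-east-1
#   # account A's own credentials live here or in ~/.aws/credentials
#
#   [profile account-b]
#   role_arn = arn:aws:iam::222222222222:role/SSMSessionRole
#   source_profile = account-a
#   role_session_name = ssm-session
#   region = us-east-1
set -eu

AGGREGATOR="${AGGREGATOR:-org-aggregator}"
AGGREGATOR_PROFILE="${AGGREGATOR_PROFILE:-account-a}"

# Reject anything that is not an EC2 instance ID before it is interpolated
# into the aggregator query expression below.
valid_instance_id() {
    printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Map an account ID to the profile that can reach it. This table is where
# "which role for which account" lives; add a row per account rather than
# pointing every account at one role.
profile_for_account() {
    case "$1" in
        111111111111) echo "account-a" ;;
        222222222222) echo "account-b" ;;
        *) echo "no profile configured for account $1" >&2; return 1 ;;
    esac
}

# Pull accountId out of one aggregator result row, which is a JSON object
# such as {"accountId":"222222222222"}. Plain sed so it runs wherever the
# CLI runs; it only accepts the 12-digit account ID format.
account_from_result() {
    id=$(printf '%s' "$1" | sed -n \
        's/.*"accountId"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p')
    if [ -z "$id" ]; then
        echo "no accountId in aggregator result: $1" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

# Ask the aggregator which account owns the instance. Advanced queries
# return one JSON string per matching resource; the CLI prints "None" when
# Results is empty.
lookup_account() {
    row=$(aws configservice select-aggregate-resource-config \
        --profile "$AGGREGATOR_PROFILE" \
        --configuration-aggregator-name "$AGGREGATOR" \
        --expression "SELECT accountId WHERE resourceType = 'AWS::EC2::Instance' AND resourceId = '$1'" \
        --query 'Results[0]' --output text)
    if [ -z "$row" ] || [ "$row" = "None" ]; then
        echo "instance $1 not found in aggregator $AGGREGATOR" >&2
        return 1
    fi
    account_from_result "$row"
}

main() {
    valid_instance_id "$1" || { echo "not an instance ID: $1" >&2; exit 2; }
    account=$(lookup_account "$1")
    profile=$(profile_for_account "$account")
    echo "instance $1 is in account $account; using profile $profile" >&2
    # No manual STS step: source_profile makes the CLI assume the role.
    aws ssm start-session --profile "$profile" --target "$1"
}

# Only act when an instance ID is given, so the functions can be sourced.
if [ -n "${1:-}" ]; then main "$1"; fi
```

The aggregator lookup is the only part that needs network access; the ID validation, result parsing and account-to-profile mapping are plain functions so they can be checked before the script ever touches STS or SSM.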