Cross-account Athena based only on a cross-account IAM role: possible?

0

Hi, we have a situation where an application running in a k8s environment in one account has to access Athena and the Glue Data Catalog in a different account.

Since these two accounts are managed in two different ecosystems, we are looking to make it easy for ourselves to access Athena and run queries as a cross-account IAM role. We are aware of this: https://docs.aws.amazon.com/athena/latest/ug/security-iam-cross-account-glue-catalog-access.html, but we are looking to see if this is even possible; details below:

  1. An app runs in account A (k8s environment) using IRSA role A, which will have sts:AssumeRole on a role in account B; the role name is B.
  2. In account B, the role B is created with a trust policy for account A, and its policy allows Athena and Glue access (let's assume all permissions).
  3. The app creates a new AWS session using the new credentials and session token from the assumed AccountB-roleB, and calls Athena/Glue/S3 to do stuff. While I haven't tried it yet, I just want to know if I am missing anything and whether it is worth trying out. Please provide why or why not this is feasible, with more material and pointers.

Thanks
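The two-step flow described in the question (assume role B from the pod's IRSA credentials, then query Athena in account B with the temporary credentials), as an added Python/boto3 example that is not part of the original post. Account ids, role names and the results location are constructed placeholders; the trust policy scopes the principal to the IRSA role ARN rather than to all of account A.

```python
from typing import Any

# Constructed placeholder values; substitute the real account ids and names.
ACCOUNT_A = "111111111111"  # account running the k8s pod (IRSA role lives here)
ACCOUNT_B = "222222222222"  # account owning Athena, the Glue catalog and the data
IRSA_ROLE_A = "irsa-role-A"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/B"


def build_trust_policy(account_a: str, irsa_role: str) -> dict[str, Any]:
    """Trust policy for role B in account B. The principal is the specific
    IRSA role ARN, not the account root, so only that pod identity (and not
    every principal in account A) can assume role B."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_a}:role/{irsa_role}"},
            "Action": "sts:AssumeRole",
        }],
    }


def session_kwargs_from_assumed_role(sts_client, role_arn: str, session_name: str) -> dict[str, str]:
    """Step 1 of the flow: sts:AssumeRole using the IRSA credentials already
    on the pod. Returns keyword arguments for boto3.Session(); the STS client
    is passed in so the step can be exercised with a stub, offline."""
    creds = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def run_query(session_kwargs: dict[str, str], sql: str, database: str, results_s3: str) -> str:
    """Step 2: build a session from the temporary credentials and start an
    Athena query in account B. Returns the QueryExecutionId."""
    import boto3  # imported here: only needed when actually calling AWS
    athena = boto3.Session(**session_kwargs).client("athena")
    resp = athena.start_query_execution(
        QueryString=sql,
        QueryExecutionContext={"Database": database},
        ResultConfiguration={"OutputLocation": results_s3},
    )
    return resp["QueryExecutionId"]
```

Role B's permissions policy still has to cover Athena, the Glue catalog and the S3 locations for both the data and the query results; with the catalog and data in account B, the assumed role reads them as a same-account principal.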

1 Answer
0

Hi,

Please refer to the AWS Re:post article [1] on how to set up cross-account access to resources using IAM to assume role in another AWS account. You can also refer to our AWS Re:post article [2] on how to set up a cross-account AWS Glue Catalogs using catalog resource policies.

[1] https://repost.aws/knowledge-center/cross-account-access-iam

[2] https://repost.aws/knowledge-center/glue-tables-cross-accounts

AWS
SUPPORT ENGINEER
answered 2 months ago
EXPERT
reviewed a month ago
