Cross account assume role inside organization

0

Hi, I have an AWS organization with multiple accounts (root_account, account_1, account_2, ... account_n). What I'm trying to do is, starting from a user in root_account, be able to assume a role in any of the other organization accounts (account_x). In every account_x I've created a role account_example_role with the following trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<root_account_id>:role/root_example_role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

while in root_account I have the role root_example_role with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::<account_1>:role/account_example_role",
                "arn:aws:iam::<account_2>:role/account_example_role",
                ...
                "arn:aws:iam::<account_x>:role/account_example_role"
            ]
        }
    ]
}

and this seems to work, but it's hard to maintain.

I was wondering if there is a way to specify an organization wide role arn inside the root_example_role policy, something like this:

"Resource": "arn:aws:organizations::<root_account_id>:organization/o-<org-ID>/role/account_example_role"

so that it's no longer needed to update the root_example_role policy for every new account in the organization.

2 answers
0

I wonder if a Global condition would work in this situation. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/account_example_role"
            ],
            "Condition": { "StringEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}"  }  }
        }
    ]
}
AWS
Expert
kentrad
Answered 1 year ago
  • Thank you for your answer, but it doesn't seem to work :(

    I get this error:

    This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more
    

    And if I open the Show more menu I find this warning:

    aws:ResourceOrgID   One or more conditions do not have an applicable action.
    

    It seems that ResourceOrgId (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid) isn't available for every action, but should work for sts actions.

  • This is the policy I tried:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession"
                ],
                "Resource": "arn:aws:iam::*:role/account_example_role",
                "Condition": { "StringEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}"  }  }
            }
        ]
    }
    
0

IAM roles are linked to a particular AWS account and not to the whole organization. So you still need to mention each account's role arn in the root_example_role policy.

Answered 1 year ago
  • Hi, thank you for your answer, but I don't fully get it. I know that roles are bound to an account and not to an organization, but so are other resources too, and I am still able to grant permissions to a particular resource in an organization using conditions (e.g. PrincipalOrgID).

    What's the difference with roles?
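One way to live with the per-account ARN list the second answer describes (an added example, not code from this thread): generate the Resource list of root_example_role from the organization's account inventory and diff it against the current policy before updating. The account list below is a constructed sample standing in for organizations:ListAccounts output, and the function names are my own.

```python
import json

ROLE_NAME = "account_example_role"  # role name used in the question
MANAGED_POLICY_CHAR_LIMIT = 6144     # IAM limit for a managed policy document (whitespace excluded)

# Constructed sample shaped like organizations:ListAccounts output (not real account IDs).
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "root_account", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "account_1", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "account_2", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "account_old", "Status": "SUSPENDED"},
]


def member_role_arns(accounts, management_account_id, role_name=ROLE_NAME):
    """Role ARNs for every ACTIVE member account; the management account is excluded."""
    return sorted(
        f"arn:aws:iam::{acct['Id']}:role/{role_name}"
        for acct in accounts
        if acct["Status"] == "ACTIVE" and acct["Id"] != management_account_id
    )


def build_assume_role_policy(arns):
    """Identity policy for root_example_role with one ARN per member account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": list(arns)}],
    }


def fits_managed_policy_limit(policy):
    """True if the compact policy document stays under the managed-policy size limit."""
    compact = json.dumps(policy, separators=(",", ":"))
    return len(compact) <= MANAGED_POLICY_CHAR_LIMIT


def policy_diff(current_policy, desired_policy):
    """ARNs to add and remove, so the change can be reviewed before the policy is updated."""
    current = set(current_policy["Statement"][0]["Resource"])
    desired = set(desired_policy["Statement"][0]["Resource"])
    return {"add": sorted(desired - current), "remove": sorted(current - desired)}


if __name__ == "__main__":
    # In practice the list comes from boto3.client("organizations").get_paginator("list_accounts").
    arns = member_role_arns(SAMPLE_ACCOUNTS, management_account_id="111111111111")
    policy = build_assume_role_policy(arns)
    print(json.dumps(policy, indent=4), fits_managed_policy_limit(policy))
```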
