This repository has been archived by the owner on Nov 8, 2021. It is now read-only.

Use IAM accounts from another AWS account #21

Closed
mvanbaak opened this issue Feb 23, 2017 · 7 comments

@mvanbaak
Contributor

Consider the following setup:

  • one AWS account (let's call it management) which has all IAM users etc.
  • multiple AWS accounts (test, staging, production) running EC2 instances

Can you provide any pointers on how we should get the users from the management account onto instances in the test/staging/production accounts?

This way we can manage all users in one account while using them in many (following AWS best practices).

@michaelwittig
Contributor

  1. Create an IAM role in the account with the users. Assign the policies mentioned here https://github.com/widdix/aws-ec2-ssh/blob/master/iam_ssh_policy.json and assign a trust relationship to the other accounts as described here: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs-third-party.html
  2. In the authorized_keys_command.sh and the import_user.sh script, assume that role like this:
     # --output text prints the three queried values on one line, tab-separated; the unquoted
     # $CRED in the echo below collapses the tabs to single spaces, which is what cut -d ' ' relies on
     CRED=$(aws sts assume-role --role-arn "arn:aws:iam::$AccountId2:role/$RoleName" --role-session-name something --query '[Credentials.SessionToken,Credentials.AccessKeyId,Credentials.SecretAccessKey]' --output text)

     export AWS_ACCESS_KEY_ID=$(echo $CRED | cut -d ' ' -f 2)
     export AWS_SECRET_ACCESS_KEY=$(echo $CRED | cut -d ' ' -f 3)
     export AWS_SESSION_TOKEN=$(echo $CRED | cut -d ' ' -f 1)
     export AWS_SECURITY_TOKEN=$(echo $CRED | cut -d ' ' -f 1)   # legacy name for the same token, read by older SDK/CLI releases

@mvanbaak
Contributor Author

Thanks for the super quick reply. Going to test it right away.

@michaelwittig
Contributor

One thing I forgot: the EC2 instances must be allowed to call the sts:AssumeRole action.

Let me know if it works. I guess this would be interesting for other people as well.
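The two comments above describe one procedure: a role in the management account trusted by the workload accounts, an sts:AssumeRole permission on the instances, and a credential export at the top of the scripts. The following is an added example written for this page, not code from the aws-ec2-ssh project or from either participant. The account IDs, the role name ec2-ssh-users and the session name are assumed, and the two policy documents are written from the description in the thread rather than copied from the project's templates. It also replaces the echo/cut parsing with a tab-delimited read and rejects incomplete credential output, which the original snippet does not do.

```shell
#!/bin/sh
# Added example, not aws-ec2-ssh project code. Assumed/hypothetical names: the account
# IDs, the role name ec2-ssh-users and the session name. Policy documents below follow
# the thread's description and are not copied from the project.
set -eu

# Trust policy for the role that lives in the management account. Each workload
# account (test, staging, production) is listed as a principal, so instances there
# can assume the role through their instance-profile role.
# Caveat: an account root principal trusts every identity in that account that is
# itself allowed sts:AssumeRole on this ARN; listing the instance-profile role ARNs
# instead narrows it to the SSH hosts.
trust_policy_for_accounts() {
  principals=""
  for id in "$@"; do
    if [ -n "$principals" ]; then
      principals="$principals,"
    fi
    principals="$principals\"arn:aws:iam::$id:root\""
  done
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":[%s]},"Action":"sts:AssumeRole"}]}\n' "$principals"
}

# Policy for the instance-profile role in each workload account: the one extra
# permission the follow-up comment mentions, scoped to the single management role.
assume_role_policy_for() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Resource":"%s"}]}\n' "$1"
}

# Reads the tab-separated line that `aws sts assume-role --query ... --output text`
# prints (AccessKeyId, SecretAccessKey, SessionToken, in that order) from stdin and
# exports the credentials for the rest of the script. Splitting on the tab with read
# keeps the column order explicit; a missing field is an error here rather than an
# empty export that would make later aws calls fail with a confusing message.
export_role_creds() {
  tab=$(printf '\t')
  IFS="$tab" read -r key secret token || true
  if [ -z "${key:-}" ] || [ -z "${secret:-}" ] || [ -z "${token:-}" ]; then
    echo "assume-role output did not contain three credential fields" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$key"
  export AWS_SECRET_ACCESS_KEY="$secret"
  export AWS_SESSION_TOKEN="$token"
  export AWS_SECURITY_TOKEN="$token"   # legacy name read by older SDK and CLI releases
}

# Assumes the management-account role from an instance (the CLI picks up the
# instance-profile credentials on its own) and exports the result. Meant to be
# called at the top of import_users.sh / authorized_keys_command.sh.
assume_management_role() {
  role_arn=$1
  session_name=${2:-ec2-ssh-$(hostname 2>/dev/null || echo instance)}
  creds=$(aws sts assume-role --role-arn "$role_arn" \
            --role-session-name "$session_name" \
            --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
            --output text) || return 1
  export_role_creds <<EOF
$creds
EOF
}

# Usage sketch with the assumed IDs and role name. The two policy outputs go to
# `aws iam create-role --assume-role-policy-document file://...` (management account)
# and `aws iam put-role-policy --policy-document file://...` (each workload account).
#   trust_policy_for_accounts 111111111111 222222222222 > trust.json
#   assume_role_policy_for arn:aws:iam::999999999999:role/ec2-ssh-users > assume.json
#   assume_management_role arn:aws:iam::999999999999:role/ec2-ssh-users
#   aws iam list-users   # now runs against the management account
```

The iam_ssh_policy.json permissions from the project still have to be attached to the management-account role itself; the assume-role policy above only grants the workload instances the right to switch into it.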

@mvanbaak
Contributor Author

Import_users.sh tested: works.

I'm testing the scripts without provisioning them at the moment, as I will need to fold this into our CF templates.
I'll now manually set up the sshd authorized_keys_command thing to test that part as well. But I think it will work, based on the success with import_users.sh.

@mvanbaak
Contributor Author

BAM, works! Thanks a lot for your help!

@mvanbaak
Contributor Author

I'll cook up a version for my needs and show you what I've got. Maybe if I have enough time I can create a nice PR; if not, I'll point you to my implementation and you can pick from it if you want ;-)

(Sorry, too many things to do in too little time; can't promise to be a good citizen and create a PR.)

@michaelwittig
Contributor

Merged into master.
