在不同 AWS 账户中启动和停止 EC2 实例的 IAM 策略/角色设置

Question

I would like to start and stop EC2 instances in an AWS account (Account: AAA) from another AWS account (Account: BBB). Specifically, I am setting up an API to do this on ECS in Account BBB. When I tested the API for starting and stopping the accounts in the same Account it worked fine. However, I am not able to get the IAM roles to work across multiples accounts right.

My API uses boto3 and uses describe_instance_status to identify the instance status and then uses start_instances or stop_instances to start/stop. All this works fine as long as the EC2 instances are in the same account as the ECS that hosts the API.

To work this across multiple Accounts. I did the following but I am getting the error:

"botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeInstanceStatus operation: You are not authorized to perform this operation.botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeInstanceStatus operation: You are not authorized to perform this operation."

My setup is as follows:

1. In the account AAA that hosts the EC2 instances I created a policy that looks like below. BBB stands for the Account hosting the ECS task that runs the API.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstanceStatus",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:*:AAA:instance/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "ec2:ResourceTag/ManagedBy": "API"
                }
            }
        }
    ]

2. Created a role (ec2-instance-mgmt-role) that uses the above policy with a trust relationship to Account: BBB.

3. In Account BBB, I created a policy (ec2-assume-managerole) that looks like below where AAA is the account name of the account that hosts the EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::AAA:role/ec2-instance-mgmt-role"
    }
} 

4. In Account BBB, I created a role with the policy in (3) attached. Additionally, I created the trust relationship to ecs-tasks for this role.

Fragment of my boto3 code to start is below:

ec2 = boto3.client('ec2', region_name=region_name)

resp = ec2.describe_instance_status(
        InstanceIds=[str(instance_id)],
        IncludeAllInstances=True)

print("Response = ",resp)

instance_status = resp['InstanceStatuses'][0]['InstanceState']['Code']

print("Instance status =", instance_status)

if instance_status == 80:
    ec2.start_instances(InstanceIds=[instance_id])
    print("Started instance with Instance_id",instance_id)
    return {'message': 'instance started'}
else:
     print("Instance not in a state to start")
     return {'message': 'instance not in a state to be started'}

5. Assigned the role created in Step (4) as the Task Role of the ECS Task that defines the Container of the API that is built to start and stop EC2 instances. The ECS instance is running in account BBB.

When I try to call this API I get the error described in the beginning which is pasted below as well.

"botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeInstanceStatus operation: You are not authorized to perform this operation.botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeInstanceStatus operation: You are not authorized to perform this operation."

Answer 1

Finally, I was able to solve this problem. What I had missed was I was not assuming the role in the boto3 code. Once that was added it worked. Following code shows the function that is called to assume role and the code below that shows the usage to describe ec2 instance status after assuming the role.

def assume_role(role_arn):
    sts_client = boto3.client('sts')

    letters = string.ascii_letters
    session_name = f"AssumeRoleSession{random.choice(letters)}"
    assumed_role_object=sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name
    )

    credentials=assumed_role_object['Credentials']

    print(f"Credentials: {credentials}")

    ec2_resource=boto3.resource(
                                    'ec2',
                                    aws_access_key_id=credentials['AccessKeyId'],
                                    aws_secret_access_key=credentials['SecretAccessKey'],
                                    aws_session_token=credentials['SessionToken'],
                                )


    return ec2_resource


 ec2_resource = assume_role(assume_role_arn)
  
 ec2 = ec2_resource.meta.client

 resp = ec2.describe_instance_status(
            InstanceIds=[str(instance_id)],
            IncludeAllInstances=True)