AWS Java SDK: AssumeRole from EC2 instance profile?
Question
I have an application running on an EC2 instance that has an IAM profile that has EC2 describe on the account in which it resides. It also has AssumeRole for another account (that role grants EC2 describe as well). Here is what my IAM role on the principal account looks like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Sid": "{SID}",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::{ACCT_NUM}:role/{ROLE_NAME}"
]
}
]
}
Here is the IAM role from the secondary account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
}
]
}
Basically what I need to do is get the EC2 instances from both accounts. Is this possible with the current SDK? Currently I am only getting the instances from the principal account.
2 answers
solution1
3 2017-11-08 23:37:05
Adding ec2:AssumeRole does not automatically propagate commands across the accounts.
You must call ec2:DescribeInstances once for each AWS account & region that you want to pull instance information from.
Your IAM role for EC2 gives you access to the primary account. Calling ec2:DescribeInstances with those credentials alone will give you EC2 instance information for that account alone.
Next, you need to call ec2:AssumeRole to receive new credentials for the secondary account. Once you have those, you use those to call ec2:DescribeInstances for the secondary account.
solution2
1 ACCPTED 2017-11-08 23:31:24
Yes, you can with the SDK. After you list the EC2 instances using credentials from the main (default) account, you then use STS to call AssumeRole() to get credentials for the cross account. Then list those EC2 instances.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.