Using AWS, I'm building a CloudFormation stack defining the following:

- `MyPolicy`, allowing to use those resources (for the sake of simplicity, not transcribed below)
- `MyRole`, submitted to that policy

The stack will be created by an admin; and once created, the goal is to allow (from outside the stack) some users to assume `MyRole` in order to use the several resources.

My question: how should the role be defined in order to be assumable by users (specific users would be allowed from outside the stack)?

In the AWS help page, they give an example where `"Service": [ "ec2.amazonaws.com" ]`, meaning that an EC2 instance is allowed to assume that role... But I don't understand how it translates to users, and no example is given regarding that scenario.

Below is my stack definition using JSON format:
```json
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "MyRole" : {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "MyRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "??" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "ManagedPolicyArns": [ { "Ref": "MyPolicy" } ]
      }
    }
  }
}
```
Good question! Simply use your root user ARN as the principal. This will allow you to control which user can assume the role using IAM. Here's an example (in YAML for my own sanity):
```yaml
AdministratorRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: administrator
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: sts:AssumeRole
          Condition:
            Bool:
              aws:MultiFactorAuthPresent: 'true'
    Path: "/"
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AdministratorAccess
AssumeAdministratorRolePolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    ManagedPolicyName: "AssumeRolePolicy-Administrator"
    Description: "Assume the administrative role"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: "AssumeAdministratorRolePolicy"
          Effect: "Allow"
          Action:
            - "sts:AssumeRole"
          Resource: !GetAtt AdministratorRole.Arn
AssumeAdministratorRoleGroup:
  Type: AWS::IAM::Group
  Properties:
    GroupName: "AssumeRoleGroup-Administrator"
    ManagedPolicyArns:
      - !Ref AssumeAdministratorRolePolicy
```
The only thing left is to add a user to the `AssumeRoleGroup-Administrator` group.

Bonus: I've added a condition to only allow users that have logged in using MFA to assume the role.

Also, just swap your `${AWS::AccountId}` for another account ID you own and you can cross-account assume roles easily.
Let's say you want Account B to be able to assume the role to access Account A, with custom S3 list access and AWS-managed Route 53 full access. Then use the CloudFormation below in Account A:
```yaml
Parameters:
  AccountBId:
    Type: String
  environment:
    Type: String
    Default: development
    AllowedValues:
      - development
      - production
Resources:
  # Account A:
  ListS3Access:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - "s3:ListAllMyBuckets"
              - "s3:ListBucket"
              - "s3:ListBucketVersions"
              - "s3:GetObject"
            Resource: '*'
  TestRole:
    Type: AWS::IAM::Role
    DependsOn:
      - ListS3Access
    Properties:
      Description: Test Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AccountBId}:root'
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref ListS3Access
        - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
      Tags:
        - Key: environment
          Value: !Ref environment
```
After you run the Account A CloudFormation, you should get the `TestRole` ARN; save it for later usage in Account B.

In Account B, use the CloudFormation below:
```yaml
Parameters:
  AccountAId:
    Type: String
  roleName:
    Type: String
    Default: xxxxxxxxx
Resources:
  AssumeTestRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "Assume My Test role"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AssumeTestRolePolicy"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Resource: !Sub 'arn:aws:iam::${AccountAId}:role/${roleName}'
  AssumeTestRoleGroup:
    Type: AWS::IAM::Group
    DependsOn:
      - AssumeTestRolePolicy
    Properties:
      GroupName: "AssumeRoleGroup"
      ManagedPolicyArns:
        - !Ref AssumeTestRolePolicy
```
When you run the Account B CloudFormation, take the `TestRole` ARN you got from Account A and provide it to `roleName`.

After both CloudFormation stacks have been deployed, log in to Account B, assign the user to the group, and you should be able to use that user to switch to the role.
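Both answers above turn on the contents of the role's trust policy (`AssumeRolePolicyDocument`): an `AWS` principal naming an account root makes the role assumable by IAM identities in that account, a `Service` principal does not, and the `aws:MultiFactorAuthPresent` condition from the first answer is what actually forces MFA. The following Python script is an added example, not code from either answer or from AWS; it reviews a trust policy in the JSON form the question uses and reports who can assume the role, whether MFA is enforced, and whether any trusted account is foreign or a wildcard. The account IDs and the four sample policies are constructed for the example; `analyze_trust_policy` and its helpers are hypothetical names, not an AWS API.

```python
from typing import Any, Dict, List, Optional

# Constructed sample trust policies (the JSON form of AssumeRolePolicyDocument),
# modelled on the templates in the two answers above. Account IDs are placeholders.
OWN_ACCOUNT = "111111111111"
OTHER_ACCOUNT = "222222222222"

# Answer 1: same-account root principal, MFA required.
SAME_ACCOUNT_MFA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Answer 2: Account A's TestRole trusting Account B's root principal.
CROSS_ACCOUNT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{OTHER_ACCOUNT}:root"]},
        "Action": ["sts:AssumeRole"],
    }],
}

# The AWS documentation example quoted in the question: a service principal.
EC2_SERVICE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
    }],
}

# A trust policy that should never ship: any AWS account may assume the role.
WILDCARD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_from_arn(arn: str) -> Optional[str]:
    """Account ID of an IAM ARN (arn:partition:iam::ACCOUNT:...), else None."""
    parts = arn.split(":")
    if len(parts) >= 6 and parts[2] == "iam":
        return parts[4]
    return None


def _requires_mfa(statement: Dict[str, Any]) -> bool:
    """True only for Condition.Bool.aws:MultiFactorAuthPresent == true.
    BoolIfExists is deliberately not accepted: it evaluates to true when the
    key is absent from the request, so it does not force MFA."""
    cond = statement.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent")).lower() == "true"


def analyze_trust_policy(doc: Dict[str, Any], own_account: str) -> Dict[str, Any]:
    """Summarise who may assume a role according to its trust policy."""
    summary: Dict[str, Any] = {
        "user_assumable": False,    # can IAM users/roles (not only services) assume it?
        "mfa_required": False,      # do all user-facing Allow statements require MFA?
        "trusted_accounts": set(),  # account IDs named as AWS principals
        "service_principals": [],   # e.g. ec2.amazonaws.com
        "findings": [],             # human-readable review notes
    }
    mfa_flags: List[bool] = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
            summary["service_principals"].extend(_as_list(principal.get("Service")))
        else:
            aws_principals = _as_list(principal)  # bare "Principal": "*"
        if not aws_principals:
            continue  # service-only statement: not assumable by IAM users
        summary["user_assumable"] = True
        mfa = _requires_mfa(stmt)
        mfa_flags.append(mfa)
        for arn in aws_principals:
            if arn == "*":
                summary["findings"].append("wildcard principal: any AWS account may assume this role")
                continue
            account = _account_from_arn(arn) or "unknown"
            summary["trusted_accounts"].add(account)
            if account != own_account:
                summary["findings"].append(
                    f"cross-account trust: {account} may assume this role; confirm you own it")
            if not mfa:
                summary["findings"].append(f"no MFA condition on the trust for {arn}")
    summary["mfa_required"] = bool(mfa_flags) and all(mfa_flags)
    return summary


if __name__ == "__main__":
    for name, doc in [("same-account+MFA", SAME_ACCOUNT_MFA_TRUST), ("cross-account", CROSS_ACCOUNT_TRUST),
                      ("ec2 service", EC2_SERVICE_TRUST), ("wildcard", WILDCARD_TRUST)]:
        print(name, analyze_trust_policy(doc, OWN_ACCOUNT))
```

Run against a real role, the input would be the `AssumeRolePolicyDocument` returned by `aws iam get-role`; the "cross-account trust" finding is informational (it is exactly what the second answer sets up) and is there so a reviewer confirms the trusted account is one they own.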