beginnertopython

Reputation: 111

IAM role to access services of another AWS account

For security reasons, we have a dev, QA, and a prod AWS account. We are using IAM roles for instances. This is working correctly per account basis.

Now the requirement here is that we want to access multiple AWS services (such as S3, SQS, SNS, EC2, etc.) on one of the EC2 instances of the QA account from the Dev AWS account.

We have created an STS policy and role allowing trusted entities from another AWS account, but somehow we are not able to attach this role to the EC2 instance.

Example STS policy:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::546161XXXXXX:role/AdminAccessToAnotherAccount"
    }
}

AdminAccessToAnotherAccount: this is the AWS policy on the other account with admin access.

This role is not listed when attaching a role to the EC2 instance.

Upvotes: 0

Views: 3200

Answers (1)

John Rotenstein

Reputation: 269091

It appears that your situation is:

  • You have an EC2 instance in Account-1
  • An IAM Role ("Role-1") is assigned to the EC2 instance
  • You want to access resources in Account-2 from the EC2 instance

The following steps can enable this:

  • Create an IAM Role in Account-2 ("Role-2") with the permissions you want the instance to receive
  • Add a Trust policy to Role-2, trusting Role-1
  • Confirm that Role-1 has permission to call AssumeRole on Role-2
  • From the EC2 instance using Role-1, call AssumeRole on Role-2
  • It will return a set of credentials (Access Key, Secret Key, Token)
  • Use those credentials to access services in Account-2 (via aws configure --profile foo or an API call).
    • If you use aws configure, you will also need to manually edit the ~/.aws/credentials file to add the aws_session_token to the profile, since it is not requested by the CLI command.

Examples:

Upvotes: 5
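The two policy halves the answer describes (Role-2's trust policy naming Role-1, and Role-1's permission to call AssumeRole on Role-2), plus the credentials-file profile from the last bullet, as an added example that is not from the question or the answer. Role-1, Role-2, the account IDs and the AssumeRole response below are constructed placeholders; the consistency check is what you would run when, as in the question, the cross-account call is refused.

```python
import configparser
import io

# Constructed placeholder ARNs (not the question's account or role names).
ROLE_1_ARN = "arn:aws:iam::111111111111:role/Role-1"  # instance role in Account-1
ROLE_2_ARN = "arn:aws:iam::222222222222:role/Role-2"  # target role in Account-2

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _statements(policy):
    # IAM accepts "Statement" as either a single object or a list.
    return _as_list(policy["Statement"])

def trust_policy(trusted_role_arn):
    """Trust policy attached to Role-2: only the named Role-1 may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": trusted_role_arn},
        "Action": "sts:AssumeRole"}]}

def assume_role_policy(target_role_arn):
    """Permission policy attached to Role-1: allow AssumeRole on Role-2 only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": target_role_arn}]}

def policies_consistent(role1_arn, role2_arn, trust, perm):
    """True only when both halves name each other: Role-2 trusts Role-1 and
    Role-1 is allowed to assume Role-2. A mismatch on either side fails."""
    trusted, resources = set(), set()
    for s in _statements(trust):
        principal = s.get("Principal", {})
        if s.get("Effect") == "Allow" and isinstance(principal, dict) \
                and "sts:AssumeRole" in _as_list(s.get("Action", [])):
            trusted.update(_as_list(principal.get("AWS", [])))
    for s in _statements(perm):
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", [])):
            resources.update(_as_list(s.get("Resource", [])))
    return role1_arn in trusted and role2_arn in resources

def credentials_profile(assume_role_response, profile="foo"):
    """Render AssumeRole credentials as an ~/.aws/credentials profile,
    including the aws_session_token that `aws configure` never asks for."""
    c = assume_role_response["Credentials"]
    cfg = configparser.ConfigParser()
    cfg[profile] = {"aws_access_key_id": c["AccessKeyId"],
                    "aws_secret_access_key": c["SecretAccessKey"],
                    "aws_session_token": c["SessionToken"]}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()
```

The profile text is meant to be appended to ~/.aws/credentials; it is never written to disk here.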
