Configure AWS Role to switch between Organization Accounts
I'm trying to follow the instructions in How can I allow a Group to assume a Role?, but run into the following error when I try to switch roles:

Invalid information in one or more fields. Check your information or contact your administrator.


In this scenario I have three AWS Accounts with example ids

  • CompanyMain - 000000000001
  • CompanyProd - 000000000002
  • CompanyDev - 000000000003

Where the main account has an organization that includes the prod and dev accounts

What I'd like to do is set up a single set of IAM users on the main account and allow them to login and switch between either of the two subaccounts, instead of forcing everyone to have three separate logins.

Here's what I've done so far all on the CompanyMain account:

  1. Create Role for accessing Prod Account

    Set trusted Entity to "Another AWS Account"

    Set Permission Policy to AdministratorAccess

    So when I go to Role > "Trust Relationship" > Show Policy Document - it looks like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::000000000002:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }
    

    With the name "company-prod-admin" so the ARN is like this:

    arn:aws:iam::000000000001:role/company-prod-admin
    

    This also comes with the link to switch roles as follows:

    https://signin.aws.amazon.com/switchrole?roleName=company-prod-admin&account=000000000001

  2. Create a Policy to Assume this Role

    Service: STS
    Actions: AssumeRole
    Role ARN: arn:aws:iam::000000000001:role/company-prod-admin

    So the Policy Document looks like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::000000000002:root"
        }
      ]
    }
    
  3. Create Admin Group

    Create a group on the main account called admin and attach the policy we just created

  4. Create IAM User

    Create user on the main account and place in admin group

Sign in as IAM User

I can now sign in as an IAM user against the main account

From there, I'd like to switch roles by using the role link or going to https://signin.aws.amazon.com/switchrole and entering the account / role info

However, I get the error that the following info is invalid

Org Setup Question

How can I create roles that work across organizations? I'm a little confused as to where the role / permission needs to originate between the three accounts, but ideally I'd like to have a way for someone to log in to one set of permissions for the whole organization.

Boorish answered 10/11, 2020 at 1:35

Comment (1):
Hey, have you looked closely at the AWS SSO service? See aws.amazon.com/single-sign-on (Otoscope)

You need to do the IAM policy the other way around: if you want to be able to access CompanyProd from CompanyMain, then you need to create an IAM policy in CompanyProd like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000001:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Next, you log in to MainCompany and go to Switch Role. In the Account field, you write 000000000002; in the Role field, you write root.

Bosnia answered 12/3, 2021 at 13:19

Comment (1):
How do you access the new account to add this policy if it was created within Organisations? I thought the policy got created automatically in the new account, but when I try to switch I get an error. When I created the new account, I didn't get any login details. (Appositive)
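The question's setup and the answer's fix differ in which account each policy lives in: the trust policy belongs on the role in the target account (CompanyProd), and the `sts:AssumeRole` permission belongs on the group in the account where the users sign in (CompanyMain), with a role ARN as its Resource. The following script is an added example, not code from the original question or answer; the account IDs and role name are the question's placeholders, while the function names and the MFA condition are this example's own assumptions. It generates both policy documents for that pattern and checks a setup for the two problems visible in the question: the role created in the users' own account, and an `sts:AssumeRole` statement whose Resource is an account root instead of a role ARN.

```python
# Cross-account assume-role setup: policy generator and consistency checker.
# Added example. Account IDs and the role name are the question's placeholders;
# the MFA condition and all function names are assumptions of this example.
import json
import re

MAIN = "000000000001"   # CompanyMain: where the IAM users and the admin group live
PROD = "000000000002"   # CompanyProd: where the role has to be created
ROLE_NAME = "company-prod-admin"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
ACCOUNT_ID_RE = re.compile(r"\b\d{12}\b")


def _as_list(value):
    """IAM accepts a scalar or a list in Action/Resource/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def role_arn(account, name):
    return f"arn:aws:iam::{account}:role/{name}"


def trust_policy(trusting_account, require_mfa=True):
    """Trust policy for the role in the TARGET account (CompanyProd).

    Trusting the other account's root delegates the decision of which users may
    assume the role to IAM policies in that account. The MFA condition is an
    added hardening, not something the original post configured.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusting_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(*role_arns):
    """Identity policy for the group in the MAIN account; Resource is a role ARN, never a root."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": list(role_arns)}],
    }


def switch_role_url(account, name):
    """Console switch-role link; 'account' is the account that OWNS the role."""
    return f"https://signin.aws.amazon.com/switchrole?roleName={name}&account={account}"


def check_setup(users_account, role_account, trust_doc, permission_doc):
    """Return a list of problems with a cross-account setup (empty if consistent)."""
    problems = []
    if role_account == users_account:
        problems.append("role lives in the users' own account; create it in the target account")

    trusted = set()
    for st in trust_doc["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in _as_list(aws_principals):
            m = ACCOUNT_ID_RE.search(p)  # bare ID, :root ARN and user/role ARNs all carry the account
            if m:
                trusted.add(m.group(0))
    if users_account not in trusted:
        problems.append(f"trust policy does not trust account {users_account}")

    for st in permission_doc["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        for resource in _as_list(st.get("Resource", [])):
            m = ROLE_ARN_RE.match(resource)
            if not m:
                problems.append(f"Resource {resource!r} is not a role ARN; AssumeRole cannot target a root")
            elif m.group(1) != role_account:
                problems.append(f"Resource {resource!r} is in account {m.group(1)}, not {role_account}")
    return problems


def as_posted():
    """The question's configuration: role and policy both created in CompanyMain."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{PROD}:root"},
        "Action": "sts:AssumeRole", "Condition": {}}]}
    perm = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": f"arn:aws:iam::{PROD}:root"}]}
    return check_setup(users_account=MAIN, role_account=MAIN, trust_doc=trust, permission_doc=perm)


def corrected():
    """Role in CompanyProd trusting CompanyMain; the group in CompanyMain may assume exactly it."""
    trust = trust_policy(trusting_account=MAIN)
    perm = assume_role_policy(role_arn(PROD, ROLE_NAME))
    return check_setup(MAIN, PROD, trust, perm), switch_role_url(PROD, ROLE_NAME)


if __name__ == "__main__":
    for problem in as_posted():
        print("as posted:", problem)
    problems, url = corrected()
    print("corrected:", problems or "no problems", url)
    print(json.dumps(trust_policy(MAIN), indent=2))
```

Run as a script, it reports three problems for the configuration in the question and none for the corrected one, and prints the switch-role link for the corrected role, whose account field is the account that owns the role (000000000002), not the one the user signs in to. Trusting the `:root` of CompanyMain is what lets the group's identity policy in that account, rather than the trust policy, decide which users may switch; the `aws:MultiFactorAuthPresent` condition additionally refuses the switch unless the assuming user's session was authenticated with MFA. For a member account created through AWS Organizations, the management account can normally switch into it via the role AWS creates there by default, OrganizationAccountAccessRole, and attach the trust policy from the answer from there.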
