AWS associate ip with instance in other account

0

I have a problem that I'm trying to fix for my school project.

Let's say I have account A and my friend has account B.

Each one of us has 1 Ubuntu instance, and I want to transfer/allocate my Elastic IP (if a program fails) to his instance through the AWS CLI.

Both instances are in the same VPC, same subnet.

So I have a script that disassociates the Elastic IP and associates the new one with his instance like this.

aws ec2 disassociate-address --public-ip 00.00.000.00

(maybe in the script here I have to transfer the Elastic IP or make the AWS CLI access his account?)

aws ec2 associate-address --public-ip 00.00.000.00 --instance-id i-00000000

Of course, it won't work because the AWS CLI is connected to my account, but I can't seem to find a way to make this work.

Possible ways: transfer the IP, but I don't know how to do it in an automated way; IAM roles?

I don't mind having both instances on one account, but since there are two of us I would like to take advantage of the free tier, since it's our first time using AWS.

Any idea how I can make this work?

2 Answers
0

Greetings,

AWS account the necessary permissions to manage Elastic IPs in your account. You'll need to create a cross-account role in your account and have your friend assume that role in their account to execute the necessary AWS CLI commands.

Here's a step-by-step guide to achieve this:

In your AWS account, create an IAM role with the following trust policy. Replace 123456789012 with your friend's AWS account ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attach a policy to the role you created in step 1 with the necessary permissions to manage Elastic IPs. You can create a custom policy like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateAddress",
        "ec2:DisassociateAddress"
      ],
      "Resource": "*"
    }
  ]
}

Note the ARN of the role you created in step 1. It will look like this: arn:aws:iam::your_account_id:role/RoleName

In your friend's AWS account, they should configure a CLI profile with their account credentials. They can do this by running aws configure --profile friend-profile, and then entering their access key, secret key, and default region.

Your friend can then assume the role you created in your account by running the following command:

aws sts assume-role --role-arn arn:aws:iam::your_account_id:role/RoleName --role-session-name FriendSession --profile friend-profile

This command will return temporary credentials (AccessKeyId, SecretAccessKey, and SessionToken) that they need to use when running AWS CLI commands with the assumed role.

They can now use the temporary credentials to disassociate and associate the Elastic IP in your account using the AWS CLI. They should set the following environment variables:

export AWS_ACCESS_KEY_ID=AssumedRoleAccessKeyId
export AWS_SECRET_ACCESS_KEY=AssumedRoleSecretAccessKey
export AWS_SESSION_TOKEN=AssumedRoleSessionToken

Replace AssumedRoleAccessKeyId, AssumedRoleSecretAccessKey, and AssumedRoleSessionToken with the actual values from step 5.

Finally, your friend can run the disassociate and associate commands using the temporary credentials:

aws ec2 disassociate-address --public-ip 00.00.000.00
aws ec2 associate-address --public-ip 00.00.000.00 --instance-id i-00000000

This way, you can keep the instances in separate accounts and still manage the Elastic IPs across both accounts.

Links for reference:

Creating an IAM role: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

Attaching a policy to an IAM role: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html

Assuming a role with AWS CLI: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/

Configuring the AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

Amazon EC2 Elastic IPs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Please let me know if I answered your question

AWS
EXPERT
ZJon
answered a year ago
  • Hi, I get this error: An error occurred (InvalidInstanceID.NotFound) when calling the AssociateAddress operation: The instance ID i-123 does not exist, because it doesn't appear in my account (A), because i-123 belongs to account (B)
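An added example in Python (not code from the answer or from AWS tooling) to go with steps 5 and 6 of the answer above: it maps the JSON that `aws sts assume-role` prints onto the three environment variables the answer lists, and checks a cross-account trust policy before it is attached, flagging a principal that is not the one intended account. The STS output is constructed here with placeholder values.

```python
import json

# Constructed sample of what `aws sts assume-role ... --profile friend-profile`
# prints (step 5 of the answer); the credential values are placeholders, not real keys.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "example-secret-placeholder",
        "SessionToken": "example-session-token-placeholder",
        "Expiration": "2024-01-01T01:00:00+00:00",
    }
})

# The trust policy from the answer, with the friend's account id as the only principal.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
    }],
}

def exports_from_assume_role(output_json: str) -> dict:
    """Map the STS Credentials block onto the env var names the AWS CLI reads (step 6)."""
    creds = json.loads(output_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }

def check_trust_policy(policy: dict, expected_account: str) -> list:
    """Return findings for a cross-account trust policy; an empty list means only
    the intended account is allowed to call sts:AssumeRole."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append("Principal is '*': any AWS account could assume the role")
        elif f"::{expected_account}:" not in str(aws):
            findings.append(f"Principal {aws!r} is not account {expected_account}")
        actions = stmt.get("Action", [])
        if ([actions] if isinstance(actions, str) else list(actions)) != ["sts:AssumeRole"]:
            findings.append(f"trust actions should be only sts:AssumeRole, got {actions}")
    return findings
```

The same scoping check applies on the permission side: the answer's policy uses `"Resource": "*"`, which lets the assumed role associate or disassociate every Elastic IP in the account rather than just the one being failed over.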

0

To transfer an Elastic IP between accounts, please see https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html

I'm not sure entirely that you have the instances in the same VPC/Subnet? Are you sharing https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html

EXPERT
answered a year ago
