Greetings,
AWS account the necessary permissions to manage Elastic IPs in your account. You'll need to create a cross-account role in your account and have your friend assume that role in their account to execute the necessary AWS CLI commands.
Here's a step-by-step guide to achieve this:
1. In your AWS account, create an IAM role with the following trust policy. Replace 123456789012 with your friend's AWS account ID:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
2. Attach a policy to the role you created in step 1 with the necessary permissions to manage Elastic IPs. You can create a custom policy like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AssociateAddress",
                    "ec2:DisassociateAddress"
                ],
                "Resource": "*"
            }
        ]
    }
3. Note the ARN of the role you created in step 1. It will look like this: arn:aws:iam::your_account_id:role/RoleName
4. In your friend's AWS account, they should configure a CLI profile with their account credentials. They can do this by running aws configure --profile friend-profile, and then entering their access key, secret key, and default region.
5. Your friend can then assume the role you created in your account by running the following command:

    aws sts assume-role --role-arn arn:aws:iam::your_account_id:role/RoleName --role-session-name FriendSession --profile friend-profile

This command will return temporary credentials (AccessKeyId, SecretAccessKey, and SessionToken) that they need to use when running AWS CLI commands with the assumed role.
6. They can now use the temporary credentials to disassociate and associate the Elastic IP in your account using the AWS CLI. They should set the following environment variables:

    export AWS_ACCESS_KEY_ID=AssumedRoleAccessKeyId
    export AWS_SECRET_ACCESS_KEY=AssumedRoleSecretAccessKey
    export AWS_SESSION_TOKEN=AssumedRoleSessionToken

Replace AssumedRoleAccessKeyId, AssumedRoleSecretAccessKey, and AssumedRoleSessionToken with the actual values from step 5.
7. Finally, your friend can run the disassociate and associate commands using the temporary credentials:

    aws ec2 disassociate-address --public-ip 00.00.000.00
    aws ec2 associate-address --public-ip 00.00.000.00 --instance-id i-00000000
This way, you can keep the instances in separate accounts and still manage the Elastic IPs across both accounts.

Links for reference:
Creating an IAM role: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
Attaching a policy to an IAM role: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html
Assuming a role with AWS CLI: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
Configuring the AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
Amazon EC2 Elastic IPs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
Please let me know if I answered your question
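An added example (not part of the answer above) covering steps 5 and 6 and the trust policy from step 1: it turns the `aws sts assume-role` JSON into the three environment variables instead of copying them by hand, refuses credentials whose Expiration has passed, and checks that the trust policy only lets the friend's account assume the role (no "*" principal, no third account). The assume-role output below is a constructed sample with fake values.

```python
import json
from datetime import datetime, timezone

# Trust policy from step 1 (123456789012 is that step's placeholder for the friend's account).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}]}

# Constructed sample of what `aws sts assume-role` prints in step 5; every value is fake.
SAMPLE_ASSUME_ROLE_OUTPUT = """{"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEYID",
  "SecretAccessKey": "exampleSecretKey", "SessionToken": "exampleSessionToken",
  "Expiration": "2030-01-01T00:00:00+00:00"},
 "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLEID:FriendSession",
  "Arn": "arn:aws:sts::111111111111:assumed-role/RoleName/FriendSession"}}"""

def credentials_expired(output_json, now_iso=None):
    """True if the Expiration in the assume-role output is not in the future."""
    expiry = datetime.fromisoformat(json.loads(output_json)["Credentials"]["Expiration"])
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return expiry <= now

def env_from_assume_role(output_json):
    """Map the Credentials block to the three environment variables of step 6."""
    if credentials_expired(output_json):
        raise ValueError("assumed-role credentials have already expired")
    creds = json.loads(output_json)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}

def assume_role_principals(policy):
    """Every AWS principal an Allow statement lets call sts:AssumeRole ('*' if wide open)."""
    stmts = policy["Statement"]
    found = set()
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*", "*"} & set(actions)):
            continue
        principal = s.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        found.update([aws] if isinstance(aws, str) else aws)
    return found

def trust_policy_is_scoped(policy, friend_account_id):
    """The role may be assumed only from the friend's account: no '*', no other account."""
    ok = {f"arn:aws:iam::{friend_account_id}:root", friend_account_id}
    principals = assume_role_principals(policy)
    return bool(principals) and all(
        p in ok or p.startswith(f"arn:aws:iam::{friend_account_id}:") for p in principals)
```

Note that `:root` as the principal trusts every IAM identity in the friend's account that is itself allowed to call sts:AssumeRole; the check above confirms the scope is that one account, not who inside it.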
To transfer an Elastic IP between accounts, please see https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html
I'm not entirely sure: do you have the instances in the same VPC/Subnet? Are you sharing https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html ?
Hi, I get this error: "An error occurred (InvalidInstanceID.NotFound) when calling the AssociateAddress operation: The instance ID i-123 does not exist", because it doesn't appear in my account (A): i-123 belongs to account (B).