Cross account assume role inside organization

0

Hi, I have an AWS organization with multiple accounts (root_account, account_1, account_2, ... account_n). What I'm trying to do is, starting from a user in root_account, be able to assume a role in any of the other organization accounts (account_x). In every account_x I've created a role account_example_role with the following trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<root_account_id>:role/root_example_role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

while in root_account I have the role root_example_role with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::<account_1>:role/account_example_role",
                "arn:aws:iam::<account_2>:role/account_example_role",
                ...
                "arn:aws:iam::<account_x>:role/account_example_role"
            ]
        }
    ]
}

and this seems to work, but it's hard to maintain.

I was wondering if there is a way to specify an organization-wide role ARN inside the root_example_role policy, something like this:

"Resource": "arn:aws:organizations::<root_account_id>:organization/o-<org-ID>/role/account_example_role"

so that it's no longer necessary to update the root_example_role policy for every new account in the organization.

2 Answers
0

I wonder if a Global condition would work in this situation. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/account_example_role"
            ],
            "Condition": { "StringEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}"  }  }
        }
    ]
}
AWS EXPERT kentrad
answered a year ago
  • Thank you for your answer, but it doesn't seem to work :(

    I get this error:

    This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more
    

    And if I open the Show more menu I find this warning:

    aws:ResourceOrgID   One or more conditions do not have an applicable action.
    

    It seems that ResourceOrgId (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid) isn't available for every action, but it should work for sts actions.

  • This is the policy I tried:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession"
                ],
                "Resource": "arn:aws:iam::*:role/account_example_role",
                "Condition": { "StringEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}"  }  }
            }
        ]
    }
    
0

IAM roles are linked to a particular AWS account and not to the whole organization. So you still need to mention each account's role ARN in the root_example_role policy.

answered a year ago
  • Hi, thank you for your answer, but I don't fully get it. I know that roles are bound to an account and not to an organization, but so are other resources, and I am still able to grant permissions to a particular resource in an organization using conditions (e.g. PrincipalOrgID).

    What's the difference with roles?
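Since the second answer's point is that root_example_role's policy has to name each member account's role ARN explicitly, one way to remove the manual upkeep the question complains about is to regenerate that policy from the organization's account list. This is an added example, not code from the thread; it assumes boto3, credentials in the management account with organizations:ListAccounts and DescribeOrganization, the role name account_example_role from the question, and a constructed sample account list for the offline path.

```python
import json

ROLE_NAME = "account_example_role"  # role name used in the thread

# Constructed sample in the shape organizations:ListAccounts returns (not real accounts).
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE"},     # management account
    {"Id": "222222222222", "Status": "ACTIVE"},
    {"Id": "333333333333", "Status": "SUSPENDED"},  # closed/suspended: skip
    {"Id": "444444444444", "Status": "ACTIVE"},
]


def active_member_ids(accounts, management_account_id):
    """Keep ACTIVE member accounts; drop suspended ones and the management account."""
    return [
        a["Id"]
        for a in accounts
        if a.get("Status") == "ACTIVE" and a["Id"] != management_account_id
    ]


def build_policy(account_ids, role_name=ROLE_NAME):
    """Build root_example_role's permissions policy with one explicit role ARN
    per member account (the per-account listing the second answer describes)."""
    resources = sorted(f"arn:aws:iam::{acct}:role/{role_name}" for acct in account_ids)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": resources}
        ],
    }


def fetch_accounts():
    """Page through organizations:ListAccounts with boto3 (needs credentials in
    the management account); returns (accounts, management_account_id)."""
    import boto3  # imported here so the pure helpers above run without boto3
    org = boto3.client("organizations")
    accounts = []
    for page in org.get_paginator("list_accounts").paginate():
        accounts.extend(page["Accounts"])
    management_id = org.describe_organization()["Organization"]["MasterAccountId"]
    return accounts, management_id


if __name__ == "__main__":
    accounts, management_id = fetch_accounts()  # use SAMPLE_ACCOUNTS, "111111111111" to try offline
    print(json.dumps(build_policy(active_member_ids(accounts, management_id)), indent=4))
```

IAM caps a managed policy document at 6,144 characters, so a large organization needs the Resource list split across several policies attached to root_example_role.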
