Issue
I've created a cross-account IAM role in one of my accounts (say account A) and would like to attach that role to an EC2 instance in another account (account B).
I tried creating a new role in account B with sts:AssumeRole pointing to the role in A and attached it to an EC2 instance in B. Doesn't seem to be working.
How can the EC2 instance assume the cross-account role in A?
Solution
You cannot attach a cross-account IAM role to an EC2 instance directly. And having the sts:AssumeRole permissions does not automatically make the one role assume into the other.
Instead:
- Create your cross-account role in Account A.
- Create an IAM role for EC2 instances in Account B. Give this role permissions to execute sts:AssumeRole.
- Assign the IAM role from #2 to your EC2 instance.
Then, when you want to access the AWS API from your EC2 instance:
- Execute sts:AssumeRole to assume the cross-account role for Account A, to obtain temporary credentials.
- Use those temporary credentials to execute the rest of your API methods.
Answered By - Matt Houser
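The setup and runtime steps from the answer above, as an added example that is not part of the original answer: the trust policy for the Account A role, the permission policy for the Account B instance role, and the AssumeRole call followed by a session built from the temporary credentials. Account IDs, role names and the session name are constructed placeholders, and boto3 is the assumed client library.

```python
# Added example of the steps in the answer above: the two IAM policies plus the runtime
# AssumeRole flow. Account IDs, role names and session name are constructed placeholders.
ACCOUNT_A = "111111111111"  # owns the cross-account role
ACCOUNT_B = "222222222222"  # owns the EC2 instance
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CrossAccountRole"
EC2_INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/Ec2InstanceRole"


def trust_policy_for_cross_account_role() -> dict:
    """Trust policy on the Account A role: only the Account B instance role may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": EC2_INSTANCE_ROLE_ARN},  # narrower than trusting ":root"
            "Action": "sts:AssumeRole",
        }],
    }


def permission_policy_for_instance_role() -> dict:
    """Policy on the Account B instance role: AssumeRole scoped to the one target role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": CROSS_ACCOUNT_ROLE_ARN,  # not "*"
        }],
    }


def assume_cross_account_role(sts_client, session_name="ec2-cross-account") -> dict:
    """Call AssumeRole with the instance's own credentials and return the temporary
    credentials as boto3 Session kwargs. sts_client is injected (normally
    boto3.client("sts")) so the flow can be exercised offline with a fake."""
    resp = sts_client.assume_role(
        RoleArn=CROSS_ACCOUNT_ROLE_ARN,
        RoleSessionName=session_name,
        DurationSeconds=3600,  # must not exceed the target role's max session duration
    )
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # temporary credentials need the token
    }


def session_for_account_a():
    """Session backed by the temporary credentials, e.g. session_for_account_a().client("s3")."""
    import boto3  # lazy import so the policy helpers run without boto3 installed
    return boto3.Session(**assume_cross_account_role(boto3.client("sts")))
```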