How can I troubleshoot and resolve the issue of “Cross account role”?

222    Asked by JordanDuncan in AWS , Asked on Apr 23, 2024

 I am currently working on a particular task that is related to setting up a cross-account role in AWS to allow an EC2 Instance in account A to access Resources in account B. However, when I was going with the setup, I encountered an error which was stating that “Cross account role is not allowed”. How can I troubleshoot and resolve this particular issue? 

Answered by Leonard Terry

In the context of AWS, here is how you can troubleshoot and resolve the issue:-

Checking the IAM trust relationship

You should check the IAM role trust relationship in account B. Try to ensure that it allows account A to assume the role.

Verify the permission policies

You should ensure that the IAM policies are attached to the role in account B so that you can grant the necessary permission for the EC2 Instance from account A to access the required resources.

IAM role ARN

You should double-check that you are using the appropriate IAM role ARN during the time of configuring the cross-account role in account A.

Verify the permission

You should make sure that the IAM users or roles that are attempting to assume the cross-account role in account A should have the appropriate permissions to assume the role.

Here is the example coding given of how you can create an IAM role in account B which would allow access to specific resources:-

Import com.amazonaws.auth.AWSStaticCredentialsProvider;
Import com.amazonaws.auth.BasicAWSCredentials;
Import com.amazonaws.regions.Regions;
Import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
Import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
Import com.amazonaws.services.identitymanagement.model.CreateRoleRequest;
Import com.amazonaws.services.identitymanagement.model.CreateRoleResult;
Import com.amazonaws.services.identitymanagement.model.PutRolePolicyRequest;
Public class CrossAccountRoleSetup {
    Public static void main(String[] args) {
        String accountBAccessKey = “YOUR_ACCOUNT_B_ACCESS_KEY”;
        String accountBSecretKey = “YOUR_ACCOUNT_B_SECRET_KEY”;
        String accountBRoleName = “CrossAccountRole”;
        String trustPolicy = “{”Version”:”2012-10-17”,”Statement”:[{”Effect”:”Allow”,”Principal”:{”AWS”:”arn:aws:iam::AccountA_ID:root”},”Action”:”sts:AssumeRole”}]}”;
        BasicAWSCredentials credentials = new BasicAWSCredentials(accountBAccessKey, accountBSecretKey);
        AmazonIdentityManagement iamClient = AmazonIdentityManagementClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(credentials))
                .withRegion(Regions.US_EAST_1)
                .build();
        CreateRoleRequest createRoleRequest = new CreateRoleRequest()
                .withRoleName(accountBRoleName)
                .withAssumeRolePolicyDocument(trustPolicy);
        CreateRoleResult createRoleResult = iamClient.createRole(createRoleRequest);
        // Attach policies to the role
        String policyName = “CrossAccountAccessPolicy”;
        String policyDocument = “{”Version”:”2012-10-17”,”Statement”:[{”Effect”:”Allow”,”Action”:”s3:GetObject”,”Resource”:”arn:aws:s3:::bucket-name/*”}]}”;
        PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest()
                .withRoleName(accountBRoleName)
                .withPolicyName(policyName)
                .withPolicyDocument(policyDocument);
        iamClient.putRolePolicy(putRolePolicyRequest);
        System.out.println(“Cross-account role created and policies attached successfully.”);
    }
}
Here is the same example given in python programming language:-
Import boto3
From botocore.exceptions import ClientError
# Create IAM client
Iam_client = boto3.client(‘iam’)
# Define variables
Account_b_access_key = ‘YOUR_ACCOUNT_B_ACCESS_KEY’
Account_b_secret_key = ‘YOUR_ACCOUNT_B_SECRET_KEY’
Account_b_role_name = ‘CrossAccountRole’
Account_a_id = ‘YOUR_ACCOUNT_A_ID’ # AWS Account ID of Account A
Bucket_name = ‘your-bucket-name’
# Create trust policy document
Trust_policy = {
    ‘Version’: ‘2012-10-17’,
    ‘Statement’: [
        {
            ‘Effect’: ‘Allow’,
            ‘Principal’: {
                ‘AWS’: f’arn:aws:iam::{account_a_id}:root’
            },
            ‘Action’: ‘sts:AssumeRole’
        }
    ]
}
# Create IAM role in Account B
Try:
    Create_role_response = iam_client.create_role(
        RoleName=account_b_role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy)
    )
    # Attach policy to the role
    Policy_name = ‘CrossAccountAccessPolicy’
    Policy_document = {
        ‘Version’: ‘2012-10-17’,
        ‘Statement’: [
            {
                ‘Effect’: ‘Allow’,
                ‘Action’: ‘s3:GetObject’,
                ‘Resource’: f’arn:aws:s3:::{bucket_name}/*’
            }
        ]
    }
    Iam_client.put_role_policy(
        RoleName=account_b_role_name,
        PolicyName=policy_name,
        PolicyDocument=json.dumps(policy_document)
    )
    Print(“Cross-account role created and policies attached successfully.”)
Except ClientError as e:
    Print(f”Error creating cross-account role: {e}”)

Your Answer

Interviews

Parent Categories