
Cross-account access is a feature provided by Amazon Web Services (AWS) that allows users to securely access resources and services in another AWS account. With cross-account access, organizations can grant permissions to trusted entities or external partners without the need for sharing credentials or creating separate accounts.

By using cross-account access, organizations can maintain better control over their resources while still allowing authorized users from other accounts to interact with those resources. This enables collaboration and simplifies management of multiple AWS accounts within an organization.

To establish cross-account access, the owner of the target account must set up an IAM role with specific permissions and trust relationships with the source account. The source account then grants permission to its users or roles to assume this IAM role in the target account.

Once cross-account access is established, users from the source account can assume roles in the target account and perform actions based on their assigned permissions. This provides a secure way for different accounts to work together seamlessly within an AWS environment.

Cross-account access is commonly used in scenarios such as:

  • Sharing data between multiple AWS accounts.

  • Centralized billing management across different business units.

  • Enabling third-party auditors or consultants to assess security controls.

  • Providing temporary administrative privileges for troubleshooting purposes.

In conclusion, cross-account access in AWS offers a flexible and secure solution for managing resources across multiple accounts. By leveraging this feature, organizations can enhance collaboration while maintaining strong security practices within their cloud infrastructure.

Make sure you have the Infoblox Account ID and External ID before creating the AWS role.

Cross account access through the AWS console

Complete the following steps to configure cross account access through the AWS console.

  1. Log in to the AWS account in which the role will be created.

  2. Go to IAM > Roles and click Create Role. Select the trusted entity type Another AWS account and enter the account ID of the Infoblox account (shown in the Cloud Services Portal as Principal ID). Enter the External ID shared by Infoblox (shown in the Cloud Services Portal as External ID). Using the External ID is mandatory. Click Next.

  3. Configure the Provider Type as IPAM/DHCP and Permissions Required as ReadOnlyAccess. Attach the permission policy and click Next.

  4. Enter the Role Name as infoblox_discovery.

You must use the Role Name infoblox_discovery exactly. Follow this step to avoid configuration issues.

The trust policy (Trusted entities) is shown as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "902917483333"
            },
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "3a3e47b7-c667-480f-83db-000000003114"
                }
            }
        }
    ]
}

  5. Click Create Role to create the role.

Add tags to the role as required by your organization's tagging rules.

Cross account access through AWS CLI

Complete the following steps to configure cross account access through the AWS CLI:

  1. Run the following command, using the role name shared by Infoblox and a trust policy document such as role.json:

aws iam create-role --role-name infoblox_discovery --assume-role-policy-document file://role.json

role.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "{Infoblox_Account_ID}"
            },
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "{External_ID shared by Infoblox}"
                }
            }
        }
    ]
}

After executing the above command, the role is created and the CLI prints output similar to the following:

{
    "Role": {
        "Path": "/",
        "RoleName": "infoblox_discovery",
        "RoleId": "AROAZBLM3PWBADSPQEKAY",
        "Arn": "arn:aws:iam::{your_account_id}:role/infoblox_discovery",
        "CreateDate": "2023-05-25T14:30:25+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "sts:AssumeRole",
                    "Principal": {
                        "AWS": "Infoblox_Account_ID"
                    },
                    "Condition": {
                        "StringEquals": {
                            "sts:ExternalId": "{External_ID shared by Infoblox}"
                        }
                    }
                }
            ]
        }
    }
}

  2. Attach the required permission policy (ReadOnlyAccess):

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name infoblox_discovery

The --role-name value is the role created above, that is, the name shared by Infoblox.

In this example, we attached the AWS managed ReadOnlyAccess policy, which grants read access to the entire account. You can instead attach a custom read-only policy that grants read access only to the resources that need to be discovered.
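Both procedures above (the console trust policy and role.json for the CLI) depend on the same two properties of the trust policy: the principal is exactly the Infoblox account and the sts:ExternalId condition is present. The following Python is an added example, not Infoblox's or AWS's code. It builds a trust policy with the same shape as role.json from an account ID and external ID, and audits an existing trust policy document for those two properties. The function names are my own, and the account ID and external ID values used in it are constructed placeholders.

```python
"""Build and audit an IAM trust policy for the infoblox_discovery role.

Added example (not Infoblox's or AWS's code). Assumes the trust policy shape
shown on this page: one Allow statement for sts:AssumeRole with a single AWS
account principal, guarded by an sts:ExternalId StringEquals condition.
The account ID and external ID below are constructed placeholders.
"""
import json
import re

# A bare AWS account ID is exactly 12 digits.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_trust_policy(principal_account_id: str, external_id: str) -> dict:
    """Return a trust policy dict equivalent to the page's role.json.

    Inputs are validated first so a typo cannot produce a policy that trusts
    the wrong account or carries an empty external ID.
    """
    if not ACCOUNT_ID_RE.match(principal_account_id):
        raise ValueError("principal account ID must be 12 digits")
    if not external_id or len(external_id) < 2:
        raise ValueError("external ID must be non-empty")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {"AWS": principal_account_id},
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return a list of findings; an empty list means the policy is as intended.

    Every Allow statement that grants sts:AssumeRole is checked for:
      - a principal that is the expected account only (no wildcard, no other
        account); AWS may store the principal as the bare account ID or as
        arn:aws:iam::<id>:root, and both forms are accepted
      - a non-empty sts:ExternalId StringEquals condition
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif p is None or expected_account_id not in str(p):
                findings.append(f"statement {i}: unexpected principal {p!r}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            findings.append(f"statement {i}: missing sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values, not real Infoblox identifiers.
    policy = build_trust_policy("111122223333", "example-external-id")
    print(json.dumps(policy, indent=4))
    print("findings:", audit_trust_policy(policy, "111122223333"))
```

To audit the role you actually created, fetch its trust policy with `aws iam get-role --role-name infoblox_discovery --query Role.AssumeRolePolicyDocument`, load the JSON with `json.loads`, and pass it to `audit_trust_policy` together with the Infoblox Principal ID from the Cloud Services Portal.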
