
There are two companies: Client and Contractor. Both have AWS accounts. I'm looking for a simple but secure way to give staff from the contractor team access to the client's AWS console. Yep, I'm on the Contractor's side.

The ways I can remember so far:

  • create a user in the Client's account and provide a login/password. As far as I know this is not recommended. Also, it can be a headache for a Contractor who has many clients to manage all the credentials, and it is quite uncomfortable to switch between accounts during the working day (the main reason).
  • federation. Possible pitfall: the client needs to add the federation provider; if the provider is the Contractor's AD then to me it does not look better than just creating an account. Using a 3rd (4th?) party identity provider (Google) does not look good to me because my paranoia protests against exposing the Contractor's credentials, meant for internal-only use, to a public BigBrother-like service. Perhaps I'm wrong or missing something here; I will be glad to hear your well-founded opinion.
  • use cross-account access (recommended).

The third one looks the most correct, but the problem is: so far I cannot find a ready-made way to do it. My findings: How to Use an External ID [...], Providing Access to AWS Accounts [...] and How to Enable Cross-Account Access to the Console. None of them is ready to use; rather, they give you an idea of where to move on. Also I know Rackspace has their own solution for this purpose but I was unable to find the code.

So I'll repeat: I'm looking for a simple but secure way to give staff from the contractor team access to the client's AWS console. I will be glad to save some effort and not reinvent the wheel. Do you know/have such a solution?

Putnik
  • At some point, you need to define the list of permissions to grant the IAM role you'd be using when setting up cross-account access. The quickest and dirtiest way to go is allowing full administrative access. Although I wouldn't consider this to be an answer to my problem, ... Note that even when creating a login/password on your customer's portal, identifying such permissions is still the first thing to do. My point being: what are you trying to do? – SYN Feb 26 '17 at 21:21
  • @SYN It's not a problem to define the list of permissions. I'm looking for a simple but secure way to give staff from the contractor team access to the client's AWS console. – Putnik Feb 27 '17 at 07:33
  • Then your third link pretty much covers it. Your customer has to proceed with task #1. AWS docs are more exhaustive than that blog post though: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html . I don't think there's a "simple" way to go about it, ... Then again, that's not over-complicated either, ... – SYN Feb 27 '17 at 10:21
  • @SYN the mentioned doc is good but I don't understand how to use the ExternalID there. The example is about two accounts of the same owner, unfortunately. – Putnik Feb 27 '17 at 18:38

1 Answer

To provide cross-account access you need a role in the client account, let's call it "contractor". Create this role in the client account with the permissions required, and in the AssumeRolePolicyDocument add:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {
      "AWS": ["arn:aws:iam::12345678910:user/contractor.user"]
    }
  }
}
```

where 12345678910 is the account ID of the contractor account.

Then when you log in to the contractor role you can select "Switch role" in the top right, type in the account name or ID for the client account, type in the role name "contractor", and boom.

Robo
  • Sorry, I don't understand the last part. If I'm logged in to 12345678910 already, then I have to type the same accID and the role name I've just created in the same account? – Putnik Mar 02 '17 at 17:57
  • The role is created in the client account. So you provide the client account ID. – Robo Mar 02 '17 at 19:27
  • Of course the client's, but if I'm already logged in, what is the sense? – Putnik Mar 02 '17 at 22:21
  • You log in to the contractor account, then switch to a role in the client account. – Robo Mar 02 '17 at 22:32
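A fuller version of the trust policy from this answer, added here as an example (it is not Robo's code nor anything published by AWS): it adds the sts:ExternalId condition that Putnik asked about in the question comments, and a small evaluator that imitates the trust check STS performs on AssumeRole, so you can see why a call from a trusted principal is still refused when the agreed ExternalId is missing. The account ID and user name are the ones from the answer; EXTERNAL_ID and the other caller ARNs are constructed placeholders.

```python
from typing import Optional

CONTRACTOR_ACCOUNT_ID = "12345678910"            # contractor account ID from the answer
CONTRACTOR_USER_ARN = f"arn:aws:iam::{CONTRACTOR_ACCOUNT_ID}:user/contractor.user"
EXTERNAL_ID = "example-external-id-placeholder"  # constructed; the client issues the real value out of band


def build_trust_policy(principal_arns: list, external_id: str) -> dict:
    """AssumeRolePolicyDocument for the client-side 'contractor' role. The
    sts:ExternalId condition addresses the confused-deputy problem: a contractor
    assuming roles for many clients cannot be tricked into assuming this role
    on behalf of a third party who knows only the role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arns},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Simplified evaluation of one AssumeRole call against the trust policy
    (explicit Allow only, no Deny handling): the caller must match a trusted
    principal (exact ARN, or any identity in the account when the principal is
    the account ':root') and must present the ExternalId the statement requires."""
    caller_account = caller_arn.split(":")[4]
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = stmt["Principal"]["AWS"]
        principals = principals if isinstance(principals, list) else [principals]
        trusted = any(
            p == caller_arn or (p.endswith(":root") and p.split(":")[4] == caller_account)
            for p in principals
        )
        if not trusted:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue  # wrong or missing ExternalId: STS refuses the call
        return True
    return False
```

In the console flow from the answer, "Switch role" has a field for the external ID as well; the CLI equivalent is the --external-id option of aws sts assume-role.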