
This is a little esoteric, but I need help folks!

So I have a corporate AWS account that holds my user permissions. The corporate account has a sub-account that is housing all Lab facilities (so think an AWS within an AWS). I've been given full access within the Lab, and I'm trying to configure my access key/secret keys and the various information within the lab.

I'm following this link: http://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-started.html

Which is to configure the PowerShell toolkit for AWS. I'm performing all this work on an EC2 instance within my Lab account. However, when all of the information appears correct, it would seem that I am still receiving access denied or other issues with credentials.

I've followed the set-credentials portion and verified that the default registered JSON file is being created with a StoreAs parameter. I suspect there is an issue because of the "shared credential" that may be required due to my account actually residing in the root corp account, but being passed by role to the sub-lab account. Has anybody found a way to do this? Or does anyone need more info that I could possibly provide?

I'm pulling my hair out and I suspect it may be just an access problem within the sub-account role.

Here's what it sort of looks like in the workflow:

[CorpAccount]
  |--->Myname
  |--->LabFullAccessRole
  |-------->[LabAccount]
              |-----> EC2 Instance
                       |-------> Local Powershell config with CORPAccount Role

It would be much appreciated if anyone with a similar setup could guide me through. My own coworkers are only experienced with the AWS CLI, and it is also experiencing issues.

Falcones
  • AWS doesn't have sub-accounts. They have peered VPCs, and consolidated billing. Users in one account can be granted access to another account. Suggest you work out your account and user structure then edit your post to clarify. I suspect most of what you've written above is largely irrelevant to the problem. – Tim Apr 10 '17 at 20:49
  • Apologies if I'm using the wrong verbiage. However, AWS absolutely can do accounts that are subordinate to each other. We have a root corporate account and another AWS account which is underneath the corporate account for billing. I was able to discover the issue. There is a role from the parent account "CorpAccount" which is created with MFA and full rights to the "LabAccount". This role must be assumed by PowerShell before you can run PowerShell commands at the "LabAccount" level. If I run just a PowerShell cmdlet for AWS without assuming the role, I get data from "CorpAccount". – Falcones Apr 15 '17 at 17:07
  • Further I believe this is what I'm trying to describe - http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html – Falcones Apr 15 '17 at 17:11
  • Further, I have been able to figure out that the PowerShell toolkit being updated provided me with new updates to "Set-AWSCredentials" and "Initialize-AWSDefaults", which now have a "-SourceProfile" option. I can create my primary account with the Access Key/Secret key and then assume the role to provide me full access to the LabAccount. However, I am now running into a problem where it is requesting my MFA token each time I run a command in PowerShell. The AWS CLI seems to cache the MFA token during a session; however, for PowerShell programmatic/automation I need to cache the MFA cred. – Falcones Apr 15 '17 at 17:17
  • Cross account access is a peering concept, rather than sub-accounts. It's a bit tough to ask for help when you don't know the names of things or the concepts fully. Consolidated billing doesn't create sub accounts either, it's just another relationship. Suggest you need to edit your question to more precisely describe your situation and problem, now you know a bit more of the language. – Tim Apr 15 '17 at 19:41
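One way to handle the per-command MFA prompt described in the comments is to call STS once with the MFA code, then load the returned temporary credentials into the current PowerShell session. This is an added example, not code from the post; the account IDs, role ARN, MFA serial and profile name are placeholders, and it assumes the AWSPowerShell module is installed on the EC2 instance.

```powershell
# Added example (not from the original post). Placeholders must be replaced
# with the real CorpAccount/LabAccount values before running.
Import-Module AWSPowerShell

# 1. Store the CorpAccount IAM user keys once as a named profile.
#    In older toolkit versions the cmdlet is named Set-AWSCredentials.
#    (Placeholder values; never hard-code real keys in a script.)
Set-AWSCredential -AccessKey 'AKIA_PLACEHOLDER' -SecretKey 'SECRET_PLACEHOLDER' -StoreAs 'corp'

# 2. Assume the cross-account role a single time, presenting the MFA code.
$roleArn   = 'arn:aws:iam::<LAB-ACCOUNT-ID>:role/LabFullAccessRole'   # placeholder
$mfaSerial = 'arn:aws:iam::<CORP-ACCOUNT-ID>:mfa/Myname'              # placeholder
$token     = Read-Host -Prompt 'MFA code'

$assumed = Use-STSRole -ProfileName 'corp' `
                       -RoleArn $roleArn `
                       -RoleSessionName "lab-$env:USERNAME" `
                       -SerialNumber $mfaSerial `
                       -TokenCode $token `
                       -DurationInSeconds 3600

# 3. Make the short-lived credentials the session default. Every later cmdlet
#    uses them until they expire, so MFA is entered once, not per command.
$c = $assumed.Credentials
Set-AWSCredential -AccessKey $c.AccessKeyId `
                  -SecretKey $c.SecretAccessKey `
                  -SessionToken $c.SessionToken

# 4. Confirm the calls now land in the LabAccount rather than the CorpAccount.
Get-STSCallerIdentity | Select-Object Account, Arn
"Temporary credentials expire at $($c.Expiration)"
```

When the session credentials expire, only step 2 onward needs to be repeated; the long-lived keys never leave the stored profile.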

0 Answers