
I have two AWS accounts, let's say A and B.

In account B, I have a role defined that allows access to another role from account A. Let's call it Role-B.

{
  "Version": "2012-10-17",
  "Statement": [
  {
     "Effect": "Allow",
     "Principal": {
         "AWS": "arn:aws:iam::********:role/RoleA"
     },
    "Action": "sts:AssumeRole"
  }]
}

In account A, I have defined a role that allows the root user to assume the role. Let's call it Role-A.

{
  "Version": "2012-10-17",
  "Statement": [
  {
     "Effect": "Allow",
     "Principal": {
         "AWS": "arn:aws:iam::********:root"
     },
    "Action": "sts:AssumeRole"
  }]
}

Role A has the following policy attached to it:

{
  "Version": "2012-10-17",
  "Statement": [
  {
     "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::****:role/RoleB",
     "Effect": "Allow"
  }]
}

As a user in account A, I assumed Role-A. Now, using these temporary credentials, I want to assume Role-B and access the resources owned by account B. I have the code below:

import boto3

# INTERMEDIARY_IAM_ROLE_ARN and CUSTOMER_IAM_ROLE_ARN are defined elsewhere

# First hop: uses the default credentials of the process
client = boto3.client('sts')

firewall_role_object = client.assume_role(
    RoleArn=INTERMEDIARY_IAM_ROLE_ARN,
    RoleSessionName=str("default"),
    DurationSeconds=3600)

firewall_credentials = firewall_role_object['Credentials']

# STS client built from the first hop's temporary credentials
firewall_client = boto3.client(
    'sts',
    aws_access_key_id=firewall_credentials['AccessKeyId'],
    aws_secret_access_key=firewall_credentials['SecretAccessKey'],
    aws_session_token=firewall_credentials['SessionToken'], )

# Second hop: assume the target role with the intermediary session
optimizely_role_object = firewall_client.assume_role(
    RoleArn=CUSTOMER_IAM_ROLE_ARN,
    RoleSessionName=str("default"),
    DurationSeconds=3600)

print(optimizely_role_object['Credentials'])

This code works for the set of roles I got from my client, but it does not work for the roles I defined between two of the AWS accounts I have access to.

Johan
Prashant

  • Can anyone clarify how the A/B roles are matched with INTERMEDIARY_IAM_ROLE_ARN and CUSTOMER_IAM_ROLE_ARN? Which is which? – user1655072 Jan 12 '21 at 17:31
  • I think he runs this code on a box that has Role A associated with it, then assumes Role B (INTERMEDIARY_IAM_ROLE_ARN) and then assumes Role C (CUSTOMER_IAM_ROLE_ARN). – GwenM Nov 23 '22 at 15:24

1 Answer

Finally got this working. The above configuration is correct. There was a spelling mistake in the policy.

I will keep this question here, for it may help someone who wants to achieve double-hop authentication using roles.

Prashant

  • This was really helpful, thank you. I presume you fixed the spelling mistake in the policy. :-) – pcurry Oct 26 '17 at 18:21
  • Thank you very much. After hours trying random solutions I found your answer :) – Fábio Paiva Jan 17 '21 at 15:42
  • Thank you, that really helped me. I got the problem: I was stuck with a MalformedPolicyDocument: Has prohibited field Resource error when I should have been using a Principal statement instead! This helped :) – Alex Sep 07 '22 at 21:11
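As an added example (not code from the question, the answer, or AWS), a small Python checker that walks the three policies in the shape the question uses and reports why the second hop would fail: a misspelled principal ARN in Role-B's trust policy (the spelling mistake the answer mentions), a missing sts:AssumeRole grant on Role-A, or a Resource field in a trust policy (the MalformedPolicyDocument error from the last comment). The account ids and the Role-A sample policies are constructed placeholders.

```python
# Constructed placeholder ids standing in for the masked account numbers on the page.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/RoleA"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/RoleB"

def _as_list(v):  # IAM accepts a string or a list in Action, Resource and Principal fields
    return [v] if isinstance(v, str) else list(v or [])

def trusted_principals(trust_policy):
    """AWS principals that an Allow statement in a trust policy lets call sts:AssumeRole."""
    found = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        if "Resource" in st:  # a trust policy names a Principal, never a Resource; IAM rejects it
            raise ValueError("MalformedPolicyDocument: Has prohibited field Resource")
        p = st.get("Principal", {})
        found.update(_as_list(p.get("AWS") if isinstance(p, dict) else p))
    return found

def assumable_roles(permission_policy):
    """Role ARNs a permission policy allows the session to call sts:AssumeRole on."""
    found = set()
    for st in permission_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            found.update(_as_list(st.get("Resource")))
    return found

def check_double_hop(role_a_trust, role_a_perms, role_b_trust):
    """Problems with the account A -> RoleA -> RoleB chain; an empty list means it lines up."""
    problems = []
    # Hop 1: a principal in account A assumes RoleA, whose trust policy allows the account root.
    if f"arn:aws:iam::{ACCOUNT_A}:root" not in trusted_principals(role_a_trust):
        problems.append("RoleA trust policy does not allow account A principals")
    # Hop 2 crosses accounts: RoleA must be allowed to call AssumeRole on RoleB AND RoleB must trust RoleA's exact ARN.
    if ROLE_B_ARN not in assumable_roles(role_a_perms):
        problems.append("RoleA permission policy does not allow sts:AssumeRole on RoleB")
    if ROLE_A_ARN not in trusted_principals(role_b_trust):
        problems.append(f"RoleB trust policy does not name {ROLE_A_ARN} (check spelling)")
    return problems

def trust(principal):  # constructed trust policy in the same shape as the question's
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]}

ROLE_A_TRUST = trust(f"arn:aws:iam::{ACCOUNT_A}:root")
ROLE_A_PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Action": "sts:AssumeRole", "Resource": ROLE_B_ARN}]}
ROLE_B_TRUST_OK = trust(ROLE_A_ARN)
ROLE_B_TRUST_TYPO = trust(f"arn:aws:iam::{ACCOUNT_A}:role/Role-A")  # one stray character
```

Running `check_double_hop(ROLE_A_TRUST, ROLE_A_PERMS, ROLE_B_TRUST_TYPO)` reports the mismatched Role-B principal, while the same call with `ROLE_B_TRUST_OK` returns an empty list.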