5

So this is what I want to do: I have 3 different accounts, account A, account B and account C.

I start in a role in account A. This role is allowed to assume another role in account B. This role in account B is allowed access to describe s3 buckets in account C.

This is where my question comes in. Will I be able to describe the buckets in account C by first assuming a role in account B, then, using this credential, assuming a role in account C to describe the 3 buckets?

I was thinking of possibly using STS twice. Would this be viable? I do realise this was possible with two accounts in another question. But would this be possible with three different accounts?

Would something like the example in this question work? How to assume an AWS role from another AWS role?

My doubt is about the identity that is sent to account C: would it be that of account A or account B?
Account C currently has a role that allows only account B to assume it, and account B has a role that only allows account A to access it.

C0d3ine
  • It would be easy enough to try this. Just ensure that each assuming role has permissions to assume the necessary assumed role (which has permission for the resources needed, like S3 buckets). – jarmod Jan 24 '19 at 21:39
  • What are you _actually_ trying to achieve? There might be a better way to do it. For example, a bucket in Account B can grant access to a user/role in Account A. You could configure things so that one set of credentials can access buckets in all three accounts. – John Rotenstein Jan 25 '19 at 01:39
  • I've added a bit to the end of the question to be more specific. – C0d3ine Jan 25 '19 at 10:59

2 Answers

11

Yes. You can assume a role from an assumed role.

Account C would have a role that trusts account B. Account B would have a role that trusts account A.

Each role would also have to have permissions for sts:AssumeRole on the role that account is assuming.

Account A's role can sts:AssumeRole on Account B's role, and trusts EC2 or your IAM user or whatever.

Account B's role can sts:AssumeRole on Account C's role, and trusts Account A.

Account C's role can s3:ListBuckets and trusts Account B.

cementblocks
  • My doubt is about the identity that is sent to account C: would it be that of account A or account B? – C0d3ine Jan 25 '19 at 10:59
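The three roles described in this answer, written out as IAM policy documents, with a small local checker that walks the chain hop by hop. This is an added example, not code from the answer or from AWS: the account IDs, role names and the evaluator are constructed for illustration, and the evaluator only considers the Allow statements it generates (no explicit Deny, Condition keys, permission boundaries or SCPs). The bucket-listing action is written as s3:ListAllMyBuckets, which is the IAM action name for what the answer calls s3:ListBuckets. The point the checker makes is the one the commenter asked about: at the second hop the caller is B's role, so C only ever has to trust B.

```python
"""Policy documents for the A -> B -> C role chain described above.
Account IDs, role names and the evaluator are constructed for this example."""
import json
from typing import Optional

ACCOUNT_A, ACCOUNT_B, ACCOUNT_C = "111111111111", "222222222222", "333333333333"
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/StartRole"      # where account A starts (EC2 or a user)
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/HopRole"        # middle hop
ROLE_C = f"arn:aws:iam::{ACCOUNT_C}:role/BucketReader"   # final hop, lists buckets


def trust_policy(principal: dict) -> dict:
    """Role trust (assume-role) policy: who may call sts:AssumeRole on the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}


def allow_assume(next_role_arn: str) -> dict:
    """Identity policy scoped to exactly one downstream role rather than Resource '*'."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": next_role_arn}]}


LIST_BUCKETS = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}

# Each role trusts only the previous hop and may assume only the next one.
ROLES = {
    ROLE_A: {"trust": trust_policy({"Service": "ec2.amazonaws.com"}), "permissions": allow_assume(ROLE_B)},
    ROLE_B: {"trust": trust_policy({"AWS": ROLE_A}), "permissions": allow_assume(ROLE_C)},
    ROLE_C: {"trust": trust_policy({"AWS": ROLE_B}), "permissions": LIST_BUCKETS},
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def can_assume(permissions: dict, role_arn: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole on role_arn (or on '*')."""
    return any(s["Effect"] == "Allow"
               and "sts:AssumeRole" in _as_list(s["Action"])
               and (role_arn in _as_list(s["Resource"]) or "*" in _as_list(s["Resource"]))
               for s in permissions["Statement"])


def trusts(trust: dict, caller_role_arn: str) -> bool:
    """True if the trust policy names the caller's role ARN as an AWS principal."""
    return any(s["Effect"] == "Allow"
               and caller_role_arn in _as_list(s.get("Principal", {}).get("AWS", []))
               for s in trust["Statement"])


def check_chain(roles: dict, chain: list) -> Optional[str]:
    """Walk the hops; return a description of the first broken hop, or None if all pass.

    Simplified evaluator: only the Allow statements generated above are considered;
    explicit Deny, Condition keys, permission boundaries and SCPs are ignored."""
    for caller, target in zip(chain, chain[1:]):
        if not can_assume(roles[caller]["permissions"], target):
            return f"{caller} has no sts:AssumeRole on {target}"
        # The identity the target sees is the caller's role, not the chain's origin.
        if not trusts(roles[target]["trust"], caller):
            return f"{target} does not trust {caller}"
    return None


if __name__ == "__main__":
    for arn, docs in ROLES.items():
        print(arn, json.dumps(docs, indent=2))
    print("A->B->C:", check_chain(ROLES, [ROLE_A, ROLE_B, ROLE_C]))  # None: every hop is permitted
    print("A->C:  ", check_chain(ROLES, [ROLE_A, ROLE_C]))          # A has no path straight to C
```

Scoping each sts:AssumeRole statement to the single next role ARN (instead of `"Resource": "*"`) keeps the blast radius of a compromised hop to the one role it was meant to reach, and the trust policies are the place to review when auditing who can ultimately list buckets in account C.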
3

When you assume a role, you give up your current identity and permissions and assume a new identity and new permissions - not additional permissions.

If your goal is to have access to three buckets, then your assumed role needs access to those three buckets.

John Hanley
  • But can I achieve this with the role in account C having permission to allow STS with the ID of account B only? – C0d3ine Jan 25 '19 at 10:58
  • I am not sure what you asked. You must grant permission to call assume role. You also have to set up the `Trust Relationship` for the role in account B that says account C can assume the role in account B. The role in Account C only needs assume role permission as a minimum. – John Hanley Jan 25 '19 at 20:22
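The mechanics of calling STS twice, and the point this answer makes about identity being replaced rather than accumulated, as an added example that is not part of either answer. The `chain_assume` function signs each AssumeRole call with the temporary credentials returned by the previous hop; the `FakeSTS` class, the ARNs, the session name and the trust table are constructed stand-ins so the example runs offline, while `boto3_sts` is the factory you would pass instead against real AWS (it uses only `boto3.client("sts")` and the `assume_role` call, which exist with those names).

```python
"""Role chaining with two STS calls, demonstrated offline.
The FakeSTS service, ARNs, trust table and session names are constructed for this example."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ROLE_A = "arn:aws:iam::111111111111:role/StartRole"      # constructed placeholders
ROLE_B = "arn:aws:iam::222222222222:role/HopRole"
ROLE_C = "arn:aws:iam::333333333333:role/BucketReader"


@dataclass(frozen=True)
class Credentials:
    access_key: str
    secret_key: str
    session_token: str


def chain_assume(make_sts: Callable, role_arns: List[str], session_name: str) -> List[Credentials]:
    """Assume each role in turn, signing every AssumeRole call with the credentials
    returned by the previous hop. make_sts(None) must return a client for the starting
    identity (the role in account A); make_sts(creds) one that signs with creds."""
    creds: Optional[Credentials] = None
    hops: List[Credentials] = []
    for arn in role_arns:
        resp = make_sts(creds).assume_role(RoleArn=arn, RoleSessionName=session_name)
        c = resp["Credentials"]
        creds = Credentials(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"])
        hops.append(creds)  # from here on the caller *is* this role; nothing from earlier hops carries over
    return hops


# ---- offline stand-in for the STS service (constructed for this example) ----------------
TRUST = {ROLE_B: ROLE_A, ROLE_C: ROLE_B}   # role -> the only role whose sessions it trusts
IDENTITIES = {None: ROLE_A}                # access key -> role the credentials belong to (None = start)
CALLS: List[Tuple[str, str]] = []          # (caller role, target role) for every AssumeRole seen


class FakeSTS:
    """Mimics the two boto3 STS behaviours the chain relies on: the caller is whoever
    signed the request, and a role is granted only to a caller its trust policy names."""

    def __init__(self, creds: Optional[Credentials]):
        self.caller = IDENTITIES[creds.access_key if creds else None]

    def assume_role(self, RoleArn: str, RoleSessionName: str) -> dict:
        CALLS.append((self.caller, RoleArn))
        if TRUST.get(RoleArn) != self.caller:
            raise PermissionError(f"AccessDenied: {RoleArn} does not trust {self.caller}")
        key = f"ASIAFAKE{len(IDENTITIES):08d}"   # constructed key id
        IDENTITIES[key] = RoleArn                # the new credentials identify as the target role only
        return {"Credentials": {"AccessKeyId": key, "SecretAccessKey": "fake", "SessionToken": "fake"}}


def boto3_sts(creds: Optional[Credentials]):
    """Real-AWS factory for chain_assume; boto3 is imported here so the offline demo needs no SDK."""
    import boto3
    if creds is None:
        return boto3.client("sts")   # starting identity from the environment/instance profile
    return boto3.client("sts", aws_access_key_id=creds.access_key,
                        aws_secret_access_key=creds.secret_key, aws_session_token=creds.session_token)


if __name__ == "__main__":
    hops = chain_assume(FakeSTS, [ROLE_B, ROLE_C], "bucket-audit")
    print("AssumeRole calls seen:", CALLS)          # [(A, B), (B, C)]: C sees B's role, never A's
    print("final identity:", IDENTITIES[hops[-1].access_key])
    try:
        chain_assume(FakeSTS, [ROLE_C], "bucket-audit")  # skipping B: C trusts only B's sessions
    except PermissionError as e:
        print(e)
```

Two operational points follow from this shape. AWS caps a chained session (a role assumed with credentials that themselves came from AssumeRole) at one hour regardless of the role's configured maximum, so a long-running job has to re-run the chain. And in account C's CloudTrail the AssumeRole event names B's role session as the caller, with the RoleSessionName you passed, which is why a descriptive session name is worth setting: it is what a defender in account C will see when tracing who listed the buckets.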