0

I am trying to load S3 data from Account A Bucket into an RDS instance in account B. I cannot use Resource policy. It needs to be done only using IAM roles.

I have a Role created in Account A and it has access to the S3 Bucket. I have a Role created in Account B which allows Assume Role from Account A.

How do I use these to load Data from Account A to Account B?

  • What if you give the role in account B permission to access the bucket, in both a policy attached to the role, and in the bucket policy? Wouldn't that work? – Michael - sqlbot Sep 25 '19 at 02:45

1 Answer

0

You will need to write a custom loader because you need to assume 2 roles at the same time.

One way would be to create 2 programs that pipe the data.

$ read_bucket | write_rds

The read_bucket script would assume the Account A role and read the contents from the bucket. It would then print the data to stdout.

The write_rds script would assume the Account B role and read the contents from stdin and then write to RDS.

You can do this all inside one program because when you assume a role you get back a set of temporary credentials that you include with each API request. Here is another answer specifically on temporary credentials.

WaltDe
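The single-program approach described in the answer above, as an added example that is not part of the original answer: each role is assumed separately and its temporary credentials stay in their own session. Assumptions: the role ARNs are constructed placeholders, the calling identity may assume both roles, the RDS instance has IAM database authentication enabled, and `write_rows` is a hypothetical callable that wraps your database driver.

```python
# Constructed placeholder ARNs; substitute the two roles from the question.
ROLE_A = "arn:aws:iam::111111111111:role/ExampleS3Reader"
ROLE_B = "arn:aws:iam::222222222222:role/ExampleRdsLoader"


def assume(sts, role_arn, session_name, make_session):
    """Call sts:AssumeRole and bind the temporary credentials to a new session."""
    c = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                        DurationSeconds=900)["Credentials"]
    # All three values must travel together; the session token marks them temporary.
    return make_session(aws_access_key_id=c["AccessKeyId"],
                        aws_secret_access_key=c["SecretAccessKey"],
                        aws_session_token=c["SessionToken"])


def read_lines(session_a, bucket, key):
    """Stream the object line by line using only the account A session."""
    body = session_a.client("s3").get_object(Bucket=bucket, Key=key)["Body"]
    for raw in body.iter_lines():
        yield raw.decode("utf-8")


def db_token(session_b, host, port, user):
    """Short-lived RDS IAM auth token signed with the account B session."""
    return session_b.client("rds").generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=user)


def load(sts, make_session, bucket, key, host, port, user, write_rows):
    """Read with role A, authenticate to RDS with role B, pass rows to write_rows.

    write_rows(token, rows) is hypothetical: it should open a TLS connection to
    the database using the token as the password and insert each row.
    """
    a = assume(sts, ROLE_A, "read-bucket", make_session)
    b = assume(sts, ROLE_B, "write-rds", make_session)
    token = db_token(b, host, port, user)
    return write_rows(token, read_lines(a, bucket, key))
```

With boto3 installed, pass `boto3.client("sts")` as `sts` and `boto3.Session` as `make_session`. The two sessions never share credentials, so the S3 read and the RDS token each appear in CloudTrail under their own role session name.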