Can I do this?: Manage policy in one environment and attach that policy to roles in another environment

I am managing in an AWS multi-account environment. I would like to define policy in one of those accounts/environments. I would like to be able to attach those policies to roles defined in another account/environment.

I am struggling with how to create a policy that enables iam:AttachRolePolicy policy that can define the role resources that an sts:AssumeRole can then attach to a locally defined role.

Could someone kindly explain this or point me to the relevant resources to sort this out? I suspect this is partly an issue of not knowing quite what I am looking for to put together a proper search.

Thanks in advance.

Does this help? Allow cross-account users to access your resources through IAM | AWS re:Post

Thanks for the response.

I am successfully using sts:AssumeRole with accessing other shared resources across accounts. I do not believe there is an issue here with not having the credentials.

I believe the issue I am struggling with is a chicken and egg issue… ie That the managed policy defined in my identity management account cannot know what the resource arns are for the roles that are being created in another account. That other account is trying to attach the policy managed by the identity account to the local role that has created an EC2 instance for example, and wants to attach the managed policy.

My question remains, can this be done?

I am not sure if you can do that based on how STS works. IAM policies are tied to a specific account and I don’t think you can attach a policy from one account to a principal (users, roles) in another account. The most you can do is assuming a IAM role in another account, which you confirmed you can already do.

Your other option is to maybe look at attribute-based access control (ABAC). I believe it can also be configured in IAM Identity Center in an SSO scenario, which is desirable in a multi-account environment.

Thanks for the pointer to ABAC. I still don’t think this helps me accomplish my goal of centrally managing IAM policy and using that policy in other accounts. Could be that this is just not possible but I would think this would be a desirable goal for any organization that is using a multi-account environment.

Well, IAM Identity Center technically is for this purpose and it’s pretty standard. In the management account, you manage manage permission sets which you can then attach to accounts in the organizations for users and groups in the identity store (usually via a SAML 2.0 IDP).

It’s just that I’ve not seen a scenario, based on my limited experience, that would go as far as assigning permissions to specific individual resources. You’d usually assign permissions at a higher level (by service, resource type, etc.) or you can use ABAC and tags for a more generic approach.

Perhaps you can look more into IAM Identity Center and see if you can tune permission sets in such a way that fits your needs.

To be more specific about what I am trying to do…

I am deploying EC2 instances in production and development environments. Each in their own Organizational Unit managed in Identity Center. These aws_instance resources need an iam_instance_profile= assigned to the instance in order to manage access to things like S3 buckets that provide software that needs to be installed on those instances or Ansible state files that need to be applied to that instance role.

In another account, which manages identity related AWS resources, I’ve defined roles and policies and have attached those policies to the respective roles for the S3 resources mentioned above.

In the development or production accounts, I’ve tried to create an aws_iam_instance_profile using outputs from the identity account that manages these IAM policies and roles, but the role does not exist by name in the local account where I am deploying the EC2 instances and therefore fails.

resource "aws_iam_instance_profile" "nat_server_profile" {
  name = "nat-server-profile"
  role = data.terraform_remote_state.identity.outputs.aws_iam_role["nat_server_role_name"]
}

If I instead create the aws_iam_role locally in the development or production accounts, I am unable to attach the managed policies in the identity account to the locally defined role.

So I am trying to duplicate as little code as possible and manage these policies in a central place but I have yet to find the magic to allow me to do this. Seems this would be a very common requirement.

I am not confident that you can truly achieve this requirement because IAM is just not designed for this type of cross-account use. You’d probably need a process to help you automate the creation of these policies.

You could, for example, have a TF config that creates IAM policies and roles in workload accounts, which you apply to different environment by passing in different variables. Or you could have one multi-provider TF config that helps you create the resources across all accounts.

It really depends on your IaC design. As the discussion is now more about automation approach and not specifically the Terraform AWS Provider, I will leave things here unless someone else wants to chime in. Hope this helps a little.