Hi,
I have two AWS accounts:
- root - 111111111111: Only IAM groups and users are kept
- stag - 222222222222: No IAM groups or users, only other services such as S3, RDS, SQS etc.
Using the configurations below, this is what I do.
In AWS UI I manually:
- Create an IAM trust policy devops_stag_perms (e.g. S3 full access) in stag account
- Create an IAM role devops in stag account
- Attach devops_stag_perms and devops together in stag account
Then I run $ terraform apply to:
- Create an IAM group devops in root account
- Create an IAM user john in root account
- Make john part of devops group in root account
- Create an IAM policy devops_assume_stag_role in root account that assumes devops role in stag
So far john can assume devops role in stag account to list S3 buckets (of course after using john’s credentials with role_arn in AWS CLI config). However, please carry on reading …
AWS CLI
# .aws/config
[profile default]
region = eu-west-1
output = json
role_session_name = admin-in-root-account
# .aws/credentials
[default]
aws_access_key_id = ADMIN_IN_ROOT_ACCOUNT_KEY
aws_secret_access_key = ADMIN_IN_ROOT_ACCOUNT_SEC
main.tf
terraform {
  required_version = "~> 1.2.6"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.30.0"
    }
  }
}
provider "aws" {
  profile = "default"
  region  = "eu-west-1"
}
policy.tf
resource "aws_iam_policy" "devops_assume_stag_role" {
  name        = "devops-assume-stag-role"
  description = "Allows devops group to assume role in stag account."
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : "sts:AssumeRole",
        "Resource" : "arn:aws:iam::222222222222:role/devops"
      }
    ]
  })
}
resource "aws_iam_group_policy_attachment" "devops_group_stag_role_link" {
  group      = aws_iam_group.devops.name
  policy_arn = aws_iam_policy.devops_assume_stag_role.arn
}
group.tf
resource "aws_iam_group" "devops" {
  name = "devops"
}
resource "aws_iam_user" "john" {
  name          = "john"
  force_destroy = true
}
resource "aws_iam_user_group_membership" "john" {
  user = aws_iam_user.john.name
  # The group resource is named "devops" above; "aws_iam_group.john" does not exist.
  groups = [aws_iam_group.devops.name]
}
This is what I need help with please
I need to get rid of the manual steps that I listed above and add them to the Terraform configuration. If I do, the trust policy and role (the ones at the bottom) are created in the root account, not in the stag account. Due to that, I then get the error below when using the AWS CLI config below.
# .aws/config
[profile default]
region = eu-west-1
output = json
role_session_name = john
role_arn = arn:aws:iam::222222222222:role/devops
# .aws/credentials
[default]
aws_access_key_id = JOHN_KEY
aws_secret_access_key = JOHN_SEC
$ aws sts get-caller-identity
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/john is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/devops
I know I will have to add this to the config but, as I said, I definitely need some sort of refactoring of the current configs above. Maybe some provider and aws_caller_identity like stuff, but I am a beginner in Terraform so I am a bit lost.
resource "aws_iam_role" "devops" {
  name        = "devops"
  description = "Trusts devops group assume role in stag account."
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : "sts:AssumeRole",
        "Principal" : {
          "AWS" : "arn:aws:iam::111111111111:root"
        },
        "Condition" : {}
      }
    ]
  })
}
resource "aws_iam_policy" "devops_stag_perms" {
  name        = "devops-stag-perms"
  description = "Grants devops group permissions in stag account."
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : "s3:*",
        "Resource" : "arn:aws:s3:::*"
      }
    ]
  })
}
resource "aws_iam_role_policy_attachment" "devops_stag" {
  role       = aws_iam_role.devops.name
  policy_arn = aws_iam_policy.devops_stag_perms.arn
}
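The usual way to have one `terraform apply` create resources in both accounts is a second, aliased `aws` provider that authenticates to the stag account, with the stag-side resources pointing at it via `provider = aws.stag`. The following is an added example and not the poster's configuration: it assumes a second CLI profile named `stag-admin` holding credentials (or an `assume_role` block for an existing bootstrap role) valid in account 222222222222; that profile name is an assumption. It also uses the `aws_caller_identity` data source so the trust policy and the assume-role policy are derived from the providers rather than hard-coded, and references the role's ARN across providers so the two accounts cannot drift apart.

```hcl
# Added example, not the poster's code. The "stag-admin" profile is an
# assumption: it must hold credentials that are valid in the stag account.

# Default provider: the root account (111111111111), where IAM users live.
provider "aws" {
  profile = "default"
  region  = "eu-west-1"
}

# Aliased provider: the stag account (222222222222), where the role lives.
provider "aws" {
  alias   = "stag"
  profile = "stag-admin" # assumed profile name
  region  = "eu-west-1"
}

# Resolve each account ID from the credentials instead of hard-coding it.
data "aws_caller_identity" "root" {}
data "aws_caller_identity" "stag" {
  provider = aws.stag
}

# ----- stag account: role, permissions, attachment (replaces the UI steps) -----
resource "aws_iam_role" "devops" {
  provider    = aws.stag
  name        = "devops"
  description = "Assumable from the root account; gated by the group policy there."
  # IAM groups cannot be trust-policy principals, so the role trusts the root
  # account as a whole and the identity policy in root decides who may assume it.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.root.account_id}:root" }
    }]
  })
}

resource "aws_iam_policy" "devops_stag_perms" {
  provider    = aws.stag
  name        = "devops-stag-perms"
  description = "Grants the devops role its permissions in the stag account."
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "s3:*"
      Resource = "arn:aws:s3:::*"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "devops_stag" {
  provider   = aws.stag
  role       = aws_iam_role.devops.name
  policy_arn = aws_iam_policy.devops_stag_perms.arn
}

# ----- root account: group, user, membership, and the assume-role policy -----
resource "aws_iam_group" "devops" {
  name = "devops"
}

resource "aws_iam_user" "john" {
  name          = "john"
  force_destroy = true
}

resource "aws_iam_user_group_membership" "john" {
  user   = aws_iam_user.john.name
  groups = [aws_iam_group.devops.name]
}

resource "aws_iam_policy" "devops_assume_stag_role" {
  name        = "devops-assume-stag-role"
  description = "Allows the devops group to assume the devops role in stag."
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      # Cross-provider reference: always the ARN of the role created above.
      Resource = aws_iam_role.devops.arn
    }]
  })
}

resource "aws_iam_group_policy_attachment" "devops_group_stag_role_link" {
  group      = aws_iam_group.devops.name
  policy_arn = aws_iam_policy.devops_assume_stag_role.arn
}
```

With this layout the AccessDenied in the question goes away because the role and its trust policy now exist in 222222222222 while john and the assume-role policy stay in 111111111111. Because the trust policy admits the whole root account, the group attachment in root is the only thing restricting who can assume the role, so keep that policy narrow; if the CLI profile for john sets `mfa_serial`, the trust policy can additionally require `"aws:MultiFactorAuthPresent" = "true"` under a `Bool` condition.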