Automating Cross-Account IAM Roles in AWS cloud

Raji Krishnamoorthy


source : Dall-E

“Why don’t we just make the bucket public temporarily?” It’s the kind of shortcut that used to echo in conference rooms, but now resonates in team calls when deadlines loom and pressure mounts. Someone says it, and the meeting goes quiet for a moment—because deep down, everyone knows it’s a bad idea, but it feels like the fastest solution. And so, with a few clicks, a treasured jewel transforms into a shared legacy.


Cross-Account IAM Roles

Think of an AWS IAM role as a character in a play. The role comes with a specific script (permissions) that defines what the character can and cannot do. In a play, anyone can step into a character, put on the costume, and act out the part—but only for as long as they are on stage.


Similarly, an IAM role isn’t tied to a single person. Instead, it can be assumed by any entity – be it a person or an AWS service that needs to play that part. While in the role, the entity gets temporary credentials—like props on stage—to carry out specific actions. Once the curtain falls (or the session ends), the role is no longer active, and the temporary credentials vanish.


In AWS, this means you can grant temporary, controlled permissions to entities to perform tasks, without handing out permanent access keys or any form of credentials. It’s secure, flexible, and ensures everyone stays in character when accessing your resources.


When do we need cross-account IAM roles?

Cross-account IAM roles come handy when:

  • Teams in different AWS accounts need temporary access to shared resources (like S3 buckets).

  • You want to avoid the security risks of making resources public.

  • You want fine-grained control over permissions.

 


source : Dall-E

Instead of saying, “Let’s just make it public; after all, it’s only for a few days”, you can say, “Let’s provision a cross-account IAM role and define only the permissions needed”. This way, your resources can be shared securely and delight in the joy of being protected while still being useful.


An attempt to simplify cross-account IAM role creation


Creating cross-account IAM roles often requires writing Infrastructure as Code (IaC) templates, writing AWS Lambda functions, or navigating the AWS Management Console, all of which can be time-consuming. To streamline and accelerate the setup of IAM resources for cross-account access—both in the owner and requestor accounts—I developed a Python application with Streamlit to make the process more efficient and user-friendly.



Fig : Streamlit app calling Lambdas to manage the cross account IAM resources

Features of this application

  1. Resource Discovery:

    • Automatically fetches AWS resource ARNs in the owner account.

    • Allows you to pick the specific resource you want to share.

  2. Permission Selection:

    • Displays available IAM permissions for the selected resource.

    • Helps you choose only the permissions you need to grant.

  3. Secure Role Creation:

    • Generates a cross-account IAM role in the owner account with the selected permissions.

    • Includes optional support for an External ID for additional security.

  4. Requestor Account Setup:

    • Automates the creation of IAM policies and roles in the requestor account to assume the cross-account role securely.


How It Works

The application leverages Lambda Function URLs to perform key tasks:

  • Fetching resource ARNs and available permissions.

  • Creating IAM resources in both owner and requestor accounts.


Streamlit Interface

The interface guides users through these steps:

  1. Select a Resource: Start by fetching and selecting the resource you want to share.

  2. Define Permissions: Choose the permissions the requestor account should have.

  3. Create the Role: Enter the requestor account ID and optional External ID to generate the role in the owner account.

  4. Set Up the Requestor Account: Configure the requestor account to assume the cross-account role using service principals like s3.amazonaws.com or ec2.amazonaws.com.
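The four policy documents that steps 3 and 4 above produce, as an added Python example that is not part of the post's Streamlit app or its Lambda functions; the account IDs, bucket ARN, role name and External ID are constructed sample values:

```python
# Constructed sample values (assumptions for this example, not from the post)
OWNER_ACCOUNT = "111111111111"
REQUESTOR_ACCOUNT = "222222222222"
ROLE_NAME = "CrossAccountS3ReadRole"
BUCKET_ARN = "arn:aws:s3:::shared-reports-bucket"
ACTIONS = ["s3:GetObject", "s3:ListBucket"]
EXTERNAL_ID = "example-external-id-42"
POLICY_VERSION = "2012-10-17"


def owner_trust_policy(requestor_account, external_id=None):
    """Owner-account trust policy: only the requestor account, with the agreed External ID if set."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{requestor_account}:root"}}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": POLICY_VERSION, "Statement": [stmt]}

def owner_permission_policy(resource_arn, actions):
    """Permissions scoped to the one shared resource and the chosen actions.
    S3 object-level actions (GetObject etc.) also need the bucket/* ARN."""
    resources = [resource_arn]
    if resource_arn.startswith("arn:aws:s3:::"):
        resources.append(resource_arn + "/*")
    return {"Version": POLICY_VERSION, "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resources}]}

def requestor_trust_policy(service_principal):
    """Requestor-side role trusted by an AWS service, e.g. ec2.amazonaws.com."""
    return {"Version": POLICY_VERSION, "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": service_principal}}]}

def requestor_assume_policy(owner_account, role_name):
    """Lets the requestor role assume exactly one owner-account role, not any."""
    return {"Version": POLICY_VERSION, "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{owner_account}:role/{role_name}"}]}

def no_wildcards(policy):
    """Guard to run before creating anything: reject '*' principals/resources."""
    for s in policy["Statement"]:
        principal = s.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            return False
        res = s.get("Resource", [])
        if "*" in (res if isinstance(res, list) else [res]):
            return False
    return True
```

Each dict is what goes (JSON-encoded) into the `AssumeRolePolicyDocument` of the role and the `PolicyDocument` of its inline policy; the `no_wildcards` guard catches a trust policy that would let any AWS account assume the role.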


Get Started

  1. Download the Streamlit app code from the GitHub repository.

  2. Set up the Streamlit app in your Python environment.

  3. Download the Lambda function code and create all the Lambda functions in the source (owner) AWS account, except “FnCreateRequestorAccountIAMResources”, which needs to be created in the requestor account.

  4. I created Lambda Function URLs for the above Lambda functions; these URLs need to be updated in the Streamlit app.


The code is designed to be straightforward and easy to understand, currently supporting S3, EC2, Lambda, and RDS resource types. It is also flexible, allowing you to customize and extend it to meet your specific requirements. I hope this serves as a good starting point and inspires you to enhance it further by adding more features.


Happy Coding
