How can I chain AWS IAM AssumeRole API calls?
There are a number of AWS accounts which I don't control. I've had the account owners deploy an IAM Role, TrustingSecurityAuditor
, into their accounts which grants the right to assume the TrustingSecurityAuditor
role to a different IAM role in my AWS account, TrustedSecurityAuditor
. (Docs on delegating access)
This works great and allows me and my security team to provide security auditing services to these other account holders in the company. To do this we spin up an ec2 instance with the TrustedSecurityAuditor
IAM role and our code requests temporary credentials from each of the accounts using STS by doing an AssumeRole
to each account's TrustingSecurityAuditor
role.
Now I want to create an additional service running on a different ec2 instance in my account which can not only assume the role of these "Trusting" accounts, but also do other things in my account, like access my account's DynamoDB to store information.
If I apply the TrustedSecurityAuditor
role to the instance I don't have the local permissions I need (like DynamoDB access).
I can't apply multiple IAM roles to an instance (unless I'm mistaken).
When I attempt to create a new role, MyNewService
, with DynamoDB access that can AssumeRole
to the TrustedSecurityAuditor
role in hopes of then using those STS credentials to do a second AssumeRole
to the TrustingSecurityAuditor
role in the foreign account I encounter this problem :
I'm able to AssumeRole
from the MyNewService
role to the TrustedSecurityAuditor
role, but when I do the second AssumeRole
to the TrustingSecurityAuditor
role AWS returns the error
User: arn:aws:sts::123456789012:assumed-role/TrustedSecurityAuditor/MyNewService is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/TrustingSecurityAuditor
The reason for this is that the "user" attempting the AssumeRole
is
arn:aws:sts::123456789012:assumed-role/TrustedSecurityAuditor/MyNewService
not
arn:aws:sts::123456789012:assumed-role/TrustedSecurityAuditor
What this implies is that you can not chain your AssumeRole
s because the ARN that a call originates from, when it comes from an assumed role is not the assumed role alone, but the assumed role with the assumer's rolename stuck on the end.
One solution which I'm reluctant to use is that I could just add the permissions I need, for example the ability to use DynamoDB to the TrustedSecurityAuditor
role. The reason I'm reluctant is that I only need this permission on the MyNewService
instance, not on my original instance which only does security auditing and has no need to access DynamoDB.
Any suggestions how to accomplish what I'm looking for?
Scenario:
- AccountA - your account
- AccountB - customer account
- RoleA - Your account role to access DynamoDB, call STS, etc.
- RoleB - TrustedSecurityAuditor role in AccountB
You will need to manage two sets of credentials. Credentials A which are created from the IAM role assigned to the EC2 instance. Use these credentials to access your resources such as DynamoDB. Credentials B which are created via STS from RoleB. Use these credentials to access your customers resources.
You will then need to independently use the credentials based upon what you want to do. For example if you are using Python you would create two boto3 clients with different credentials.