How to execute aws ec2 describe-instances for different account

Assuming we have two AWS accounts, Account-A and Account-B, and an EC2 instance running in Account-A.

aws ec2 describe-instances works as expected for the instance's own account, using the instance role, without a ~/.aws/credentials file.

My goal is to run aws ec2 describe-instances for Account-B from this instance.

The following command works and outputs credentials:

$ aws sts assume-role --role-arn arn:aws:iam::012345678901:role/accountb-role --role-session-name test

However, this does not:

$ aws ec2 describe-instances --profile AccountB

'aws_access_key_id'

~/.aws/config

[default]
region = us-east-1

[profile AccountB]
role_arn = arn:aws:iam::012345678901:role/accountb-role
source_profile = default

As I mentioned, ~/.aws/credentials does not exist as the instance uses an instance role for IAM.

accountb-role Trust Relationship Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012345678900:role/accounta-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

instance inline policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490625590000",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::012345678901:role/accountb-role"
            ]
        }
    ]
}

Both the accounta-role instance role and accountb-role also have the stock ReadOnlyAccess IAM policy attached.


Solution 1:

If anyone is still interested in the answer: you have to save the AWS credentials in order to use AccountB between these calls:

aws sts assume-role --role-arn arn:aws:iam::012345678901:role/accountb-role --role-session-name test

<< save aws_access_key_id, aws_secret_access_key, AWS_SESSION_TOKEN here>>

You then call

aws configure --profile AccountB

to make sure you have them set up. Also, AWS_SESSION_TOKEN can expire after some time.

aws ec2 describe-instances --profile AccountB

This article explains it in detail.
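The procedure in Solution 1 (assume the role, capture the temporary credentials, store them as a named profile, then call the CLI with --profile) can be scripted so the keys are never pasted by hand. The following is an added example, not code from the original question or answer: it parses the JSON that aws sts assume-role prints, writes the three keys into a credentials file as the AccountB profile with owner-only permissions, and reports how long the session token remains valid, since the answer notes that it expires. The role ARN and profile name come from the page; the sample assume-role output embedded below is constructed for offline use and contains no real credentials.

```python
"""Store temporary assume-role credentials as an AWS CLI profile (added example)."""
import configparser
import json
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Values taken from the question.
ROLE_ARN = "arn:aws:iam::012345678901:role/accountb-role"
PROFILE = "AccountB"
DEFAULT_CREDENTIALS_PATH = Path.home() / ".aws" / "credentials"

# Constructed sample of what `aws sts assume-role` prints (not real credentials).
SAMPLE_ASSUME_ROLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "EXAMPLESECRETKEYDONOTUSE0000000000000000",
    "SessionToken": "EXAMPLESESSIONTOKEN",
    "Expiration": "2017-03-27T14:00:00Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:test",
    "Arn": "arn:aws:sts::012345678901:assumed-role/accountb-role/test"
  }
}"""


def parse_assume_role_output(text):
    """Map the STS JSON response onto the keys the CLI credentials file expects."""
    creds = json.loads(text)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def _parse_iso(ts):
    # STS prints either "...Z" or "...+00:00"; normalise to an aware datetime.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def seconds_until_expiry(creds, now_iso=None):
    """Seconds the session token remains valid (negative once expired)."""
    now = _parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    return int((_parse_iso(creds["expiration"]) - now).total_seconds())


def write_profile(credentials_path, profile, creds):
    """Write the temporary keys into [profile] of the credentials file, keeping other profiles."""
    path = Path(credentials_path)
    cp = configparser.ConfigParser()
    if path.exists():
        cp.read(path)
    cp[profile] = {
        k: creds[k]
        for k in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")
    }
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cp.write(fh)
    path.chmod(0o600)  # the file now holds secrets; owner read/write only
    return dict(cp[profile])


def read_profile(credentials_path, profile):
    """Read a profile back, as `aws --profile` would see it."""
    cp = configparser.ConfigParser()
    cp.read(credentials_path)
    return dict(cp[profile])


def assume_role_via_cli(role_arn, session_name="test"):
    """Run the same command as the answer and return its stdout (requires the aws CLI)."""
    out = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn,
         "--role-session-name", session_name, "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    # `--sample` uses the constructed output so the script can be tried without AWS access.
    text = SAMPLE_ASSUME_ROLE_OUTPUT if "--sample" in sys.argv else assume_role_via_cli(ROLE_ARN)
    c = parse_assume_role_output(text)
    write_profile(DEFAULT_CREDENTIALS_PATH, PROFILE, c)
    print(f"profile {PROFILE} written; token valid for {seconds_until_expiry(c)} s")
    print(f"now run: aws ec2 describe-instances --profile {PROFILE}")
```

Run with --sample to see the file layout without contacting AWS; without it the script calls the CLI exactly as the answer does and then aws ec2 describe-instances --profile AccountB works until the token expires, at which point it must be rerun. Note also that the config file in the question can avoid the manual step entirely: the CLI supports `credential_source = Ec2InstanceMetadata` in the [profile AccountB] section in place of `source_profile = default`, which tells it to obtain the source credentials from the instance role and perform the assume-role call itself on every invocation.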