How can I troubleshoot and resolve the issue of “Cross account role”?

24 Asked by JordanDuncan in AWS , Asked on Apr 23, 2024

I am currently working on a particular task that is related to setting up a cross-account role in AWS to allow an EC2 Instance in account A to access Resources in account B. However, when I was going with the setup, I encountered an error which was stating that “Cross account role is not allowed”. How can I troubleshoot and resolve this particular issue?

Answered by Leonard Terry

In the context of AWS, here is how you can troubleshoot and resolve the issue:-

Checking the IAM trust relationship

You should check the IAM role trust relationship in account B. Try to ensure that it allows account A to assume the role.

Verify the permission policies

You should ensure that the IAM policies are attached to the role in account B so that you can grant the necessary permission for the EC2 Instance from account A to access the required resources.

IAM role ARN

You should double-check that you are using the appropriate IAM role ARN during the time of configuring the cross-account role in account A.

Verify the permission

You should make sure that the IAM users or roles that are attempting to assume the cross-account role in account A should have the appropriate permissions to assume the role.

Here is the example coding given of how you can create an IAM role in account B which would allow access to specific resources:-

Import com.amazonaws.auth.AWSStaticCredentialsProvider;

Import com.amazonaws.auth.BasicAWSCredentials;

Import com.amazonaws.regions.Regions;

Import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;

Import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;

Import com.amazonaws.services.identitymanagement.model.CreateRoleRequest;

Import com.amazonaws.services.identitymanagement.model.CreateRoleResult;

Import com.amazonaws.services.identitymanagement.model.PutRolePolicyRequest;

Public class CrossAccountRoleSetup {

    Public static void main(String[] args) {

        String accountBAccessKey = “YOUR_ACCOUNT_B_ACCESS_KEY”;

        String accountBSecretKey = “YOUR_ACCOUNT_B_SECRET_KEY”;

        String accountBRoleName = “CrossAccountRole”;

        String trustPolicy = “{”Version”:”2012-10-17”,”Statement”:[{”Effect”:”Allow”,”Principal”:{”AWS”:”arn:aws:iam::AccountA_ID:root”},”Action”:”sts:AssumeRole”}]}”;

        BasicAWSCredentials credentials = new BasicAWSCredentials(accountBAccessKey, accountBSecretKey);

        AmazonIdentityManagement iamClient = AmazonIdentityManagementClientBuilder.standard()

                .withCredentials(new AWSStaticCredentialsProvider(credentials))

                .withRegion(Regions.US_EAST_1)

                .build();

        CreateRoleRequest createRoleRequest = new CreateRoleRequest()

                .withRoleName(accountBRoleName)

                .withAssumeRolePolicyDocument(trustPolicy);

        CreateRoleResult createRoleResult = iamClient.createRole(createRoleRequest);

        // Attach policies to the role

        String policyName = “CrossAccountAccessPolicy”;

        String policyDocument = “{”Version”:”2012-10-17”,”Statement”:[{”Effect”:”Allow”,”Action”:”s3:GetObject”,”Resource”:”arn:aws:s3:::bucket-name/*”}]}”;

        PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest()

                .withRoleName(accountBRoleName)

                .withPolicyName(policyName)

                .withPolicyDocument(policyDocument);

        iamClient.putRolePolicy(putRolePolicyRequest);

        System.out.println(“Cross-account role created and policies attached successfully.”);

    }

}

Here is the same example given in python programming language:-

Import boto3

From botocore.exceptions import ClientError

# Create IAM client

Iam_client = boto3.client(‘iam’)

# Define variables

Account_b_access_key = ‘YOUR_ACCOUNT_B_ACCESS_KEY’

Account_b_secret_key = ‘YOUR_ACCOUNT_B_SECRET_KEY’

Account_b_role_name = ‘CrossAccountRole’

Account_a_id = ‘YOUR_ACCOUNT_A_ID’  # AWS Account ID of Account A

Bucket_name = ‘your-bucket-name’

# Create trust policy document

Trust_policy = {

    ‘Version’: ‘2012-10-17’,

    ‘Statement’: [

        {

            ‘Effect’: ‘Allow’,

            ‘Principal’: {

                ‘AWS’: f’arn:aws:iam::{account_a_id}:root’

            },

            ‘Action’: ‘sts:AssumeRole’

        }

    ]

}

# Create IAM role in Account B

Try:

    Create_role_response = iam_client.create_role(

        RoleName=account_b_role_name,

        AssumeRolePolicyDocument=json.dumps(trust_policy)

    )

    # Attach policy to the role

    Policy_name = ‘CrossAccountAccessPolicy’

    Policy_document = {

        ‘Version’: ‘2012-10-17’,

        ‘Statement’: [

            {

                ‘Effect’: ‘Allow’,

                ‘Action’: ‘s3:GetObject’,

                ‘Resource’: f’arn:aws:s3:::{bucket_name}/*’

            }

        ]

    }

    Iam_client.put_role_policy(

        RoleName=account_b_role_name,

        PolicyName=policy_name,

        PolicyDocument=json.dumps(policy_document)

    )

    Print(“Cross-account role created and policies attached successfully.”)

Except ClientError as e:

    Print(f”Error creating cross-account role: {e}”)

How can I troubleshoot and resolve the issue of “Cross account role”?

Your Answer