I'm trying to set up a cross-account role access where an EC2 instance in Account A needs to assume a role in Account B. So, I understand I need to do two things: first, grant permission in Account A's role to allow it to assume the role in Account B via the Permissions policy. Then, I need to define a trust policy for the role in Account B that specifies which role or entity in Account A can assume it. I'm confused about what that trust policy should look like. Is allowing the root of Account A a good option, or should I restrict it to just the specific EC2 instance role? What's the best practice here?
3 Answers
Hey! For your situation, the trust policy to allow Account A's role to assume the role in Account B should look something like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allowRoleAssumptionFromAccountA",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTANUMBER:role/RoleName"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
This specifies the role rather than just the root, which is a safer option.
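A small check in the spirit of this answer, added here as an example rather than code from the post: it parses a trust policy document and flags any `sts:AssumeRole` principal broader than a specific role (account root, a bare account ID, a wildcard, or a role from an account other than the one you expect). The account numbers, role names and Sids are constructed placeholders.

```python
import json

# Constructed sample trust policies (placeholders, not real accounts).
TRUST_POLICY_ROLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "fromRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/Ec2InstanceRole"},
        "Action": "sts:AssumeRole",
    }],
})
TRUST_POLICY_ROOT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "fromRoot",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})


def audit_trust_policy(policy_json: str, expected_account: str) -> list:
    """Return a list of findings; an empty list means every AssumeRole
    principal is a specific IAM role in the expected account."""
    findings = []
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        sid = stmt.get("Sid", "<no sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not (
                {"sts:AssumeRole", "sts:*", "*"} & set(actions)):
            continue  # not an allow for AssumeRole; nothing to assess
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"{sid}: wildcard principal")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                findings.append(f"{sid}: wildcard principal")
            elif p.endswith(":root") or p.isdigit():   # whole account trusted
                findings.append(f"{sid}: account-wide principal {p}")
            elif ":role/" in p and p.split(":")[4] != expected_account:
                findings.append(f"{sid}: role from unexpected account {p.split(':')[4]}")
            elif ":role/" not in p:
                findings.append(f"{sid}: non-role principal {p}")
    return findings
```

The check only looks at the Principal element; a root principal narrowed by a Condition block would still be reported, which is intentional here because the answer's point is to name the role rather than the account.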
Just to clarify, you should go with the ARN of the actual role. The trust policy is about roles, not sessions. If you want to avoid using root, definitely use the role ARN format, like this: "arn:aws:iam::ACCOUNTANUMBER:role/RoleName". It helps maintain better access control!
I'd recommend sticking with your initial approach. It’s generally clearer to specify the role directly instead of using the root. Plus, if you want to limit permissions to just that specific EC2 instance, that’s the proper route!

Thanks for confirming! I wanted to make sure I was understanding the concepts correctly.