GreenerSoftware / IntroPage

MIT License

AWS access to different 'member accounts' within our Organisation #4

Closed markhk67 closed 1 month ago

markhk67 commented 2 months ago

As an existing user in the kiehlmann AWS account, I want to be able to switch role and access any of the other GreenerSoftware accounts, so that I can do so without the need for additional IAM User credentials (like I set up with david.carboni)

https://personalmhk.atlassian.net/wiki/spaces/MK/pages/1362034690/Establish+remote+access+to+other+AWS+accounts+with+additional+IAM+User+credentials

https://www.youtube.com/watch?v=BfE2G-fsBNU

markhk67 commented 2 months ago

The AWS documentation to support this is below: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

NB By default the "Switch Role" OrganizationAccountAccessRole is only available for 1 hour...


davidcarboni commented 2 months ago

To switch role in the CLI, you can set up a profile.

StackOverflow answer: https://serverfault.com/a/933083/130018

Example:

[kiehlmann]
aws_access_key_id = AK.............
aws_secret_access_key = xxxxxxxxxxxxxxxxxxx
[alwayson]
role_arn = arn:aws:iam::637423416545:role/OrgAccAccessRole_NS_AlwaysOn 
source_profile = kiehlmann
[timebound]
role_arn = arn:aws:iam::851725449784:role/OrganizationAccountAccessRole
source_profile = kiehlmann
[fullyresponsive]
role_arn = arn:aws:iam::471112586809:role/OrganizationAccountAccessRole
source_profile = kiehlmann

You then set an AWS_PROFILE environment variable to switch between roles.
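
An added example, not part of the original comment or the project's code: a small Python audit of a credentials file laid out like the one above. It reports which account and role each profile assumes, whether its `source_profile` resolves, and where long-lived keys or role assumption without MFA appear. The profile names, account IDs and key in `SAMPLE` are constructed placeholders, and the plain `[name]` section layout of the credentials file is assumed.

```python
import configparser
import re

# Constructed sample in the same layout as the credentials file above;
# account IDs, role names and the key are placeholders, not real values.
SAMPLE = """\
[base]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder-secret
[member-a]
role_arn = arn:aws:iam::111122223333:role/OrganizationAccountAccessRole
source_profile = base
[member-b]
role_arn = arn:aws:iam::444455556666:role/OrganizationAccountAccessRole
source_profile = missing
mfa_serial = arn:aws:iam::999999999999:mfa/example-user
"""

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def audit_profiles(text):
    """Return {profile: [findings]} for an AWS CLI credentials file."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for name in cfg.sections():
        sec, findings = cfg[name], []
        if "aws_access_key_id" in sec:
            findings.append("long-lived access key stored on disk")
        if "role_arn" in sec:
            m = ROLE_ARN.match(sec["role_arn"].strip())
            if not m:
                findings.append("role_arn is not a valid IAM role ARN")
            else:
                findings.append(f"assumes {m.group(2)} in account {m.group(1)}")
            src = sec.get("source_profile")
            if src is None and "credential_source" not in sec:
                findings.append("no source_profile or credential_source")
            elif src is not None and not cfg.has_section(src):
                findings.append(f"source_profile '{src}' is not defined")
            if "mfa_serial" not in sec:
                findings.append("no mfa_serial: role is assumed without MFA")
        report[name] = findings
    return report


if __name__ == "__main__":
    for profile, findings in audit_profiles(SAMPLE).items():
        for f in findings:
            print(f"{profile}: {f}")
```
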

markhk67 commented 1 month ago

Successful for David and Rory.