There are two accounts: cfire(own the resources) and luchofire(external account)
Each account has a defined user with limited access definitions
The exercise is to access billing on cfire. Billing info can be accessed only by users with proper permissions
and this applies even to users defined in same account owning the resources, cfire in this case.
The following descriptions allows users to access billing information for:
a) user in cfire (Assign priviledge to internal user pool)
b) user in luchofire (User cross-account access)
For either case the operation is two-fold:
1) Root/elevated user assigns sts::assumeRole to specific limited-user indicating what resource which in this case is a specific ARN role
2) cfire account defines a role which has proper policy to access billing. For this exercise:
2.1) cfile limited-user assumes a role that permits billing RO access
2.2) luchofile limited-user assumes a role that permits billing RW access
Two additional steps to complete the flow so for both limited-user to access billing:
1) To do only once: Root account in cfire needs to enable access to Billing via IAM roles
2) Each limited-user needs to initiate switch-role flow in the AWS Console to define what account and what role to swtich to.
Next describes relevant users, roles and permissions per account.
====================================
Roles in 924300192870 alias cfire(MASTER)
USERS ROLES
cm-ui AdministratorAccess, assumeRoleBillingRO
NOTE: cm-ui can create roles but assumeRole can only be attached by root or user with proper IAM role management
ROLES Assigned to Account NOTE
cfire-ro-billing-role 924300192870 View only: RO
cfire-rw-billing-role 824370033741 Full access: RW
assumeRoleBillingRO
REFERENCE: [GOLD] https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
OVERVIEW
==================================== Roles in 924300192870 alias cfire(MASTER)
USERS ROLES cm-ui AdministratorAccess, assumeRoleBillingRO NOTE: cm-ui can create roles but assumeRole can only be attached by root or user with proper IAM role management
ROLES Assigned to Account NOTE cfire-ro-billing-role 924300192870 View only: RO cfire-rw-billing-role 824370033741 Full access: RW assumeRoleBillingRO
POLICIES BillingViewAccess Effect: allow, actions: [Custom RO] Resource: BillingFullAccess Effect: allow, actions: [Custom RW] Resource: assumeRoleBillingRO Effect: allow, actions: sts::AssumeRole Resource: "arn:aws:iam::924300192870:role/cfire-ro-billing-role"
Switch role info in dialog prompt Acc: 924300192870 Role name: cfire-ro-billing-role Cross-account session name: viewBilling
==================================== Account 824370033741 alias luchofire(SLAVE)
USERS ROLES cm-dev-main-ui assumeRoleBillingRW-cfire, AdministratorAccess, AmazonS3FullAccess, AmazonSESFullAccess, IAMReadOnlyAccess, AWSElementalMediaStoreFullAccess
ROLES None relevant
POLICIES assumeRoleBillingRW-cfire Effect: allow, actions: sts::AssumeRole Resource: "arn:aws:iam::924300192870:role/cfire-rw-billing-role"
Switch role info in dialog prompt Acc: 924300192870 Role name: cfire-rw-billing-role Cross-account session name: meBilling99