What we want to achieve is giving IAM users that are members of a group in AWS Account B access to a folder in an S3 bucket in Account A, using a cross-account IAM role. The folder to which the IAM user in Account B needs access is a folder with the same name as the IAM user in Account B. Exceptions need to be possible, both from Account A and from Account B. Not necessarily both at the same time, since the setup will be different; I do realize that.
We have Account B, which has IAM users in a group with an IAM policy that gives them the right to assume a role defined in Account A. The role in Account A has Account B as a trusted entity.
What is already set up and working?
- I have an IAM policy in Account A with a role defined that is linked to a trusted identity (= Account B).
- I have a test.user1 in Account B that has the correct assume-role rights for the role in Account A that can access the bucket.
- Accessing this bucket works in the console using the 'Switch Role' option, but the access is too wide at the moment.
I will provide an article to the selected person through Toogit chat.
What still needs to be done? What are the deliverables for this job?
- Make it work in the AWS CLI using the assume-role option. I haven't managed to get that working yet.
- Fine-tune the IAM policy to make sure the users in Account B can only write new objects, nothing else.
- Make sure user test.user1 can only write in folder test.user1, using the IAM policy variable 'aws:username'.
- Figure out how to create extra policies in Account A so that users in Account B can have access to additional folders, and test it.
- Figure out how to create extra policies in Account B so that users in Account B can have access to additional folders, and test it.
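One caveat a practitioner would raise against the deliverables above before building anything: the `aws:username` policy variable is only populated when the principal is an IAM user. Once the Account B user has assumed the role in Account A, the S3 request is made by a role session, whose request context carries `aws:userid` ("role unique ID:session name") and any session tags, but no `aws:username`; a resource ARN built on `${aws:username}` therefore never matches and every PutObject is denied. The user name can still be bound to the folder, because at AssumeRole time the caller is still the IAM user: the trust policy can require that a session tag passed by the caller equals `${aws:username}`, and the role's permission policy can then key the folder on `${aws:PrincipalTag/username}`. The example below (added by the editor; not code from the posting, from Toogit or from AWS) builds the three policy documents for that pattern, the matching `aws sts assume-role` CLI call, and a small evaluator that shows the username-keyed policy failing inside the role session while the tag-keyed one works. Account IDs 111111111111 and 222222222222, the bucket `example-bucket`, the role `S3UserFolderWriter`, the tag key `username` and the request contexts are all assumptions; only the user name test.user1 comes from the posting.

```python
"""Added worked example (editor's code, not from the posting or AWS docs):
policy documents for the cross-account per-user-folder setup plus a tiny
evaluator showing why ${aws:username} is unusable inside the role session.
Assumed: accounts 111111111111 (A, bucket owner) and 222222222222 (B, users),
bucket example-bucket, role S3UserFolderWriter, session tag key 'username'."""
import fnmatch
import json
import re

ACCOUNT_A = "111111111111"  # assumed: owns the bucket and the role
ACCOUNT_B = "222222222222"  # assumed: owns the IAM group and users
BUCKET = "example-bucket"   # assumed bucket name
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/S3UserFolderWriter"
TAG_KEY = "username"        # assumed session tag key

def account_b_group_policy():
    """Identity policy on the group in Account B. sts:TagSession is needed
    because the user passes a session tag when assuming the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:AssumeRole", "sts:TagSession"],
        "Resource": ROLE_ARN}]}

def account_a_trust_policy():
    """Trust policy of the role. At AssumeRole time the caller is still the
    Account B IAM user, so ${aws:username} resolves here; the condition pins
    the session tag to the caller's own name, so nobody can claim another folder."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
        "Condition": {"StringEquals": {f"aws:RequestTag/{TAG_KEY}": "${aws:username}"}}}]}

def account_a_role_policy(extra_prefixes=()):
    """Permission policy of the role: PutObject only, under the folder named by
    the session tag. extra_prefixes are folders every session may also write to
    (the exceptions granted from the Account A side)."""
    resources = [f"arn:aws:s3:::{BUCKET}/${{aws:PrincipalTag/{TAG_KEY}}}/*"]
    resources += [f"arn:aws:s3:::{BUCKET}/{p}/*" for p in extra_prefixes]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:PutObject", "Resource": resources}]}

def username_keyed_role_policy():
    """What the posting asks for literally: the folder keyed on aws:username.
    Kept only to show that it never matches inside a role session."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/${{aws:username}}/*"}]}

def assume_role_command(username):
    """The AWS CLI call the Account B user runs (aws sts assume-role accepts
    --tags Key=...,Value=...); the returned credentials are then exported."""
    return ["aws", "sts", "assume-role", "--role-arn", ROLE_ARN,
            "--role-session-name", username,
            "--tags", f"Key={TAG_KEY},Value={username}"]

def _resolve(template, ctx):
    """Substitute ${...} policy variables from the request context. A variable
    absent from the context makes the statement unmatchable, as in AWS."""
    for key in re.findall(r"\$\{([^}]+)\}", template):
        if key not in ctx:
            return None
        template = template.replace("${" + key + "}", ctx[key])
    return template

def put_allowed(policy, ctx, bucket, key):
    """Minimal evaluator for the Allow statements above (no Deny and no
    Condition handling): may this session s3:PutObject the given object?"""
    target = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "s3:PutObject" not in actions:
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            pattern = _resolve(res, ctx)
            if pattern is not None and fnmatch.fnmatchcase(target, pattern):
                return True
    return False

def trust_condition_holds(caller_username, requested_tag):
    """The trust-policy StringEquals check as evaluated at AssumeRole time,
    where the caller is the IAM user and ${aws:username} is populated."""
    return requested_tag == _resolve("${aws:username}", {"aws:username": caller_username})

# Constructed request context of the assumed-role session: AWS sets aws:userid
# to "<role unique id>:<session name>" and session tags as aws:PrincipalTag/<key>;
# aws:username is NOT present for role principals.
ROLE_SESSION_CTX = {"aws:userid": "AROAEXAMPLEROLEID:test.user1",
                    f"aws:PrincipalTag/{TAG_KEY}": "test.user1"}

if __name__ == "__main__":
    for name, doc in [("account-b-group", account_b_group_policy()),
                      ("account-a-trust", account_a_trust_policy()),
                      ("account-a-role", account_a_role_policy(["shared"]))]:
        print(f"# {name}\n{json.dumps(doc, indent=2)}")
    print(" ".join(assume_role_command("test.user1")))
```

Two points follow from the model. First, because the tag has to travel with the AssumeRole call, keep the explicit `aws sts assume-role --tags ...` invocation and export the returned AccessKeyId, SecretAccessKey and SessionToken, rather than relying on a `role_arn`/`source_profile` named profile. Second, Account B cannot widen what the role in Account A grants; an Account B policy only decides which of its users may assume which role. "Exceptions from Account B" therefore mean a second role in Account A (or extra prefixes on this one, as `extra_prefixes` shows) that only a subset of Account B's users are allowed to assume, while "exceptions from Account A" are extra `Resource` entries in the role's permission policy.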
Important remark: I need someone who has done this before and really understands it thoroughly, or someone who has the time and has two AWS accounts to set it up in a test.
About the recruiter: Iain R., member since May 20, 2018, from Scotland, United Kingdom.