Lab 3: AWS IAM Assume Role example | aws cross account assume role

Captions
Hello everyone. Today I will discuss the assume role example. Basically it has two types: single AWS account assume role, and two AWS account assume role, like I'm having a user in one AWS account and I want to assume a role in account B. In the first video I have already created the IAM user, the role and all these things, so that is already created, and this is the second one. I will show you the complete practical of how to do that, so let's start.

So this is the situation. This is the one AWS account assume role example. I have an IAM user. I need to add the assume role permission to the IAM user, generate the assume role credentials, set the creds and access the same account's buckets. This IAM user doesn't have S3 permissions. This role, I want to assume this role; for the IAM role I modified the trust relationship (I will show you the complete practical), and this role has the S3 permissions. I just want to give you this brief; just go through it, set your mind, and accordingly we will go.

So go to this. What we want is assume role. I have already created the assume-role user, and I have created a role. How to create these and all these things is in one prior video, so you can go through it on my channel. So I have created an assume-role user, and this is having, like, a second B, like my two accounts. Let me first show you add permissions. I have already created this role policy; this is my managed policy for the same account. I'll show you what is inside it: this policy has the permissions, effect allow, STS assume role, the action is assume role, and to whom we can assume, the terraform role. This is in the same account. Go to this, and inside the role section this is the terraform role we have created, and what modification: this is the managed policy, S3 full access, EC2 and all. If you want, as per your requirement you can add a custom one; I have used AWS managed.

So what exactly I want is to assume this role through this user, through this assume-role user. Let me show you what needs to be done in the trust relationship if you want to assume any role. Just make sure this is very clear in your mind: we have to use this. Here I have given that any user who has the access can assume this role, just like this: STS and the ARN of the account root. Any user can assume, but this is not a good practice, so basically what we can do is put this ARN only, so this user only can assume this role. Let me edit the trust relationship; basically I have added this myself, and I just want to highlight it: this user only can assume this role. Update policy. In front of you we have created a role, added the trust relationship, and assigned the permission as per your requirement. I will show you an S3 bucket example; let me show you in the same account how many buckets we do have. So this many buckets we do have. So one part is done: which role you want to assume.

I would like to highlight one more interview question. We are not able to assume a role; what is the root cause? So the trust relationship could not be set up properly, and who is going to assume, like the IAM user, doesn't have proper permissions: this is the one answer. Second answer: what do we need to add in the trust relationship? Inside the principal, and the action should be STS assume role. Both, who is going to assume (the IAM user is going to assume) and to whom, both are having STS assume role. In the trust relationship this is the common trust relationship inside the role, but in the user's section we should have a policy, because for the user there is no trust relationship. Hope you got my point. The second interview question is maximum session duration: this is the maximum; we cannot assume this role for more than 1 hour. By default it is 15 minutes using the command line, but this is the second question people will ask.

So let's go. I think we are good with what we have explained: IAM user permission assume role, I showed you with the IAM user; these two points are added. Pending: IAM role, modify trust with the IAM user, and add the S3 policies. I think this one is done and two options are pending, so let me tell you how. Next thing: if you want to assume this role, you should have the access key and secret key. If you want to assume any specific one, I'm just going to do so; it is in security credentials. Hope you got it. I'm telling you once more, because this is a single AWS account resource: to whom you want to assume, the user should have this policy permission, and the role should have the trust relationship. The role should have the trust relationship, not the permission; the permission it has is this. Hope this is clear now. And I have added this manually.

So let me go to the console. Before going to the console, if you are going to access any user now you should have either a test one or need to create it, but we do have the policies here; sorry, not policies, the access key and secret key. So I have already downloaded it; let me check if this is the same level. FY, it is the same. So I need to configure this. I need to configure here: aws --version. The AWS CLI is installed, and it should be the latest. Next question: we are not able to assume the role, so you can check the AWS CLI version; sometimes it does not communicate with the STS endpoint, and due to this it is not able to assume. So this is the third one. aws configure list; I have created a deep dive video for the AWS CLI, so you can go through it. aws configure is the command to configure the CLI. Sorry, Ctrl+C the access key, Ctrl+C, hyphen one, and go to this. aws configure list: it will show if you have added any access key and secret key, though this is what I have highlighted, so you can assume this is created by the access key and secret key; if it is an IAM role, here it shows iam-role. I will show you.

So now with this access key and secret key, and I told you this thing: this IAM user, the assume-role user, doesn't have any permissions; S3 access is nothing. So he cannot do aws s3 ls; here is the output. So how to do that? I have already set up these things. This is the single account, so this is the command: aws sts assume-role with --role-arn, this is the role ARN, the terraform role ARN, and the role session name. The session name is a must, otherwise it will not execute. Let me do it. What output will come, let me show you, and how to use it. This will give you an access key ID and secret access key. I'm just holding for a moment; let me copy. I have copied the access key ID. You just need to copy this only, not the double quotes; we do not need them. This one, this one and this one are needed, all three values only. Let me show you: I have copied here the access key, the secret key, and the token (the token ends with a double equals sign). I did not copy the double quotes. Make sure, this is the mistake, otherwise we will not be able to do it. Just copy and save it in your console. I will show you: initially we had this, the shared access key and secret key, and I will show you the difference as well. Guys, if you like this video kindly share and subscribe, because I am putting all my effort into it; if you can share and subscribe, that is good for me. While copying, do not copy any space, otherwise it will not work.

aws configure list; let me show you what the difference is right now. Now it is env: it is using the environment. This is not what we had set up; this is not the secret key and access key of the IAM user, this is using the temporary tokens, generated from the STS endpoint. These have some validity. So what exactly are the permissions of the role? Let me show you for which role this credential is created. This is our role, the terraform role; it has S3 full access and EC2 full access. S3 we do have, and an instance also we do have. So now this is assuming these temporary tokens. I'm going to clear this and show you aws s3 ls. Just a second: invalid access key when calling the list buckets; the access key ID you provided does not exist. Just hold for a moment. Guys, this is the same mistake I have done: some space I have copied while doing the copy last time. In front of you I have typed it again and executed aws s3 ls, and now all the buckets are coming. Let me show you, because I'm going to tell you the same thing happened with me while doing this lab. All the buckets are showing; this is the same AWS account assume role. I hope you got it. If you like this video kindly share and subscribe. All the buckets are coming in the output, and we do have EC2 full access as well, so let me show you; just a minute. So list EC2 instances: EC2 full access; this is the command basically, and it will give you the EC2 instance ID. Let me show you, this is the same EC2 ID we do have. So the first part is done, guys.

Now we are moving to the second part: how to assume a role in another AWS account. I am in one AWS account and I want to assume account B; basically I do have two AWS accounts. So what do we need to do? Go to the graphical representation. This is the single AWS account; now we are going for the second AWS account. In account A we just need to create an IAM user, the same IAM user we are going to create, and add the policy to access the account B role. This is account B; I will show you the complete practical. And for this user, the same assume role CLI commands. In account B, what do we need to do? The IAM role has S3 full access; we need to create an IAM role with S3 full access. We have already created one bucket in account B. Trust permission modified: it's the same as account A, trust relationship modified, added the account A IAM user ARN in the trust. The same IAM user ARN we just need to add into account B. So let's go for that.

Okay guys, so we just need to unset. There is one command: whatever access token keys we have set, we just need to unset. Now aws s3 ls will not work; before that it was coming. So the list buckets operation we do not have. aws configure list: this is also an interview question, how to unset during the assume role. So this is coming as the role; otherwise, if the assume role credentials are here, it comes as env. Hope this is clear. Now we are going for the second scenario. The access key we needed. So what change needs to be done, I will show you. The IAM user had the policy. Going to the IAM user, the same IAM user, we are not going to create a new one; we had the same IAM user. This is the policy for the same account; I just need to add a policy for a different account. I have already created the policy; I'm just going to explain what needs to be done. You can create the policy manually. Not AWS managed, it is mine: this is the assume-role account B policy. I will show you what exactly this has inside. Add permissions: this is also having the same. The assume-role user does not have any permissions, only this customer managed policy. What exactly is in the customer managed policy? It is the same as for the same account, but here the role is s3-role-account-b and this is the account B ID. This account ID is 4536, but the previous one, this is the same account ID. Before that, same account, it is the same, but this is the different one, and the role name is s3-role-account-b. So now we want to go for account B, account B 7594. This is the account A ID, different; this is account B; we want to assume this role for S3 resources.

So let's go for this account. I have opened it in an incognito window, 7594. So what I need to do: I have already created s3-role-account-b. You can also create it; we have two ways to create this. Simply create the account role and modify the trust relationship, or directly create it with "another AWS account", just give my other account ID 84536, and create. But it will give you wide access, and we do not want wide access. So I have created this account role the other way. Let me show you what the difference is in the trust relationship through selecting "Another AWS account": this is also coming, but this is not a good way from the security perspective; we do not give root. Root means any user with the same level of permission can assume it, but we should have a specific principal, so this is the good way, unless you have this type of functionality; only then you can do that, but please avoid this. So I have created s3-role-account-b and this role has S3 full access. These are the S3 permissions, and this is the one bucket only, cloud-learning, inside account B. Let me show you account B: this is the S3 bucket. And the trust relationship, the same: this is 4536, from where I want to assume, so this is the IAM user assume-role-user, my first user. STS assume role is the action; nothing else needs to be done. This is manually created; I just need to modify the ARN of the IAM user which wants to assume. There are two different accounts, so let's go for the demo. Hope this is clear to you. Let me tell you: the IAM role has S3 full access, trust modified, I added the account A IAM user (this is account A's IAM user, I have already shown that), and now we just need to assume account B.

I have already copied the command: this is the command, the ARN 7794 s3-role-account-b, and this just needs to be copied and executed. I'm just stopping the video and copying it out. The access key and secret key I have just copied; this is the same, and all these, the session token, I have copied. What I'm doing: I'm just copying this, Ctrl+C. Again, this copy, Ctrl+C; there you go, this is the space, due to this it was not working last time. So you just need to do it this way: Ctrl+C, no space. And this way, now which account's bucket will come? Account B: aws s3 ls, only the cloud-learning bucket is coming. And why is it coming? Just because of this assume role setting; this is the same ARN and this is the role ARN of 7534. I just need to do aws configure list: it is env, it is coming through the assumed role. Clear now?

Just hold for a moment, I will show you one more question. If you guys like this video kindly share and subscribe. The first concept is done; in the same video the second concept is done; the max duration concept is also there. By default the assume role credentials will work only for 1 hour. Let me show you how. This is the role we are going to assume; this is max session duration, 1 hour, and counting in seconds. Let me show you which error will come. I want to assume this role once again, I mean I want to create temporary tokens for this role, but for two hours; how will it react? I have already set this up. This is duration in seconds: 7200 seconds means 2 hours, so it will give you an error, because the maximum duration we can assume is 1 hour, but I have entered 2 hours. Let me enter it; it clearly gives you the session error. So what permissions do we have basically right now? aws configure: I want to show you this as well. Through the environment we cannot assume, because right now the environment has the access key and secret key, so we cannot assume; so first we need to unset this variable. How can we do that? Last time we showed you unset. Before this I will show you one more interview thing: env, this is coming in the environment. Inside this environment it will come, the access key ID which we have saved. And let me tell you one more thing: the access token, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, inside the environment it will come. Let me unset this by running this command; oh sorry, I have copied it, Ctrl+C, this is the command. Now again I'm going to run env: there is nothing, no access key and secret key ID. Now aws configure list: now this is the IAM user credential.

Hope you got it. Now what I need to do: I will show you the max duration, create a max duration issue, which I'm going to show you. Guys, if you like this video kindly share and subscribe. I will create the next videos for Kubernetes, but before Kubernetes and Docker I have to create an Apache and Tomcat deployment; basically this is a must for that. The requested duration X seconds exceeds the max session duration. This is the interview question as well. From where can you see this max session? You can edit this; you can also edit this value, maximum seconds, 12 hours, so it will execute for 12 hours. By default it is 1 hour, and if you are not declaring this variable, max duration seconds, it will create, as far as my understanding, only a 15 minute temporary session token; these session tokens are valid only for 15 minutes. So this is the live demo for single AWS account and two AWS account. Guys, if you like this video kindly share and subscribe, and I will create the next Apache deployment, Tomcat deployment, and then we'll move to the microservices deployment like Docker, Dockerfiles and Kubernetes. Thank you, thanks for watching, thanks a lot.
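The single-account and cross-account setup the lab walks through, collected as an added shell example. This is not the video's own files or commands: the account IDs are placeholders (AWS documentation example IDs), and the user and role names are assumed spellings of the names used in the video. It generates the two policy documents (the user's identity policy and the role's trust policy, in the scoped form the video recommends and the wide "account root" form the console wizard produces), parses the output of `aws sts assume-role` into the three environment variables while stripping the quotes and whitespace that broke the copy/paste twice in the video, unsets them again, and pre-checks `--duration-seconds` against the role's maximum session duration before calling STS. The live calls only run when `RUN_LIVE=1` is set and a configured AWS CLI is present; everything else runs offline.

```shell
#!/usr/bin/env bash
# Added example, not the video's own files. IDs below are placeholders and
# the user/role names are assumed spellings of what the video shows.
set -eu

ACCOUNT_A="111122223333"          # placeholder: account that owns the IAM user
ACCOUNT_B="444455556666"          # placeholder: account that owns the S3 role
USER_NAME="assume-role-user"      # assumed name of the IAM user
SAME_ACCOUNT_ROLE="terraform-role"
CROSS_ACCOUNT_ROLE="s3-role-account-b"

# Identity policy attached to the IAM user: its only permission is
# sts:AssumeRole on the specific role ARNs (same account and account B).
user_assume_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::${ACCOUNT_A}:role/${SAME_ACCOUNT_ROLE}",
      "arn:aws:iam::${ACCOUNT_B}:role/${CROSS_ACCOUNT_ROLE}"
    ]
  }]
}
EOF
}

# Trust policy on the role. "scoped" pins the principal to one IAM user;
# "wide" is what "Another AWS account" in the console generates (account
# root), which lets any principal in that account that has sts:AssumeRole
# permission assume the role.
trust_policy() {
  local mode="$1" account="$2" principal
  case "$mode" in
    scoped) principal="arn:aws:iam::${account}:user/${USER_NAME}" ;;
    wide)   principal="arn:aws:iam::${account}:root" ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "${principal}" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# json_field JSON KEY: value of the first "KEY": "..." pair, without the
# quotes, trailing comma or surrounding whitespace.
json_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n1
}

# Export the temporary credentials from `aws sts assume-role` output.
# Fails (returns 1) if any of the three values is missing.
export_assumed_creds() {
  AWS_ACCESS_KEY_ID="$(json_field "$1" AccessKeyId)"
  AWS_SECRET_ACCESS_KEY="$(json_field "$1" SecretAccessKey)"
  AWS_SESSION_TOKEN="$(json_field "$1" SessionToken)"
  [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$AWS_SESSION_TOKEN" ] || return 1
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Drop the temporary credentials so the CLI falls back to the user's own
# keys from `aws configure` ("how to unset during assume role").
unset_assumed_creds() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# --duration-seconds must be between 900 s and the role's MaxSessionDuration
# (3600 s unless raised on the role), or STS rejects the request.
duration_ok() {
  local requested="$1" max="${2:-3600}"
  [ "$requested" -ge 900 ] && [ "$requested" -le "$max" ]
}

# Live steps, only with RUN_LIVE=1 and a configured AWS CLI.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  aws --version
  aws configure list                       # long-lived keys of the IAM user
  duration_ok 3600 3600
  out="$(aws sts assume-role \
    --role-arn "arn:aws:iam::${ACCOUNT_B}:role/${CROSS_ACCOUNT_ROLE}" \
    --role-session-name lab3-session \
    --duration-seconds 3600)"
  export_assumed_creds "$out"
  aws configure list                       # credentials now come from env
  aws s3 ls                                # account B's bucket(s)
  unset_assumed_creds
  aws s3 ls || true                        # back to the user: no S3 rights
fi
```

To apply the generated documents, pipe `user_assume_policy` into `aws iam put-user-policy` (or `create-policy` plus `attach-user-policy`) in account A, and `trust_policy scoped "$ACCOUNT_A"` into `aws iam update-assume-role-policy` on the role in account B; the same trust document with account A's own ID serves the single-account case.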
Info
Channel: AWSCloudAutomation
Views: 94
Keywords: IAM, assume, role, example, cross, account, aws, security, credentials, sts
Id: OYLVh-vP9J0
Length: 27min 13sec (1633 seconds)
Published: Tue Jul 09 2024