
How to have access token per user assuming a role in another account?

I have users who have an Access Token on the root account. They have access to another account (dev) through an assumed role.

I'm stuck now because on the dev account I don't have the same users. It means that I cannot give them an Access Token to be able to use ECR.

Do I need to create the users on both accounts?

Kaymaz

2 Answers

You are misunderstanding how AWS cross-account roles work.

First you create an IAM role for cross-account access. Then you assign permission to the users to assume that role.

You do not need to have matching users in both accounts.

You do not hand out tokens to your users. Your AWS IAM users log in to their AWS account and then assume the role that you created to temporarily switch their user identity to the other account.

If you want to track what each user does, then create separate roles for each user. CloudTrail will then track everything. Enable CloudTrail in both accounts.

How to Enable Cross-Account Access to the AWS Management Console

John Hanley
  • Thank you for the explanation. I already have this setup, but how do I handle the ECR login command for Docker? It needs to have a token to push/pull images. – Kaymaz Feb 22 '18 at 18:00
  • Getting a Docker login requires IAM permissions; give the cross-account role access to the ECR IAM privileges, then it should be able to use `aws ecr get-login` with the cross-account role. – strongjz Feb 23 '18 at 14:26

You need to add --registry-id <assumed account id> to the aws ecr get-login command.

Kaymaz
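One way to script the flow the two answers describe, added here as an example and not code from either poster: assume the dev-account role with `sts assume-role`, export the temporary credentials, then log Docker in to the dev account's registry (the role's policy must allow `ecr:GetAuthorizationToken` plus the push/pull actions). The role ARN, region and session name are placeholders; `get-login-password` is the current CLI replacement for the `get-login --registry-id` command mentioned above.

```shell
#!/bin/sh
# Added example: Docker login to ECR in another account via an assumed role.
set -eu

# Pure helper: the account id is the 5th ':'-separated field of a role ARN.
account_id_from_role_arn() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Pure helper: ECR registry host for an account id and region.
ecr_registry_host() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Export the temporary credentials from one tab-separated line, as produced by
# `aws sts assume-role --output text --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'`.
export_sts_credentials() {
  old_ifs=$IFS
  IFS="$(printf '\t')"
  set -- $1            # split the line on tabs into key id, secret, token
  IFS=$old_ifs
  [ $# -eq 3 ] || { echo "unexpected assume-role output" >&2; return 1; }
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Full flow: assume the cross-account role, then docker login to that account's registry.
# Usage: ecr_cross_account_login arn:aws:iam::<DEV_ACCOUNT_ID>:role/<EcrRole> <region>
ecr_cross_account_login() {
  role_arn=$1
  region=$2
  account_id=$(account_id_from_role_arn "$role_arn")
  creds=$(aws sts assume-role --role-arn "$role_arn" \
            --role-session-name "ecr-$(id -un)" --output text \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]')
  export_sts_credentials "$creds"
  # With the temporary credentials in the environment, the token comes from the
  # dev account. The older form from the answer above is:
  #   eval "$(aws ecr get-login --registry-id "$account_id" --no-include-email)"
  aws ecr get-login-password --region "$region" \
    | docker login --username AWS --password-stdin \
        "$(ecr_registry_host "$account_id" "$region")"
}
```

The exported session credentials expire (one hour by default for `assume-role`), so rerun the function rather than storing its output.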