Accessing Secrets Using Cross Account Role between Two AWS Accounts.

Introduction :-

In the world of cloud computing, managing secrets across different #AWS accounts can be a challenging task. However, by using cross-account roles, we can simplify this process and enhance security. This blog post will guide you through the steps of accessing secrets using a cross-account role, providing a secure and efficient method for managing sensitive information across multiple #AWS accounts.

Prerequisites :-

Before we dive into the procedure, make sure you have the following:

• Two AWS account’s with the necessary permissions
• #AWS CLI installed and configured
• Basic understanding of #AWS Identity and Access Management (IAM)
• Familiarity with #AWS Secrets Manager

Tip: If you’re new to AWS, consider reviewing the AWS documentation on IAM and Secrets Manager before proceeding.

Procedure :-

Step 1: Create a cross-account role in Account-B

• Log in to the #AWS Management Console of the Account-B.
• Navigate to the #IAM dashboard.
• Click on “Roles” in the left sidebar, then “Create role”.
• Choose “Custom trust policy” as the trusted entity type.
• Add the below policy into the custom trust policy.

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "Statement1",
   "Effect": "Allow",
   "Principal": {
    "AWS": "arn:aws:iam::AWS_Account-A_id:root"
   },
   "Action": "sts:AssumeRole"
  }
 ]
}

• Click on next and add the “SecretsManagerReadWrite” permissions policy.
• Review and create the role, noting down the ARN of the new role.

Step-2:- Create #Kms key in the Account-A

• Login to the #Aws Account-A and navigate to the key Management service.
• Go to the customer managed keys and click on create a key.
• choose the key type as symmetric and usage as encrypt & decrypt.
• click on next and give an alias to the key, click on next.
• select the administrator for the key and add the below key policy into the key.

    {
      "Sid": "Allow account administrators to manage the KMS key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${Account-A-id}:root"
      },
      "Action": [
        "kms:*"
      ],
      "Resource": "arn:aws:kms:${region}:${Account-A-id}:key/Your-KMS-Key-ID"
    },
    {
      "Sid": "Enable cross account log decryption",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Principal": {
        "AWS": "arn:aws:iam::${Account-B-id}:role/cross-account-role-name"
      },
      "Resource": "arn:aws:kms:${region}:${Account-A-id}:key/Your-KMS-Key-ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.ca-central-1.amazonaws.com"
        },
        "StringLike": {
          "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:${region}:${Account-A-id}:secret:YOUR_SECRET_NAME"
        }
      }
    }

Step-3:- Create Secret in the Account-A

• Login to the #Aws Account-A and navigate to the secrets manager.
• Create a secret with the below resource permissions.
• Add the secret-key and values into the secret.

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::ACCOUNT-B-ID:role/CROSS_ACCOUNT_ROLE_NAME"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}

• Select the encryption key(#KMS key) in which u have been created in step-1.

Step 4: Assume the cross-account role

Open a command prompt window and configure your #AWS account-2 credentials(Access Keys). Using the #AWS CLI, assume the cross-account role:

aws sts assume-role --role-arn arn:aws:iam::AWS_ACCOUNT_2_ID:role/ROLE_NAME --role-session-name MySession

This command will return temporary security credentials.

Step 5: Configure #AWS CLI with temporary credentials

Set the following environment variables with the values from the previous step:

export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<SessionToken>

Step 6: Access the secrets

Now you can use the #AWS CLI or SDK to access secrets in the other account:

aws secretsmanager get-secret-value --secret-id MySecret

Conclusion :-

Accessing secrets using a cross-account role provides a secure and manageable way to share sensitive information across #AWS accounts. By following this procedure, you can maintain the principle of least privilege while still allowing necessary access to secrets. Remember to regularly review and update your #IAM policies and roles to ensure ongoing security of your #AWS environment.