
Cross Account ARN

The AWS accounts are organized into a structure consisting of one "master" account and several "user" accounts. This eliminates the need to create separate cloud credentials for each individual user account: the controller assumes the master role, and the master role in turn assumes a role in each user (child) account.


Add Multiple AWS User Accounts

  • Log in to the AWS Console and add the list of target accounts to a policy attached to the master role. Below is an illustrative policy that includes all the AssumeRole permissions needed for cross-account access.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicyVersions",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListAttachedRolePolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::200143372387:role/childrolearn"
        }
    ]
}

Here, Resource: arn:aws:iam::200143372387:role/childrolearn is the ARN of the child account role that the master account's role is allowed to assume. A master role can be allowed to assume many such child account roles; list each child role ARN in the Resource field rather than using a wildcard.

The Resource field contains the ARN of the target account's role, which must already have the permissions required for EKS cluster creation.

The master role's account requires a trust relationship with the controller AWS account. Additionally, each child role that the master role assumes must also establish a trust relationship with the controller AWS account.

Trust Relationship policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<controller aws account id>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "xxxexternal_idxxx"
                }
            }
        }
    ]
}

The controller AWS account ID and the external ID are provided when creating role-based cloud credentials on the controller. The sts:ExternalId condition ensures that only a caller presenting that external ID can assume the role, even if it comes from the trusted controller account.
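The following is an added example, not part of the original page, that checks the two policy documents described above against the expected pattern: the master policy's sts:AssumeRole statement must name specific child role ARNs (no wildcard), and each trust policy must name exactly the controller account as principal and carry the sts:ExternalId condition. The controller account ID and policy documents are constructed placeholders.

```python
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample documents; the controller account id is a placeholder.
CONTROLLER_ACCOUNT = "111111111111"
EXTERNAL_ID = "xxxexternal_idxxx"
MASTER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::200143372387:role/childrolearn"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{CONTROLLER_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _assume_role_statements(policy):
    """Yield Allow statements that grant sts:AssumeRole."""
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            yield st


def check_master_policy(policy):
    """Return (child role ARNs the master may assume, problems found)."""
    roles, problems = [], []
    for st in _assume_role_statements(policy):
        for res in _as_list(st.get("Resource", [])):
            if ROLE_ARN.match(res):
                roles.append(res)
            else:  # "*" or a partial ARN lets the master assume far more than the child roles
                problems.append(f"sts:AssumeRole resource should be a specific role ARN, got {res!r}")
    return roles, problems


def check_trust_policy(policy, controller_account, external_id):
    """Return problems with a master/child role trust policy relative to the expected pattern."""
    expected = f"arn:aws:iam::{controller_account}:root"
    statements = list(_assume_role_statements(policy))
    problems = [] if statements else ["no Allow statement for sts:AssumeRole"]
    for st in statements:
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if principals != [expected]:  # "*" or another account would let unintended callers assume the role
            problems.append(f"principal should be exactly {expected}, got {principals}")
        if st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or different from the controller's external ID")
    return problems
```

Run check_trust_policy against both the master role's and every child role's trust policy, since the page requires the controller trust relationship on all of them.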

To fetch the AWS child accounts, the master account must have the following permissions in its policies:

  • iam:ListPolicyVersions
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:ListAttachedRolePolicies

Refer to the IAM Policy page for IAM policies covering different scenarios.

Explore our blog for deeper insights on AWS Cross Account Support for EKS LCM.