Sample AWS CLI to create all resources required for cross account access in a Kinesis Stream
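#!/usr/bin/env bash
# This is an example on how to setup roles using CLI
# for cross account access in Kinesis.
# WARNING: You should review this code before using it on your account
# See https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
#
# Usage:    ./<script> <profile-account-with-resource> <profile-account-use-resource>
# Requires: the aws CLI with both profiles configured (region included).
#
# Strict mode is set here rather than in the shebang, where it is lost when
# the script is started as `bash script.sh`. -u turns a typo in a variable
# name into an error instead of an empty --profile / empty account id, and
# pipefail keeps a failing `aws` from being hidden behind a pipe.
set -euo pipefail

if (( $# != 2 )); then
  CMD=${0##*/}
  printf '%s\n' "./$CMD <profile-account-with-resource> <profile-account-use-resource>" >&2
  printf '%s\n' "Ex: ./$CMD prod-account dev-account" >&2
  exit 1
fi

# Account with the resource
PROFILE_ACCOUNT_WITH_RES=$1
# Account who wants to access the resource
PROFILE_ACCOUNT_ACCESS_RES=$2

# Resolve both account ids before anything is created, so a misspelled
# profile or expired credentials fail here and leave nothing behind.
ACCOUNT_ID_WITH_RES=$(aws sts get-caller-identity \
  --query "Account" \
  --output text \
  --profile "$PROFILE_ACCOUNT_WITH_RES")
ACCOUNT_ID_ACCESS_RES=$(aws sts get-caller-identity \
  --query "Account" \
  --output text \
  --profile "$PROFILE_ACCOUNT_ACCESS_RES")

echo " ACCOUNT ID WITH RESOURCE: $ACCOUNT_ID_WITH_RES"
echo "ACCOUNT ID ACCESSING THE RESOURCE: $ACCOUNT_ID_ACCESS_RES"
echo "$ACCOUNT_ID_ACCESS_RES = CROSS ACCOUNT => $ACCOUNT_ID_WITH_RES (KINESIS)"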
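# print <account-id> <profile> <message>
# Writes one progress line of the form "<account-id> (<profile>) - <message>"
# to stdout. printf instead of echo so the line is emitted verbatim whatever
# the message contains (leading dashes, backslashes).
print() {
  printf '%s (%s) - %s\n' "$1" "$2" "$3"
}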
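# Clean up
# clean_up <profile-with-res> <account-id-with-res> <profile-access-res> <account-id-access-res>
# Best-effort teardown of everything the script creates, in reverse
# dependency order (a policy must be detached before it or the role can be
# deleted). Every step is attempted even when an earlier one fails: under
# `-e` a single failed delete used to abort the function and leave a
# cross-account role with its policy still attached. Diagnostics go to
# stderr; returns non-zero if any step failed so the caller can tell.
clean_up() {
  local profile_res=$1 account_res=$2 profile_access=$3 account_access=$4
  local failed=0

  echo "Cleaning resources..."
  echo "PROFILE: $profile_res ACC_ID: $account_res"
  echo "PROFILE: $profile_access ACC_ID: $account_access"

  aws kinesis delete-stream \
    --stream-name sample-stream \
    --profile "$profile_res" || failed=1
  echo "-"

  # Accessing account: detach, then delete policy and role.
  print "$account_access" "$profile_access" "Detaching AllowAssumeRoleOnAccountWithResource_Role"
  aws iam detach-role-policy \
    --role-name "AllowAssumeRoleOnAccountWithResource_Role" \
    --policy-arn "arn:aws:iam::$account_access:policy/AssumeRole_Policy" \
    --profile "$profile_access" || failed=1
  print "$account_access" "$profile_access" "Deleting AssumeRole_Policy $profile_access..."
  aws iam delete-policy \
    --policy-arn "arn:aws:iam::$account_access:policy/AssumeRole_Policy" \
    --profile "$profile_access" || failed=1
  print "$account_access" "$profile_access" "Deleting AllowAssumeRoleOnAccountWithResource_Role $profile_access..."
  aws iam delete-role \
    --role-name "AllowAssumeRoleOnAccountWithResource_Role" \
    --profile "$profile_access" || failed=1
  echo "-"

  # Resource account: same order.
  print "$account_res" "$profile_res" "Detaching AccountWithResource_Role $profile_res..."
  aws iam detach-role-policy \
    --role-name "AccountWithResource_Role" \
    --policy-arn "arn:aws:iam::$account_res:policy/Resource_Policy" \
    --profile "$profile_res" || failed=1
  print "$account_res" "$profile_res" "Deleting Resource_Policy $profile_res..."
  aws iam delete-policy \
    --policy-arn "arn:aws:iam::$account_res:policy/Resource_Policy" \
    --profile "$profile_res" || failed=1
  print "$account_res" "$profile_res" "Deleting AccountWithResource_Role $profile_res..."
  aws iam delete-role \
    --role-name "AccountWithResource_Role" \
    --profile "$profile_res" || failed=1

  if (( failed )); then
    printf 'warning: some resources could not be removed; check both accounts manually\n' >&2
    return 1
  fi
  return 0
}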
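# Create a sample resource
readonly STREAM_NAME=sample-stream

# Region of the resource account's profile. It is needed because the
# cross-account test further down cannot pass --profile: when a profile is
# named explicitly the AWS CLI ignores the AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN environment, so "put-record
# --profile <resource account>" with assumed-role credentials exported
# would quietly run as the resource account itself and prove nothing.
# `aws configure get` prints nothing and exits 1 when the profile has no
# region, hence the fallback to the usual environment variables. Resolved
# before anything is created so a missing region fails fast.
REGION=$(aws configure get region --profile "$PROFILE_ACCOUNT_WITH_RES" 2>/dev/null || true)
REGION=${REGION:-${AWS_REGION:-${AWS_DEFAULT_REGION:-}}}
: "${REGION:?no region configured for profile $PROFILE_ACCOUNT_WITH_RES (set it in the profile or in AWS_DEFAULT_REGION)}"
readonly REGION

# run_as <access-key-id> <secret-key> <session-token> <aws subcommand...>
# Runs one aws command under temporary credentials, in a subshell so the
# credentials never enter this script's environment (and are not inherited
# by clean_up or anything started later). AWS_PROFILE is unset for the same
# reason --profile is not passed: either makes the CLI skip the credential
# environment variables.
run_as() {
  local key_id=$1 secret=$2 token=$3
  shift 3
  (
    unset AWS_PROFILE
    AWS_ACCESS_KEY_ID=$key_id AWS_SECRET_ACCESS_KEY=$secret AWS_SESSION_TOKEN=$token \
      aws --region "$REGION" "$@"
  )
}

aws kinesis create-stream \
  --stream-name "$STREAM_NAME" \
  --shard-count 1 \
  --profile "$PROFILE_ACCOUNT_WITH_RES"

# From here on every exit path - including a `set -e` failure part way
# through - tears down whatever was created, so an aborted run does not
# leave a cross-account trust (or a billable stream) behind. Registered
# only after create-stream succeeded so that a pre-existing stream of the
# same name is never deleted by this script.
trap 'clean_up "$PROFILE_ACCOUNT_WITH_RES" "$ACCOUNT_ID_WITH_RES" "$PROFILE_ACCOUNT_ACCESS_RES" "$ACCOUNT_ID_ACCESS_RES"' EXIT

# The stream stays in CREATING for a while; records can only be written
# once it is ACTIVE, so wait instead of hoping the IAM sleep below covers it.
aws kinesis wait stream-exists \
  --stream-name "$STREAM_NAME" \
  --profile "$PROFILE_ACCOUNT_WITH_RES"

# --output text returns the bare ARN; no JSON quotes to strip.
STREAM_ARN=$(aws kinesis describe-stream \
  --stream-name "$STREAM_NAME" \
  --query "StreamDescription.StreamARN" \
  --output text \
  --profile "$PROFILE_ACCOUNT_WITH_RES")
print "$ACCOUNT_ID_WITH_RES" "$PROFILE_ACCOUNT_WITH_RES" "Kinesis Stream created ARN - $STREAM_ARN"

# --- Resource account: permission policy + the role the other account may assume ---

# Least privilege for the sample: only the two write actions, only on this stream.
# The documents are built with printf -v so the JSON is readable and the
# substituted values are the only variable parts.
printf -v RESOURCE_POLICY_DOC \
  '{"Version":"2012-10-17","Statement":{"Sid":"SampleResourcePolicy","Effect":"Allow","Action":["kinesis:PutRecord","kinesis:PutRecords"],"Resource":"%s"}}' \
  "$STREAM_ARN"
POLICY_ARN=$(aws iam create-policy \
  --policy-name Resource_Policy \
  --policy-document "$RESOURCE_POLICY_DOC" \
  --query "Policy.Arn" \
  --output text \
  --profile "$PROFILE_ACCOUNT_WITH_RES")
print "$ACCOUNT_ID_WITH_RES" "$PROFILE_ACCOUNT_WITH_RES" "Policy $POLICY_ARN created."

# Trust policy: as in the original sample, the whole accessing account
# (":root") may assume this role. Outside a demo, narrow the Principal to
# the specific role ARN and consider an ExternalId condition.
printf -v TRUST_WITH_RES_DOC \
  '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sts:AssumeRole","Condition":{}}]}' \
  "$ACCOUNT_ID_ACCESS_RES"
aws iam create-role \
  --role-name AccountWithResource_Role \
  --assume-role-policy-document "$TRUST_WITH_RES_DOC" \
  --profile "$PROFILE_ACCOUNT_WITH_RES" > /dev/null
print "$ACCOUNT_ID_WITH_RES" "$PROFILE_ACCOUNT_WITH_RES" "Role AccountWithResource_Role created."

aws iam attach-role-policy \
  --role-name AccountWithResource_Role \
  --policy-arn "$POLICY_ARN" \
  --profile "$PROFILE_ACCOUNT_WITH_RES"
# Reported under the resource account: that is where the role and policy live.
print "$ACCOUNT_ID_WITH_RES" "$PROFILE_ACCOUNT_WITH_RES" "Role AccountWithResource_Role attached to Policy $POLICY_ARN ."

# --- Accessing account: a role that is allowed to assume the role above ---

printf -v TRUST_ACCESS_RES_DOC \
  '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sts:AssumeRole"}]}' \
  "$ACCOUNT_ID_ACCESS_RES"
aws iam create-role \
  --role-name AllowAssumeRoleOnAccountWithResource_Role \
  --assume-role-policy-document "$TRUST_ACCESS_RES_DOC" \
  --profile "$PROFILE_ACCOUNT_ACCESS_RES" > /dev/null
print "$ACCOUNT_ID_ACCESS_RES" "$PROFILE_ACCOUNT_ACCESS_RES" "Role AllowAssumeRoleOnAccountWithResource_Role created."

printf -v ASSUME_ROLE_POLICY_DOC \
  '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"sts:AssumeRole","Resource":"arn:aws:iam::%s:role/AccountWithResource_Role"}}' \
  "$ACCOUNT_ID_WITH_RES"
POLICY_ASSUME_ROLE_ARN=$(aws iam create-policy \
  --policy-name AssumeRole_Policy \
  --policy-document "$ASSUME_ROLE_POLICY_DOC" \
  --query "Policy.Arn" \
  --output text \
  --profile "$PROFILE_ACCOUNT_ACCESS_RES")
print "$ACCOUNT_ID_ACCESS_RES" "$PROFILE_ACCOUNT_ACCESS_RES" "Policy AssumeRole_Policy created. This Policy allows the assuming the role to execute operations on the target account."

aws iam attach-role-policy \
  --role-name AllowAssumeRoleOnAccountWithResource_Role \
  --policy-arn "$POLICY_ASSUME_ROLE_ARN" \
  --profile "$PROFILE_ACCOUNT_ACCESS_RES"
print "$ACCOUNT_ID_ACCESS_RES" "$PROFILE_ACCOUNT_ACCESS_RES" "AllowAssumeRoleOnAccountWithResource_Role created on account $PROFILE_ACCOUNT_ACCESS_RES."

# IAM is eventually consistent: a role or policy created a moment ago may
# not be usable yet. Fixed delay kept from the original; if the assume-role
# below fails with AccessDenied on a fresh run, this is the first suspect.
echo "Waiting IAM propagate changes..."
sleep 5

# --- Test 1: the resource account writes to its own stream (sanity check) ---
# NOTE(review): AWS CLI v2 reads --data as base64 by default; on v2 pass
# --cli-binary-format raw-in-base64-out or base64-encode the payload.
print "$ACCOUNT_ID_WITH_RES" "$PROFILE_ACCOUNT_WITH_RES" "Sending test message to stream $STREAM_ARN with $PROFILE_ACCOUNT_WITH_RES"
aws kinesis put-record \
  --stream-name "$STREAM_NAME" \
  --data "Test" \
  --partition-key pk1 \
  --profile "$PROFILE_ACCOUNT_WITH_RES"

# --- Test 2: the actual cross-account path ---
# Hop 1: assume the accessing account's own role, the principal that
# AssumeRole_Policy allows to assume the resource account's role. The three
# credential fields are fetched as one tab-separated text line, so no jq
# is needed and nothing is exported into this shell.
HOP1=$(aws sts assume-role \
  --role-arn "arn:aws:iam::$ACCOUNT_ID_ACCESS_RES:role/AllowAssumeRoleOnAccountWithResource_Role" \
  --role-session-name AssumeCrossAccountRole \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text \
  --profile "$PROFILE_ACCOUNT_ACCESS_RES")
IFS=$'\t' read -r HOP1_KEY HOP1_SECRET HOP1_TOKEN <<<"$HOP1"

# Hop 2: with the hop-1 credentials, assume the resource account's role.
# The original stopped after hop 1 and then wrote to the stream with
# --profile, i.e. still as the resource account, so the cross-account grant
# was never exercised; this hop is what the whole setup is for.
HOP2=$(run_as "$HOP1_KEY" "$HOP1_SECRET" "$HOP1_TOKEN" sts assume-role \
  --role-arn "arn:aws:iam::$ACCOUNT_ID_WITH_RES:role/AccountWithResource_Role" \
  --role-session-name AssumeCrossAccountRole \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text)
IFS=$'\t' read -r HOP2_KEY HOP2_SECRET HOP2_TOKEN <<<"$HOP2"

# Check temp role: report the assumed identity rather than an access key id.
ASSUMED_ARN=$(run_as "$HOP2_KEY" "$HOP2_SECRET" "$HOP2_TOKEN" sts get-caller-identity \
  --query "Arn" \
  --output text)

# Test the access from the account using the resource
print "$ACCOUNT_ID_WITH_RES" "assumed" "Sending test message to stream $STREAM_ARN as $ASSUMED_ARN"
run_as "$HOP2_KEY" "$HOP2_SECRET" "$HOP2_TOKEN" kinesis put-record \
  --stream-name "$STREAM_NAME" \
  --data "Test2" \
  --partition-key pk1

# Explicit teardown on the success path. The EXIT trap is cleared first so
# clean_up runs exactly once and its exit status becomes the script's.
trap - EXIT
clean_up "$PROFILE_ACCOUNT_WITH_RES" "$ACCOUNT_ID_WITH_RES" "$PROFILE_ACCOUNT_ACCESS_RES" "$ACCOUNT_ID_ACCESS_RES"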