Support for Assume Role in S3 Snap

As a developer in a multi-account AWS environment that supports several initiatives, I occasionally need to access S3 buckets in different accounts. The accepted and securely documented way for assets in accountA to retrieve assets from, or use services in, accountB is to grant a user in accountA access to assume a role created in accountB with the proper permissions.

This feature has been around for some time and is well documented both in AWS blogs and their SDK. See the following:

https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/STSAssumeRoleSessionCredentialsProvider.html

Hi, our AWS S3 account does have an IAM role check box. As long as the IAM role is well set up on AWS
and on the EC2 Groundplex nodes (https://docs-snaplogic.atlassian.net/wiki/spaces/SD/pages/1439090/S3+File+Writer),
querying the role using the URL below returns the AccessKeyId and secret key:
[ec2-user@ip-xx-xxx-xxx-xxx ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/theIAM-Role
I think it should work fine.

That does not work for us.

This is how we are setup:

  1. In Account A, an AWS instance profile is attached to the Groundplex
  2. A role is attached to that instance profile that allows the user of that role to assume a role in another account
  3. Using the role from step 2, we need to access an S3 bucket in Account B leveraging sts assume-role

At this time SnapLogic fails to access the bucket. In order to access the bucket in another account, it needs to be able to assume a specific role that I cannot provide in the Snap.

From the instance itself, I am allowed to use assume role to get security credentials as confirmation that this process works.

Please look at the following link:

Hi, ah, sorry if you meant you couldn't do the below from the Snap:
Now log in to this instance to assume the role in Account A. The following command will return the access key, secret key and security token.

aws sts assume-role --role-arn "arn:aws:iam::Account_A_ID:role/RoleForB" \
    --role-session-name "EC2FromB"

Then it's best to check further with our Support.
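For readers who want to see the flow the original poster describes (instance-profile credentials in Account A, sts:AssumeRole against a role in Account B, temporary credentials used for S3) and the `aws sts assume-role` command in the reply above carried out in code, here is an added example. It is not SnapLogic's code and not from AWS documentation; the role ARN, session name and bucket name are placeholders, and the STS client is injectable so the pure logic can run without network access or credentials. Validation of the ARN and session name, and the expiry check with a clock-skew margin, are the checks a practitioner would want before wiring this into a pipeline.

```python
"""Cross-account S3 access via STS AssumeRole (added example, not SnapLogic code).

Flow, as in the thread: credentials from the instance profile in Account A are
used to call sts:AssumeRole on a role in Account B, and the returned temporary
credentials (key, secret AND session token) build the S3 client.  boto3 is
imported lazily so the pure helpers run without it installed.
"""
import re
from datetime import datetime, timezone

# Real STS constraints: RoleSessionName is 2-64 chars of [\w+=,.@-];
# a role ARN is arn:<partition>:iam::<12-digit account>:role/<path+name>.
_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
_ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def validate_role_request(role_arn, session_name, duration_seconds):
    """Reject malformed input before calling STS; returns the validated tuple."""
    if not _ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    if not _SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    # AssumeRole accepts 900 s up to the role's configured maximum (at most 12 h).
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return role_arn, session_name, duration_seconds


def assume_role_credentials(sts_client, role_arn, session_name, duration_seconds=3600):
    """Call AssumeRole and map the response into boto3 client keyword arguments.

    sts_client is any object with an assume_role(**kwargs) method returning the
    STS response shape; in production it is boto3.client("sts").
    """
    validate_role_request(role_arn, session_name, duration_seconds)
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # The session token is mandatory with temporary credentials; omitting it
        # is the usual cause of "InvalidAccessKeyId" after a successful AssumeRole.
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],           # timezone-aware datetime
        "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
    }


def credentials_expired(creds, now=None, skew_seconds=300):
    """True when the temporary credentials are expired or within skew_seconds of it."""
    now = now or datetime.now(timezone.utc)
    return (creds["expiration"] - now).total_seconds() <= skew_seconds


def s3_client_for_role(role_arn, session_name, region_name=None, sts_client=None):
    """Build an S3 client for Account B using a role assumed from Account A's instance profile."""
    import boto3  # on the Groundplex EC2 node the instance-profile credentials are found automatically
    sts = sts_client or boto3.client("sts")
    creds = assume_role_credentials(sts, role_arn, session_name)
    return boto3.client(
        "s3",
        region_name=region_name,
        aws_access_key_id=creds["aws_access_key_id"],
        aws_secret_access_key=creds["aws_secret_access_key"],
        aws_session_token=creds["aws_session_token"],
    )


if __name__ == "__main__":
    # Placeholder ARN and bucket; the real account id, role and bucket come from Account B.
    s3 = s3_client_for_role("arn:aws:iam::123456789012:role/RoleForB", "groundplex-to-B")
    for obj in s3.list_objects_v2(Bucket="example-bucket-in-account-b").get("Contents", []):
        print(obj["Key"])
```

The role in Account B must trust Account A's instance-profile role in its trust policy, and the instance-profile role needs `sts:AssumeRole` on that role's ARN; without both halves the call fails with AccessDenied before any S3 permission is evaluated.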