- [Seph] Now that you've seen what a role trust policy is in AWS IAM, I want to show it in action. What I'm going to do here is from my primary account, set up access for a user in another account to retrieve objects from my Amazon S3 bucket. As you learned, roles and the trust policies are used to establish the trust relationship between two accounts. Before we get started, I want to show you that for the "S3-x-account" user in the account ending in 2820, Amazon S3 access does not currently exist, let alone access to another account. In fact, this user doesn't have any access at all. As you can see, there are no policies associated with this user, which means that there are no permissions providing access. So, in the account that is providing access, in this case, it's the account ending in 9160, I'm going to create this role and policy. Starting with the policy, I'm already in the AWS IAM console page. I'm going to click on the Policies in the navigation pane and then Create policy. I have already created the policy providing read and write access to my bucket so I'm just going to paste my policy into the JSON section of the policy creation page. After I click Review policy, I'll name my policy and add a description. I'm naming it cross-account-s3 and just putting in a quick description. Now, I'll click Create policy and my policy has been successfully created. Onto the role creation. I'll click Roles in the navigation pane, and then click Create role. The AWS Management Console makes this a bit easier since it gives me the options of what I would need. In this case, I'll click the box for Another AWS account and input the secondary account number that I obtained in preparation for this task. Since both of these accounts are mine and this role is only going to be created temporarily, I don't need to require an external ID or MFA. I'll now click Next and move on to adding the permissions. 
This is where I could create a new policy, but since I've already created one for this task, I'll just search for "cross account", select it, and then click Next. I'm tagging this with the key-value pair of purpose and demo so I can continue to track everything, and then clicking Next to review. I'll name this role cross-account-demo and put in a quick description. Then I'll quickly verify everything is how I want and click Create role. And with that, my role is created. In order to move forward from here, I'll need the role's ARN. So I'll go into the role's details and copy that so I have it for later. So now that this account is ready to receive access, I'll need to go into my other account and tell it where to go. Signing into my account ending in 2820 and starting in the IAM console, I'll go into my Groups and then into the details for the group I have prepared for this. I'll click on the Permissions tab, expand the Inline Policies section, and then click the link allowing me to create a new inline policy for this group. I'm creating a custom policy, and clicking Select will take me to the policy editor to create it. I'll call the policy cross-acct-access and paste in the policy where I've already added the role ARN I copied earlier. This policy is always the same, as it's just allowing users of this group to make the "sts-assume-role" call to the specified resource. That's why we needed the ARN of the role we created in the other account. It provides the specific resource we're putting into this statement. So with that done, I'll click Apply Policy, and we can see that the policy has been associated as an inline policy for this group. To test this, I'll sign into the console as the user I created for this demo, my "s3-x-account" user. On the console landing page, I'll click the dropdown next to my username in the upper right and then select Switch Role, which will bring me to the page where I input the role information.
I'll click Switch Role, input the target account number and the role's name, and I can even choose what name I want displayed. I'll put cross-account-demo. The color allows me to easily differentiate between the roles in the console by highlighting them in the selected color. I'll choose green for this one. And now I'll click Switch Role. With that done, you can now see that the upper right has the display color and name that I selected. Clicking on it would allow me to switch to other roles if I had them set up, and to switch back to my non-role user mode. Since this is supposed to give me S3 access, I'll go over to S3 and see if I'm able to access pr-bucket-ic1. I see the bucket listed there, so I'll select it and try to upload. I'll drag an object in and click Next. I'll go ahead and leave all of this as default and click Next and then Next again. Clicking Upload, you see that my upload access was successful. I'm also supposed to be able to delete the object. Let's see if I can do that. I'll select this object, then click Actions and then click Delete. In this prompt, I'll click Delete. And as you can see, it was successful. And with that, I've completed the cross-account access demonstration. I hope that makes cross-account trusting a bit clearer for you. There are links in the course notes going into more detail about this process, and I'll go ahead and close this video. See you next time.
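The three policy documents the demo above clicks through in the console, written out as JSON, plus a small evaluator that mirrors the two-sided check STS performs when the user switches role. This is an added example, not code from the video or from AWS: the full account IDs are placeholders (the video only shows the endings 9160 and 2820), the bucket, role and policy names are the ones spoken in the video, and the evaluator is a simplified model that handles only the `Allow` statements, the `sts:ExternalId` and MFA conditions shown in the role-creation wizard, and exact resource matches (no wildcards, explicit `Deny`, or SCPs).

```python
import json

# Placeholder account IDs (assumption: the video only shows IDs ending in 9160 and 2820).
TRUSTING_ACCOUNT = "111111111111"  # owns the bucket and the role (the account ending in 9160)
TRUSTED_ACCOUNT = "222222222222"   # owns the s3-x-account user (the account ending in 2820)
BUCKET = "pr-bucket-ic1"
ROLE_NAME = "cross-account-demo"
ROLE_ARN = f"arn:aws:iam::{TRUSTING_ACCOUNT}:role/{ROLE_NAME}"


def s3_permissions_policy(bucket):
    """Permissions policy attached to the role (the video's 'cross-account-s3'):
    list the bucket, and read/write/delete objects in it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def role_trust_policy(trusted_account, external_id=None, require_mfa=False):
    """Trust policy the 'Another AWS account' wizard generates. The two optional
    checkboxes the video skips become Condition blocks on the same statement."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    cond = {}
    if external_id:
        cond["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        cond["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if cond:
        stmt["Condition"] = cond
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_identity_policy(role_arn):
    """Inline policy on the group in the trusted account (the video's 'cross-acct-access').
    Trusting the account root only delegates the decision; this grants it to the group."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _trust_allows(trust_policy, caller_account, external_id, mfa):
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {})
        wanted_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted_id is not None and external_id != wanted_id:
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa:
            continue
        return True
    return False


def _identity_allows(identity_policy, role_arn):
    for stmt in identity_policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and role_arn in _as_list(stmt["Resource"])):
            return True
    return False


def can_assume_role(trust_policy, identity_policy, caller_account, role_arn,
                    external_id=None, mfa=False):
    """Simplified model of the STS decision: the role's trust policy in the trusting
    account AND the caller's identity policy in the trusted account must both allow
    sts:AssumeRole. Either side alone is not enough."""
    return (_trust_allows(trust_policy, caller_account, external_id, mfa)
            and _identity_allows(identity_policy, role_arn))


if __name__ == "__main__":
    for name, doc in [("cross-account-s3", s3_permissions_policy(BUCKET)),
                      ("trust policy", role_trust_policy(TRUSTED_ACCOUNT)),
                      ("cross-acct-access", assume_role_identity_policy(ROLE_ARN))]:
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
    print("user in trusted account can switch role:",
          can_assume_role(role_trust_policy(TRUSTED_ACCOUNT),
                          assume_role_identity_policy(ROLE_ARN), TRUSTED_ACCOUNT, ROLE_ARN))
```

The evaluator is there to make the point the video states in passing: with no inline policy on the group, the s3-x-account user cannot switch role even though the trust policy names its account, and a user from any third account is refused even if it has an identity policy naming the role ARN. It also shows what the skipped "external ID" and "MFA" checkboxes would add to the trust policy; for a role you hand to a third party rather than your own second account, the external ID is the standard defence against the confused-deputy problem.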