I keep forgetting this: in AWS, a principal in one account can access a resource in another account directly only if the resource can have an IAM policy attached to it (i.e. the service supports "resource-based policies"; examples are S3 buckets, or SQS queues). Even then both sides have to say yes: the resource-based policy in the resource's account has to name the foreign principal, and that principal's identity-based policy in its own account has to allow the action.
However, many AWS services do not support resource-based policies.
In those cases there is nothing on the resource side that can grant anything to a foreign principal, so you need to use "identity-based policies" to do cross-account resource access, i.e. use IAM Roles. (Create a role in the same account the resource is in [with the correct permissions for accessing the resource], and in that role's trust policy allow users/roles from the other account to assume said role. The callers in the other account also need sts:AssumeRole on the role's ARN in their own identity-based policy.)
tl;dr: Q: why don't this work????

    Acct A                                Acct B
    IAM Role ThingGetter    ---X--->      svcResource (that requires svc:GetThing)
      Allow: svc:GetThing*
      Principal: "*"

A: cos svcResource can't have an IAM policy attached to it (and an identity-based policy has no Principal element anyway: a role in Acct A can only grant permissions to itself, it can't make Acct B trust it). You need to do:

    Acct A                             Acct B                                  Acct B (still)
    IAM Role RoleAssumer    --->       IAM Role ThingGetter        --->        svcResource (that requires svc:GetThing)
      Allow: sts:AssumeRole              Trust policy:
      Resource:                            Principal: "arn:aws:iam::acct-a:role/RoleAssumer"
        "arn:aws:iam::acct-b:role/ThingGetter"  Allow: sts:AssumeRole
                                         Permissions policy:
                                           Allow: svc:GetThing*

(note it is sts:AssumeRole, not iam:AssumeRole; IAM has no such action)
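The two shapes above, written out as the actual policy documents plus a tiny model of how IAM decides cross-account requests. This is an added example, not code from the post or from AWS: the account IDs, the bucket name, and the evaluator are all constructed here. The evaluator only models the rule this post is about (explicit Deny wins; otherwise the caller's identity policy AND the resource/trust policy in the other account must both Allow) and ignores conditions, SCPs, permission boundaries and session policies. The last function shows the real STS call for the role-chain case and needs boto3 and live credentials.

```python
"""Cross-account access: resource-based policy vs. role assumption chain.

Added example, not from the original post. Account IDs, ARNs and the
bucket name are constructed placeholders. The policy evaluator is a
deliberate simplification of IAM's cross-account rule and is NOT the
real IAM engine (no Condition, SCP, boundary or session-policy support).
"""
from fnmatch import fnmatch

ACCT_A = "111111111111"  # constructed: the calling account
ACCT_B = "222222222222"  # constructed: the account that owns the resource
ROLE_ASSUMER = f"arn:aws:iam::{ACCT_A}:role/RoleAssumer"
ROLE_THING_GETTER = f"arn:aws:iam::{ACCT_B}:role/ThingGetter"
BUCKET = "arn:aws:s3:::acct-b-bucket"  # constructed bucket ARN


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _stmt_matches(stmt, action, resource, principal=None):
    """Does one statement cover this action/resource (and principal, if asked)?"""
    if not any(fnmatch(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    # Trust policies carry no Resource element; treat that as the role itself.
    if not any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource", ["*"]))):
        return False
    if principal is not None:
        p = stmt.get("Principal", {})
        names = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(n == "*" or n == principal for n in names):
            return False
    return True


def _decision(policy, action, resource, principal=None):
    """'deny' if any matching statement denies, else 'allow' if one allows, else 'none'."""
    result = "none"
    for stmt in policy.get("Statement", []):
        if _stmt_matches(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def same_account_allowed(identity_policy, action, resource):
    """Within one account, the identity policy alone decides."""
    return _decision(identity_policy, action, resource) == "allow"


def cross_account_allowed(identity_policy, resource_policy, principal_arn, action, resource):
    """Caller in one account, resource in another: BOTH sides must Allow.

    resource_policy is None when the service has no resource-based policy,
    which is exactly the "why don't this work" case: nothing in the
    resource's account can grant anything to the foreign principal."""
    if resource_policy is None:
        return False
    return (_decision(identity_policy, action, resource) == "allow"
            and _decision(resource_policy, action, resource, principal_arn) == "allow")


def can_assume_role(assumer_policy, trust_policy, assumer_arn, role_arn):
    """Role chaining is the same rule applied to sts:AssumeRole, with the
    target role's trust policy acting as the resource-based policy."""
    return cross_account_allowed(assumer_policy, trust_policy, assumer_arn,
                                 "sts:AssumeRole", role_arn)


# Case 1: S3 supports resource-based policies, so direct access works
# as long as both the bucket policy (Acct B) and the identity policy (Acct A) allow.
IDENTITY_POLICY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ASSUMER},
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}]}

# Case 2: svcResource has no resource policy, so go through a role in Acct B.
ASSUMER_POLICY = {"Version": "2012-10-17", "Statement": [      # on RoleAssumer (Acct A)
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_THING_GETTER}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [        # on ThingGetter (Acct B)
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ASSUMER}, "Action": "sts:AssumeRole"}]}
THING_GETTER_POLICY = {"Version": "2012-10-17", "Statement": [  # on ThingGetter (Acct B)
    {"Effect": "Allow", "Action": "svc:GetThing*", "Resource": "*"}]}


def thing_getter_session(session_name="cross-account-demo"):
    """Assume ThingGetter from RoleAssumer's credentials via STS.
    Needs boto3 and real credentials; not exercised offline."""
    import boto3  # lazy import so the policy model above runs without boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=ROLE_THING_GETTER, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])
```

The point the evaluator makes explicit: in the resource-policy case a missing or wrong identity policy in Acct A fails just as surely as a missing bucket policy in Acct B, and in the role case the trust policy of ThingGetter is the thing that plays the "resource policy" part, so `Principal: "*"` on the Acct A side never helps.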
This blog was supposed to be micro :/
Docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html