Accessing AWS resources across accounts

I keep forgetting this: in AWS, you can access a resource across accounts directly if the resource can have an IAM policy attached to it (i.e. the resource supports “resource-based policies”; examples are S3 buckets or SQS queues).

However, most AWS services do not support resource-based policies.

In those cases, you need to use “identity-based policies” to do cross-account resource access, i.e. use IAM Roles. (Create a role in the same account the resource is in, with the permissions needed to access the resource, and then allow users/roles from the other account to assume that role via its trust policy.)

tl;dr: Q: why doesn’t this work????

Acct A                      Acct B
IAM Role ThingGetter  --->  svcResource (that requires svc:GetThing)
Allow: svc:GetThing*
Principal: "*"

A: cos svcResource can’t have a resource-based policy attached to it (and a role’s identity-based policy in Acct A has no say over a resource in Acct B). You need to do:

Acct A                           Acct B                           Acct B (still)
IAM Role RoleAssumer        ---> IAM Role ThingGetter        -->  svcResource (that requires svc:GetThing)
Allow: sts:AssumeRole            Allow: svc:GetThing*
Resource:                        Trust policy Principal:
"arn:aws:iam::acct-b:role/        "arn:aws:iam::acct-a:role/
 ThingGetter"                      RoleAssumer"
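To make the two paths concrete, here is an added toy evaluator (my code, not from this post or from AWS) that models only the checks that matter here: same-account vs resource-based access, and the three policies that must line up for role assumption. Account ids, ARNs and svc:GetThing are constructed placeholders, the real AssumeRole action name is sts:AssumeRole, and real IAM evaluation (Deny statements, conditions, SCPs, permission boundaries, session policies) is deliberately left out.

```python
from fnmatch import fnmatchcase

# Constructed placeholders: account ids, role ARNs and the post's made-up svc:GetThing.
ACCT_A, ACCT_B = "111111111111", "222222222222"
ROLE_ASSUMER = f"arn:aws:iam::{ACCT_A}:role/RoleAssumer"
THING_GETTER = f"arn:aws:iam::{ACCT_B}:role/ThingGetter"
SVC_RESOURCE = f"arn:aws:svc:us-east-1:{ACCT_B}:thing/example"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(st, arn):
    p = st.get("Principal", {})
    return p == "*" or (isinstance(p, dict) and arn in _as_list(p.get("AWS", [])))

def allows(policy, action, resource=None, principal=None):
    """True if some Allow statement matches. Resource is checked only when given (trust
    policies have none); Principal only when given (identity policies have none)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if resource and not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if principal and not _principal_matches(st, principal):
            continue
        return True
    return False

def direct_access(caller_arn, caller_perms, resource_acct, resource_policy, action):
    """Path 1: same account needs the caller's policy; cross-account needs a resource policy."""
    if caller_arn.split(":")[4] == resource_acct:
        return allows(caller_perms, action, SVC_RESOURCE)
    return resource_policy is not None and allows(resource_policy, action, SVC_RESOURCE, caller_arn)

def access_via_role(caller_arn, caller_perms, role_arn, role_trust, role_perms, action):
    """Path 2: all three policies must line up for AssumeRole to reach the resource."""
    return (allows(caller_perms, "sts:AssumeRole", role_arn)           # Acct A: identity policy
            and allows(role_trust, "sts:AssumeRole", None, caller_arn)  # Acct B: trust policy
            and allows(role_perms, action, SVC_RESOURCE))               # Acct B: permission policy

# The post's "why doesn't this work" setup: a role in Acct A pointed straight at Acct B.
BROKEN_ACCT_A_POLICY = {"Statement": [{"Effect": "Allow", "Action": "svc:GetThing*",
                                       "Resource": "*", "Principal": "*"}]}
ASSUMER_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Resource": THING_GETTER}]}
THING_GETTER_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                    "Principal": {"AWS": ROLE_ASSUMER}}]}
THING_GETTER_PERMS = {"Statement": [{"Effect": "Allow", "Action": "svc:GetThing*",
                                    "Resource": SVC_RESOURCE}]}
```

Dropping any one of the three policies in the working chain (or spelling the action iam:AssumeRole) makes access_via_role return False, which is the usual shape of a “why doesn’t this work” cross-account bug.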

This blog was supposed to be micro :/

Docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html