Tags: amazon-web-services, terraform, openid-connect, identity-management, assume-role

AWS Cross-account Role with OpenID Connect


I was thinking for a while about how to explain this in the best way possible. I have two AWS accounts that I am trying to set up cross-account roles with: PROD and MGMT.

The big picture: in my Bitbucket repo there is a Terraform ACM module that gets executed and authenticates with AWS (MGMT account) using OpenID Connect and assumes the SCM role. Using this role, the script creates a certificate in the MGMT account and is supposed to verify that certificate by creating a CNAME record in the PROD account.

The certificate gets created, but when the script tries to verify the record it fails with access denied, although I have an sts-assume role under the SCM role, and there is a role in PROD that gives the SCM role full access to Route53.

Role under MGMT account: ARN: arn:aws:iam::987654321:role/bitbucket.pipelines

sts-assume role under SCM in the MGMT account:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": "arn:aws:iam::123456789:role/AWS-SCM-ROLE"
    }
}

Role in PROD account, ARN arn:aws:iam::123456789:role/AWS-SCM-ROLE, trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::987654321:role/bitbucket.pipelines"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Charts:

   Bitbucket
+-------------+      OpenID Connect         +-----------------+
|             +----------------------------->                 |
|  Terraform  |                             |   MGMT Account  |
|             <-----------------------------+                 |
+-------------+     Token: bitbucket role   +-----------------+


   Bitbucket
+-------------+     Execute TF ACM Module   +-----------------+
|             +----------------------------->                 |
|  Terraform  |                             |   MGMT Account  |
|             <-----------------------------+                 |
+-------------+        Exit Code 0          +-----------------+



   Bitbucket
+-------------+      ACM Cont. Execution    +-----------------+
|             +----------------------------->                 |
|  Terraform  |                             |   PROD Account  |
|             <-----------------------------+                 |
+-------------+        Exit Code 1          +-----------------+

Solution

  • You can perform assume role in Terraform using the aws provider directly.

    But if I understand correctly, you are more interested in what happens after Terraform has prepared your environment, and you want to enable the assume role of your scripts which are separate from Terraform.

    So in our first role, which permissions are we getting from the policies? From here, there is no Action block enabling route53:Get etc. It can be hard to identify which account you are executing in when initially setting up these relationships. A handy aws cli command for debugging is:

    aws sts get-caller-identity

    This returns information about the role that invokes the command. This will help you ensure you are using the right identity (and that it is authenticated with current credentials) against the region & account you want to interact with in the context you execute from.

    If this is not helping, please provide the error message and some more details about what these bitbucket scripts / pipelines are doing.
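The following is an added example of the answer's first bullet (assuming the role from the Terraform aws provider directly) applied to the question's setup; it is not code from the asker or the answerer. It assumes the Bitbucket OIDC web-identity credentials for arn:aws:iam::987654321:role/bitbucket.pipelines are already in the environment, that arn:aws:iam::123456789:role/AWS-SCM-ROLE is the PROD role from the question, and that the domain name, region and hosted-zone id are placeholders you replace. It also shows the one thing the question's JSON does not: a permissions policy for the PROD role, since the trust policy only says who may assume the role, not what the assumed session may do.

```hcl
# Added example, not the original poster's module. Domain, region and
# hosted-zone id are placeholders.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Default provider: credentials come from the Bitbucket OpenID Connect web
# identity that the pipeline exposes, so calls here run as
# bitbucket.pipelines in the MGMT account.
provider "aws" {
  region = "us-east-1" # placeholder
}

# Second provider: the same web-identity credentials, chained through
# sts:AssumeRole into the PROD role. Anything with provider = aws.prod is
# created in PROD, which is where the validation CNAME has to land.
# session_name is what shows up in PROD's CloudTrail for these calls.
provider "aws" {
  alias  = "prod"
  region = "us-east-1" # placeholder

  assume_role {
    role_arn     = "arn:aws:iam::123456789:role/AWS-SCM-ROLE"
    session_name = "bitbucket-acm-validation"
  }
}

# Certificate is requested in MGMT (default provider).
resource "aws_acm_certificate" "this" {
  domain_name       = "app.example.com" # placeholder
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Validation records are written to the PROD hosted zone via aws.prod.
resource "aws_route53_record" "validation" {
  provider = aws.prod

  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = "Z0000000000000EXAMPLE" # placeholder PROD hosted zone id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Blocks in MGMT until ACM observes the records published in PROD.
resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# Least-privilege permissions policy for AWS-SCM-ROLE in PROD (attach it from
# the PROD side; the role cannot grant itself permissions). Without a
# route53 Action block like this the assumed session gets AccessDenied on
# ChangeResourceRecordSets even though the trust relationship is correct.
data "aws_iam_policy_document" "prod_route53_validation" {
  statement {
    actions = [
      "route53:ChangeResourceRecordSets",
      "route53:ListResourceRecordSets",
      "route53:GetHostedZone",
    ]
    resources = ["arn:aws:route53:::hostedzone/Z0000000000000EXAMPLE"]
  }

  statement {
    actions   = ["route53:GetChange"]
    resources = ["arn:aws:route53:::change/*"]
  }
}
```

With this layout, `terraform plan` already tells you which provider each resource belongs to, and the PROD side can confirm what actually happened by filtering CloudTrail for the `bitbucket-acm-validation` session name: an AssumeRole event from the MGMT role followed by ChangeResourceRecordSets on the placeholder zone is the expected trace, while an AccessDenied on ChangeResourceRecordSets after a successful AssumeRole points at the permissions policy rather than the trust policy.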