I have 2 AWS accounts in this use case.
Account A is where my EKS cluster resides, and I would like to access this cluster from Account B, specifically the API server endpoint and certificate data, which I can get via the eks:DescribeCluster action.
To be specific, my Lambda runs in Account B and has to get the above data from the EKS cluster in Account A. To achieve this, what is the best possible solution?
The approach that I took is performing a chained sts:AssumeRole action to achieve the above, i.e. the Account B Lambda role assumes a role in Account A (this role's trust policy is updated to allow that), and it works. However, I would like to know what other alternative solutions are available for this use case.
Thanks
You need to create a cross-account policy for that:
Allow assume role for the Lambda:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account B:role/my-lambda-execution-role"
},
"Action": "sts:AssumeRole"
}
]
}
And for your EKS:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::Account A:role/role-on-source-account"
}
}
Assuming that role allows eks:DescribeCluster.
This reading explains it in more detail: https://repost.aws/knowledge-center/lambda-function-assume-iam-role. Experiment with IAM roles until you get the desired effect.
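The full flow the question and answer describe, written out as an added example (not code from the question, the answer, or AWS): the three policy documents generated from the two account IDs, and a Lambda handler in Account B that assumes the Account A role with STS and then calls eks:DescribeCluster to pull the API server endpoint and CA data. The account IDs, role names, cluster name, region and ExternalId are hypothetical placeholders. Two practitioner additions beyond the answer are labelled in the code: the trust policy in Account A is conditioned on an sts:ExternalId so the Account A role cannot be used as a confused deputy by anything else that can invoke the Lambda, and the AssumeRole call passes a session policy that narrows the temporary credentials to eks:DescribeCluster on the one cluster ARN. boto3 is only imported inside the functions that talk to AWS, so the policy builders and the STS/EKS flow can be exercised offline with stub clients.

```python
"""Cross-account eks:DescribeCluster from a Lambda in Account B (added example)."""
import json
from typing import Any, Callable, Dict

# Hypothetical placeholders; replace with your own values.
ACCOUNT_A_ID = "111111111111"            # account that owns the EKS cluster
ACCOUNT_B_ID = "222222222222"            # account that runs the Lambda
REGION = "us-east-1"
CLUSTER_NAME = "my-cluster"
TARGET_ROLE_NAME = "eks-describe-reader"  # role created in Account A
LAMBDA_ROLE_NAME = "my-lambda-execution-role"  # Lambda execution role in Account B
EXTERNAL_ID = "example-external-id"       # shared secret agreed between the two accounts


def role_arn(account_id: str, name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{name}"


def cluster_arn(account_id: str, region: str, name: str) -> str:
    return f"arn:aws:eks:{region}:{account_id}:cluster/{name}"


def trust_policy_for_account_a_role(lambda_role_arn: str, external_id: str) -> Dict[str, Any]:
    """Trust policy on the Account A role: only the Account B Lambda role may assume it,
    and only when it presents the agreed ExternalId (added hardening, not in the answer)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": lambda_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy_for_account_a_role(cluster_arn_value: str) -> Dict[str, Any]:
    """Permissions on the Account A role: DescribeCluster on this one cluster only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "eks:DescribeCluster", "Resource": cluster_arn_value}],
    }


def assume_role_policy_for_lambda_role(target_role_arn: str) -> Dict[str, Any]:
    """Permissions on the Account B Lambda role: may assume exactly the Account A role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}],
    }


def describe_cluster_cross_account(
    sts_client: Any,
    eks_client_factory: Callable[[str, str, str], Any],
    target_role_arn: str,
    external_id: str,
    cluster_name: str,
    cluster_arn_value: str,
    session_name: str = "lambda-eks-describe",
) -> Dict[str, str]:
    """Assume the Account A role from Account B credentials, then DescribeCluster.
    sts_client is an STS client using the Lambda's own (Account B) credentials;
    eks_client_factory builds an EKS client from the temporary Account A credentials."""
    # Session policy: the temporary credentials can do no more than this, even if the
    # Account A role itself is broader (added least-privilege step, not in the answer).
    session_policy = permissions_policy_for_account_a_role(cluster_arn_value)
    resp = sts_client.assume_role(
        RoleArn=target_role_arn,
        RoleSessionName=session_name,
        ExternalId=external_id,
        DurationSeconds=900,  # shortest allowed; the Lambda only needs one API call
        Policy=json.dumps(session_policy),
    )
    creds = resp["Credentials"]
    eks = eks_client_factory(creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"])
    cluster = eks.describe_cluster(name=cluster_name)["cluster"]
    return {
        "arn": cluster["arn"],
        "endpoint": cluster["endpoint"],
        "ca_data": cluster["certificateAuthority"]["data"],  # base64 PEM, as returned by EKS
    }


def boto3_eks_client_factory(region: str) -> Callable[[str, str, str], Any]:
    import boto3  # imported lazily so the module loads without boto3 installed

    def make(access_key: str, secret_key: str, session_token: str) -> Any:
        return boto3.client("eks", region_name=region, aws_access_key_id=access_key,
                            aws_secret_access_key=secret_key, aws_session_token=session_token)
    return make


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, str]:
    """Entry point for the Account B Lambda."""
    import boto3
    return describe_cluster_cross_account(
        sts_client=boto3.client("sts", region_name=REGION),
        eks_client_factory=boto3_eks_client_factory(REGION),
        target_role_arn=role_arn(ACCOUNT_A_ID, TARGET_ROLE_NAME),
        external_id=EXTERNAL_ID,
        cluster_name=CLUSTER_NAME,
        cluster_arn_value=cluster_arn(ACCOUNT_A_ID, REGION, CLUSTER_NAME),
    )
```

Note that the trust policy generated here names the Lambda role in Account B as the principal: the role being assumed lives in Account A, but the principal allowed to assume it is the caller in Account B. The ExternalId is not a secret on its own; its job is to stop the Account A role from being usable by some other principal that can drive the Lambda, so keep it out of the event payload and read it from configuration.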