Thank you for this video!
I remember while I was going through the interview, this kind of question was asked. I wasn't sure at that time and had to ask many people working on AWS how to do that.
This video cleared my doubts; I learnt something today. Thanks a lot, Sir!
Keep doing good for us.
Sure. Please share and support us
So now you are working on AWS cloud?
This cross account access is very useful, especially for working people. You explained it very clearly without any confusion.
This tutorial/demo is amazing! It clearly explains how to set up cross account roles/access. It is much much better than official AWS documentation. Thank you!!!
Amazing, wonderful, concept-clearing video.
Another fine video tutorial. Thank you for demonstrating this feature - it is finally clear to me.
This is very clearly explained. Thanks to you.
Amazing clarity of thought and flow of explanation. Kudos to the creators!
Excellent explanation and demo. I was struggling to understand the switch role concept. Now it's very clear. Thank you so much Sir
Thanks for your appreciation. You can support our initiative of Free Practical Cloud Tutorials by sharing this video with your friends on Social channels, whatsapp etc.
If it helped you solve a problem and you would like to applaud us, click the Applaud button :)
For regular 1-1 interaction with me, check our Membership - ruclips.net/channel/UCzpHRBVnkzBfSsXostYuW1gjoin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hats off to you for such amazing content. You know where a user can be stuck and emphasize on this portion. Superb
Thank you. You can support this initiative by sharing our videos. 👍👍
Hello,
Last week I went through another AWS course. I understood the concept, but on my own I could not do it, because in that training he was using a CloudFormation template and the role was created automatically. This is the first time I realized how to create the sts:AssumeRole permission and restrict it to a specific individual. Now if I go back to the training course, I can join the dots backwards. Thanks a lot for this. The best point in this video was when you went ahead without creating the STS AssumeRole permission and made viewers think. I look forward to your "Online" hands-on training. The last impression of this video was the "use of real world use cases", because you normally get these situations in day-to-day life.
Sure. Do visit knowledgeindia.in to know the details and calendar
There is a hands on training starting now. Visit knowledgeindia.in and register if you want
Superb scenario based video...kudos to KI..
Thanks a ton. Please do share with your friends..
Very nice explanation with use case.
very well explained ,lot of clarity
Glad it helped! I am sure you will like our recently released KMS MasterClass video as well, check it here - ruclips.net/video/8ailVnVPigk/видео.html
an awesome explanation for cross-account access
Thanks Manish. SUBSCRIBE to RUclips channel: ruclips.net/user/knowledgeindia
Watch our videos in correct order: bit.ly/2GVzLti
Connect on LinkedIn, receive AWS updates & Practical Scenario Questions - bit.ly/2XC5bZg
If you have got benefited, you can support us on PATREON: bit.ly/2TzxTbb
Join AWS Practical Learning Group on LinkedIn: bit.ly/2Vx7aOi
SUBSCRIBE to our blog for AWS exercises & case-studies: www.knowledgeindia.in/
thank you very much sir....understood it very well 😊😊
what a tutorial !! Amazing, simply Amazing !!
I Applauded :)
Thank you very much!
Very well explained, simple thing explained in an even simpler manner.
Don't stop at this .. Do watch more complex topics on our channel..
The use cases you present is great! Thank you :)
Please subscribe to get all the future updates
Thanks 🙏👍 a lot.
For you I got my RUclips channel back.
Awesome video. This deserves like a hundred thumbs up from me.
You can share the video on LinkedIn and help us
well demonstrated, enjoyed this video. thanks a lot.
Thank you for sharing this information 🎉
Glad it helped! I am sure you will like our recently released KMS MasterClass video as well, check it here - ruclips.net/video/8ailVnVPigk/видео.html
Sir, you gave a good explanation of each and every part of this video, and the other videos which I have seen also explain basic and deep learning nicely. Thanks for sharing.
Thanks a lot.. Please LIKE & SHARE to support us...
Thanks a lot sir.. You cleared my doubt.. Excellent
Thanks. You can support us by sharing the video
A good and amazing content, thanks for it
Nice explanation.. Well 👍
Nice explanation... subscribed
Great work
Fantastic
Apart from the role policy being restricted to Gopal, is it not true that Komal is not able to log in "also" because she has not been given switch role permissions via the STS role's API?
exactly my question!
"One of the best AWS Tutorials on the net....", kudos KI. One request -> Can you please do a session on IAM permission boundaries..
Sure will do it soon. Keep sharing and supporting us
Its one of the best video
Thanks Ravindra :) Please share with your friends as well and help us.
Superb. Thankss
Very well explained ..
Please do share with your friends .. Thank you...
Great video, thanks a lot!
Awesome explanation ☺️
Thanks Veeru :) Please share with your friends on Linkedin / FB
Thank you sir. This is very helpful. I have a question beyond this part.
Say I have 2 users, user1 and user2, part of "assumeRoleGroup" on KI2, and I want all users part of "assumeRoleGroup" to be able to assume the role on KI3 and no one else. How do I do that? I tried adding the ARN of the group to Trust relationships on KI3 but that failed - gave me an error.
Looking forward to your suggestion
You cannot identify a user group as a principal in a policy (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.
Thank God, I found an awesome AWS channel. I am very new to AWS; please let me know how I can crack the AWS Associate Architecture exam. I started watching videos from your channel, and it's just awesome, Sir.
follow the playlist and do practicals as well.
Sir why was user Gopal assigned read only permissions only in KI2 account. I mean if Gopal had been assigned full access in KI2, would that have made a difference considering that the role assumed already is customised to be read only accessible.
awesome tutorial sir! thanks a lot!
you are the best :) waiting for IAM policies session
Thanks Kiran.. Please extend your support by sharing our videos with your friends.
@knowledgeindia Sure thing, and I'm already sharing your videos with my friends
Thank you so much Sir..
Very Good
wonderful work!
Thank you! Cheers!
Well explained!
Thanks! Please share our video and support us to do more..
Great video
Please check out our playlists for more AWS practical videos
Thanks! for the video , Just got a thought , I was wondering if the same thing could be done between two AWS organizations?
If you are specifying account ID in "trust relationship" policy, then the accounts could actually belong to 2 different AWS orgs.
Glad this video helped! I am sure you will like our recently released KMS MasterClass video as well, check it here - ruclips.net/video/8ailVnVPigk/видео.html
Thanks for the video.
I have a question, Instead of creating a group and adding users in 2nd account, Can we add Gopal and Komal as trusted users while giving permissions in Another AWS account option(role permissions) window?
Good explanation
Thank you. Please do check out other videos on our channel as well for the same type of content..
Nice one. thanks KI!
keep supporting us, by sharing our videos..
Thanks for the good explanation. Once this set up is done, how to achieve cross-account sign in using the AWS CLI?
Is there a way when you create the role on KI3 to use the ARN for a particular user?
Yes. Specify that user's ARN in the trust relationship.
Watch our complete security playlist for more
@knowledgeindia That seemed like a second step.
Sir why did user Gopal have to sts assume role?
I have a Java app running in an EC2 instance which makes use of Aurora RDS in another account as its database. Can we implement this scenario using this?
if you are using DB level user & password, then peer the VPCs and then it will work. IAM does not have a role there.
That was detailed !
One quick question regarding STS. Since assume role is under STS, in this use case once the user Gopal assumes the role in KI3, what would be the credentials used? I mean, will temporary credentials with a token be generated and used?
Yes
Greatttttt!!!!!
How to configure the same thing using the AWS CLI?
Nice video.
This video covers read-only access to KI3
How do I provide Admin access to KI3 only for a particular user who is on KI2?
Create an IAM role and add administrator policy to that user. Set up the trust relationship correctly.. Watch the video once again to get it clearly.
The tutorial was great. I was able to successfully delegate the role, but I am having problems creating a separation between environments (prod and demo). I have tried to add a resource tag to both IAM roles and STS and neither is working. I want a user with AdminAccess to have that access but limit him or her to demo or prod. Can you please provide some guidance on this topic? Thank you for the videos.
Hi,
Congrats on becoming our member. I will help you on this. Could you please elaborate this more on an email to me? Or, if you want we can take this up in our interaction for this month. We can setup some suitable time and help you over ZOOM/Live meeting.
I have a quick question. If I have server side encryption enabled at the bucket and I give another cross account role permission to put data in the bucket, but the cross account owner insists on client side encryption, I understand this can be done by sharing the KMS key and they can use any SDK at their end to achieve it.
a) Is it possible to achieve this?
b) When Retrieving the object out of the bucket then we would need to use the same KMS key to decrypt the object after downloading the object from bucket ?
Regards
Rahul
Rahul,
I think you are mixing server and client side encryption. Normally, you would choose to implement one out of two.
Please read -
docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
If you choose server side encryption, you don't need to do anything to encrypt and decrypt. Just that permission should be there to use KMS by the respective accounts
@knowledgeindia but if they are doing client side encryption then the object that is going to be uploaded is an encrypted one, isn't it?
In that case don't we need to decrypt it if we need to do something with that object?
Also, is it not possible to do client side encryption if we have server side encryption enabled on the S3 bucket?
Yes, you will have to decrypt when client side encryption is used.
If you want you can do both, but normally one is done at a time.
Thanks and very nice video :)
Please SHARE and support us.. :)
Very well explained... Can you do a session showing multiple issues regarding this switch role in real scenarios and how to tackle them?
How to do this in Terraform?
Best one
Thanks for providing such clear content for free. I am trying to understand what fits my use-case; let's say I have a binary which I need to run in another EC2 - VPC-peering / VPN / ??
can you please explain what is STS in detail and in which cases we have to use STS policy
Great video!! You just earned another subscriber. Quick question though: now that you have created the user group and attached the inline 'assumerole' policy, we don't have to modify the trust relationship to explicitly deny Komal's permission? Assuming Komal is not part of that user group.
How can I do the same thing through the CLI or API?
Thank you!
You're welcome! please share it with your friends and help them as well.
Also I have a doubt: at 10:01 I see that there is API session as 1 hour. What is that option, what does it do?
that's the duration for which the temporary credentials would be valid for this IAM role (after assumption of the role).
@knowledgeindia so what after that duration?
either assume again OR this attribute could be increased to higher value as well, but cannot be indefinite. Try it out by doing it practically.
@knowledgeindia Reassuming is hectic. Yes, I gave a role to someone with an 8hrs session, but I will meet him tomorrow and will check if he's still able to access my resources. Don't want to spoil someone's weekend hahaha
FYI, for programmatic access the behavior is not so: you create the ARN entry in the config files to assume the role, and it keeps on extending the session. This was told to me; I didn't check it in a lab.
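Added example, not from the video or the channel, on the "API session 1 hour" setting discussed above and on the CLI questions elsewhere in the thread (how to switch roles from the AWS CLI). It models the rules that bound the lifetime of the temporary credentials sts:AssumeRole returns, using the documented STS limits (DurationSeconds between 900 and 43200 seconds, capped by the role's MaxSessionDuration, which defaults to 3600; role chaining capped at 3600), and shows how a CLI profile with role_arn and source_profile re-assumes the role when its cached credentials run out. The STS call is simulated locally so the block runs offline; the account ID 222222222222, the role name KI3-ReadOnly, the profile names and the 5-minute refresh margin are placeholders.

```python
"""Lifetime of AssumeRole credentials and CLI profile re-assumption (added example)."""
import configparser
from datetime import datetime, timedelta, timezone

ROLE_MAX_DEFAULT = 3600    # MaxSessionDuration a new role gets (1 hour)
ROLE_MAX_CEILING = 43200   # highest MaxSessionDuration IAM allows (12 hours)
DURATION_MIN = 900         # lowest DurationSeconds STS accepts (15 minutes)
CHAINING_MAX = 3600        # role chaining (role creds assuming a role) is capped at 1 hour
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock start for the demo

# Constructed ~/.aws/config: the KI2 user's profile holds the long-lived source
# credentials; the second profile assumes the KI3 role with them.
AWS_CONFIG = """
[profile ki2-gopal]
region = ap-south-1

[profile ki3-readonly]
role_arn = arn:aws:iam::222222222222:role/KI3-ReadOnly
source_profile = ki2-gopal
duration_seconds = 3600
"""


def load_role_profile(config_text, name):
    """Read role_arn / source_profile / duration_seconds of a named CLI profile."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = cp[f"profile {name}"]
    return {
        "role_arn": section["role_arn"],
        "source_profile": section["source_profile"],
        "duration_seconds": int(section.get("duration_seconds", ROLE_MAX_DEFAULT)),
    }


def duration_error(duration_seconds, max_session_duration, chained=False):
    """Reason STS would reject this DurationSeconds, or None when it is acceptable."""
    if not DURATION_MIN <= duration_seconds <= ROLE_MAX_CEILING:
        return f"DurationSeconds must be between {DURATION_MIN} and {ROLE_MAX_CEILING}"
    if duration_seconds > max_session_duration:
        return "DurationSeconds exceeds the MaxSessionDuration set for this role"
    if chained and duration_seconds > CHAINING_MAX:
        return f"role chaining limits the session to {CHAINING_MAX} seconds"
    return None


class FakeSts:
    """Local stand-in for sts.assume_role(): enforces the limits, counts calls, stamps Expiration."""

    def __init__(self, max_session_duration=ROLE_MAX_DEFAULT):
        self.max_session_duration = max_session_duration
        self.calls = 0

    def assume_role(self, role_arn, duration_seconds, now, chained=False):
        error = duration_error(duration_seconds, self.max_session_duration, chained)
        if error:
            raise ValueError(error)
        self.calls += 1
        return {
            "AccessKeyId": f"ASIA-FAKE-{self.calls}",  # constructed, not a real key
            "SecretAccessKey": "fake-secret",
            "SessionToken": "fake-token",
            "Expiration": now + timedelta(seconds=duration_seconds),
        }


class RoleSession:
    """Cache credentials and re-assume shortly before they expire, as the CLI/SDKs do
    for a role_arn profile while the source_profile credentials still work."""

    def __init__(self, sts, profile, refresh_margin=timedelta(minutes=5)):  # margin is an assumption
        self.sts, self.profile, self.refresh_margin = sts, profile, refresh_margin
        self._creds = None

    def credentials(self, now):
        if self._creds is None or now >= self._creds["Expiration"] - self.refresh_margin:
            self._creds = self.sts.assume_role(
                self.profile["role_arn"], self.profile["duration_seconds"], now)
        return self._creds


def demo():
    """Run the cached-credentials flow on the constructed profile and report what happened."""
    profile = load_role_profile(AWS_CONFIG, "ki3-readonly")
    sts = FakeSts()  # role left at the default 1-hour MaxSessionDuration
    session = RoleSession(sts, profile)
    first = session.credentials(T0)
    return {
        "lifetime_seconds": int((first["Expiration"] - T0).total_seconds()),
        "cached_at_30min": session.credentials(T0 + timedelta(minutes=30)) is first,
        "renewed_at_61min": session.credentials(T0 + timedelta(minutes=61)) is not first,
        "sts_calls": sts.calls,
        "eight_hours_on_default_role": duration_error(8 * 3600, ROLE_MAX_DEFAULT),
        "eight_hours_after_raising_max": duration_error(8 * 3600, 8 * 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for the session-length exchange: the credentials really do stop working at Expiration, a request for 8 hours fails until the role's MaxSessionDuration is raised to at least that, and a role_arn profile hides the re-assumption from the user rather than extending the original session.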
Great
Thanks Vijay.
I have the below requirement:
I want to see all child account CloudWatch alarms on the parent account, and from that account I am going to integrate it with my MOM layer...
How can I see all account alerts in my parent account?
Secondly, I want to trigger an SNS topic which is available in my parent account, and I want to trigger it from my child account..
Wonderfully explained the 'oops' and 'gotchas' here. Watched it twice to understand it fully well. I see why the account granting access would want to restrict only to the legitimate users(Gopal). But going by principle of least privilege, Komal should not be given the STS access altogether if there really is going to be no need for her. Was it necessary?
Devang, that's more for the demo. Also, it is possible that Komal is allowed to assume role in some other AWS account. But, she should have Assume Role as the first step, isn't it?
@knowledgeindia : Right. So, we have the classic answer here: "It depends" :).
Precisely explained, well done my friend. Keep up the good work....👍 One query: if any object is uploaded to the S3 bucket named KI3 of the KI3 account by user Gopal of the KI2 account, will a user named Ram in the KI3 account be able to download the same object from the KI3 bucket of the KI3 account (assuming an appropriate policy is attached to IAM user Ram with download permission)?
Yes he would be
Please share our videos with friends
Nice video. I follow all your videos. My sincere request: please do not add music.
Hello KI, please upload a deep dive of the Redshift service
Very nice tutorial. Just one question. How do I add multiple users (i.e. >1) in Trust relationship?
As you add multiple values in an array - separated by comma. Give their full ARNs separated by commas. Please Like & Share with your friends.
@knowledgeindia Sure. Appreciated.
I have multiple VPCs in one account, and I have to give one user access to only a specific VPC and not the other VPCs and other resources. Is it possible?
Use conditions in IAM policy
Why did you assign read only access to Gopal in KI2? (Does it have anything to do with viewing objects in KI3? I think no.) This is a bit confusing. Hope I explained my question clearly.
Good question. Try to test it first without allocating it. You will be clear then.
Hello Sir. Let's suppose we have 100 users in my AWS account and I want only 90 users to be able to access the other account. Then do we have to edit the trust relationship for each of them, or is there any other way to do it in one shot? Thanks in advance
@knowledgeindia I tried but it doesn't allow me. Could you help to allow only one group?
@knowledgeindia An error occurred: Invalid principal in policy: "AWS":"arn:aws:iam::**************:group/ReadOnlyAccess"
Looks like group can not be specified
@knowledgeindia what is the limit of users on a role?
Nice explanatory video, thanks. But the background music is unnecessary and very disturbing while you try to focus on the content.
Thank you. Will take care of it in the future.
Check our playlists for more :)
Please share Playlist for AWS videos.
you can visit the playlist section on our channel.
I'm explaining below what I understood.
Please correct me if my understanding is wrong here.
Let's say users in acc B want to access resources in acc A.
Step 1 - acc A needs to have a role that allows acc B users (ARN).
Step 2 - acc B needs to have the users mapped to the ARN in the above step; besides this, a policy with service STS and permission AssumeRole should be assigned to the users.
Verification - acc B user logs in, then switches role; he needs to know acc A details, which are the account number of acc A and also the role name he created.
Perfect.. But, i suggest that you also do it and be confident :)
Share with your friends on Linkedin / FB.
Thanks for wonderful series
Regarding cross account access
How to give a group of users cross account access in the trusting account? I cannot add a group in the trusted entity because it is not a principal. Can you suggest?
we will have to use IAM roles
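Added example, not from the video or the channel, that pulls together several questions in this thread: why Komal still cannot switch roles even though the trust relationship does not mention her, how to list more than one user in the trust relationship, and how to give a whole group cross-account access when IAM refuses a group ARN as a principal. The pattern is: the KI3 role trusts the KI2 account root, and an identity policy attached to the KI2 group grants sts:AssumeRole on that role, so group membership in KI2 decides who can switch and no explicit Deny for Komal is needed. The account IDs 111111111111 (KI2) and 222222222222 (KI3), the role name KI3-ReadOnly and the group name assumeRoleGroup are placeholders; the two checks are a simplified stand-in for IAM's cross-account evaluation (exact action names, wildcard resources only), not AWS code.

```python
"""Both gates of a cross-account AssumeRole: trust policy in KI3 AND identity policy in KI2."""
import fnmatch

KI2 = "111111111111"  # assumed account ID of KI2 (trusted account, where Gopal and Komal live)
KI3 = "222222222222"  # assumed account ID of KI3 (trusting account, which owns the role)
ROLE_ARN = f"arn:aws:iam::{KI3}:role/KI3-ReadOnly"  # assumed role name

# Gate 1 (KI3 side): the role's trust policy. IAM accepts an account root, users and
# roles as principals; a group ARN is rejected when the policy is saved.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{KI2}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Gate 2 (KI2 side): identity policy attached to the group assumeRoleGroup. Because the
# trust policy delegates to the KI2 account root, this membership is what admits Gopal
# and keeps Komal out; nobody has to be listed in KI3 or explicitly denied.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def explicit_trust_policy(*principal_arns):
    """Trust policy that names individual users: several ARNs go in one array."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "sts:AssumeRole",
        }],
    }


def invalid_trust_principals(trust_policy):
    """List the errors IAM raises for principal types it does not accept (e.g. groups)."""
    errors = []
    for st in trust_policy["Statement"]:
        for arn in _as_list(st["Principal"]["AWS"]):
            resource = arn.split(":", 5)[5]  # "root", "user/...", "role/...", "group/..."
            if resource != "root" and not resource.startswith(("user/", "role/")):
                errors.append(f'Invalid principal in policy: "AWS":"{arn}"')
    return errors


def trust_allows(trust_policy, caller_arn):
    """Gate 1: the trust policy names the caller, or the root of the caller's account."""
    account_root = f"arn:aws:iam::{caller_arn.split(':')[4]}:root"
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principals = _as_list(st["Principal"]["AWS"])
        if caller_arn in principals or account_root in principals:
            return True
    return False


def identity_allows(caller_policies, role_arn):
    """Gate 2: the caller's own policies allow sts:AssumeRole on this role; explicit Deny wins."""
    allowed = False
    for policy in caller_policies:
        for st in policy["Statement"]:
            if "sts:AssumeRole" not in _as_list(st["Action"]):
                continue
            if any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(st["Resource"])):
                if st["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def can_assume(caller_arn, caller_policies, trust_policy, role_arn=ROLE_ARN):
    """Cross-account AssumeRole succeeds only when both gates allow."""
    return trust_allows(trust_policy, caller_arn) and identity_allows(caller_policies, role_arn)


if __name__ == "__main__":
    gopal = f"arn:aws:iam::{KI2}:user/Gopal"
    komal = f"arn:aws:iam::{KI2}:user/Komal"
    print("Gopal (in group):", can_assume(gopal, [GROUP_POLICY], TRUST_POLICY))  # True
    print("Komal (no group):", can_assume(komal, [], TRUST_POLICY))              # False
    print(invalid_trust_principals(explicit_trust_policy(f"arn:aws:iam::{KI2}:group/assumeRoleGroup"))[0])
```

Trusting the KI2 account root is what makes the group approach work, at the cost of handing the KI2 administrators control over who can switch; naming user ARNs in the trust policy keeps that control in KI3 but then every user still needs the identity policy as well, because cross-account the two gates are ANDed.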
All is Good but Why music Background
I made a mistake. Won't repeat it 🙀
What about CLI access?
You can do sts:AssumeRole
Great. Very helpful. But the background music is very distracting
This video is really helpful.Thank you so much.Kindly guide how to crack ACSAA-2019
Thanks. Please watch our playlists and read scenarios / questions in our blog. Join the LinkedIn Group.
Can you please stop the background music... going fwd?
Yes done that already. Please check latest videos on our channel ✌️✌️
I don't believe you should create IAM users for every employee. And also copying the same IAM roles between hundreds of accounts is just a waste of time.
What would you recommend? 🤔
@NoNo1913 Use an SSO solution, e.g. AWS SSO, Okta, Auth0, or any other. That's the industry standard for years now.
Background Music is annoying.
Brilliantly done, thanks a lot for this video. Have a Great New Decade.
Thank you. Please do share..
Great video