AWS Cross-Account AssumeRole Support

Avi Vantage can be deployed for Amazon Web Services (AWS) with multiple AWS accounts utilizing the IAM AssumeRole functionality that provides access across AWS accounts to the AWS resources/API from the respective accounts, instead of sharing user Access Key ID and Secret Access Key from different accounts.

Overview

Starting with Avi Vantage 16.2.3, while creating the AWS cloud type you have a new option, Use Cross-Account AssumeRole, which can be enabled if the AWS cloud needs to be created in an AWS account other than the one that hosts the Avi Controller. In the UI, the feature is enabled with a single check box.


Configuration

Referring to the below diagram, consider a hypothetical organization XYZ Corp with multiple AWS account IDs:

  • IT – 123456789012
  • Prod – 112233445566
  • Training – 111122223333

Prior to Avi Vantage 16.2.3, XYZ Corp would require an Access Key ID and Secret Access Key for each account to create an Avi Vantage Service Engine cloud in AWS. Sharing the AWS access keys of the respective accounts is a security concern, and it is also cumbersome to track and rotate all of those keys. Instead, you can now use AWS IAM roles in each account that grant access to AWS resources or APIs across accounts, and these can be changed dynamically.

AWS Configuration

The prerequisite configuration is done in AWS to set up the IAM user or roles to access other accounts using AWS Security Token Service (STS) AssumeRole.

AWS accounts require access to AWS resources or APIs. In this example, Avi Controller is hosted in the IT account (AWS account id – 123456789012) and the Avi Service Engine cloud provides data path services in the Prod account (AWS account id – 112233445566).
Use the account IDs and resource ARNs that are applicable to your environment, while following this guide.

Cross-account setup is explained in the AWS tutorial on delegating access across AWS accounts using IAM roles (see reference 5 below).

STEP-1: Create a Role

In the Prod account, set up the Prod-Xacc-Access role, which will be the cross-account role.

  1. Navigate to IAM > Roles and click on Create New Role.

  2. Select Role for Cross-Account Access and select Provide access between AWS accounts you own.

  3. Enter the AWS account ID of the AWS account that can assume this role. In this example, it is the IT account (AWS account ID – 123456789012). You may choose Require MFA based on your requirements.

  4. Select the policies required by the Prod-Xacc-Access role to create the Avi SE for providing Avi Vantage functionality. The policies attached to this role in this reference setup are AviController-EC2-Policy, AviController-IAM-XAccess-Policy, AviController-R53-Policy and AviController-S3-Policy.

  5. Complete the creation of the Prod-Xacc-Access role by reviewing it and clicking on Create Role.

To summarize, for Prod-Xacc-Access role the role ARN will be displayed as arn:aws:iam::112233445566:role/Prod-Xacc-Access. Ensure that the format is: arn:aws:iam::account-id:role/role-name.

STEP-2: Grant Access to the Role

Now that Prod-Xacc-Access is set up in the Prod AWS account (112233445566), any user or role in the IT AWS account (123456789012) will be able to assume the role with the appropriate configuration, as explained in the steps given below.

We need to create the IT-AviController-Role role in the IT AWS account (123456789012) to assume the role of Prod-Xacc-Access in the Prod AWS Account (112233445566). This is the role to which the Avi Controller instance will be attached.

Create the policy Cross-Account-AssumeRole-policy, which will be attached to the IT-AviController-Role role.

  1. Navigate to IAM > Create Policy > Step 1: Create Policy and select Create Your Own Policy.

  2. Configure the policy with the sts:AssumeRole action and provide the resource reference for the Prod-Xacc-Access role’s ARN, which in this example is arn:aws:iam::112233445566:role/Prod-Xacc-Access. Click on Create Policy to save the policy.

    For attaching multiple accounts, use the following policy syntax:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::<ACCOUNT-ID1>:role/<Role-Name-1>"
            },
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::<ACCOUNT-ID1>:role/<Role-Name-2>"
            },
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::<ACCOUNT-ID2>:role/<Role-Name>"
            }
        ]
    }

  3. Navigate to IAM > Create Role > Step 1: Set Role Name and provide the role name IT-AviController-Role.

  4. Select AWS Service Roles and select Amazon EC2 as the role type.

  5. Under Attach Policy, select the Cross-Account-AssumeRole-policy created earlier and also the AviController-EC2-Policy, which is required for the Controller’s internal operations.

Complete the role creation and verify that both policies are now attached.
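The two policy documents from STEP-1 and STEP-2 (the trust policy on Prod-Xacc-Access and the Cross-Account-AssumeRole-policy on IT-AviController-Role), generated and format-checked for the XYZ Corp accounts above. This is an added Python example, not Avi or AWS code; the function names are assumptions, it calls no AWS API, and it generalizes the page's single-target policy to any number of target roles.

```python
import re

# Account IDs from the XYZ Corp example in this document.
IT_ACCOUNT = "123456789012"
PROD_ACCOUNT = "112233445566"
_ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]{1,64})$")


def parse_role_arn(arn: str) -> tuple:
    """Split a role ARN into (account_id, role_name); ValueError on bad format."""
    m = _ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a well-formed IAM role ARN: {arn!r}")
    return m.group(1), m.group(2)


def trust_policy(trusted_accounts: list, require_mfa: bool = False) -> dict:
    """Trust policy for the cross-account role (STEP-1): which accounts may assume it."""
    for acct in trusted_accounts:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"account id must be 12 digits: {acct!r}")
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in trusted_accounts]},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # the 'Require MFA' option from STEP-1 item 3
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(role_arns: list) -> dict:
    """Policy for the Controller's role (STEP-2): one Allow statement per target role."""
    statements = []
    for arn in role_arns:
        parse_role_arn(arn)  # fail early on a malformed ARN
        statements.append({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arn})
    return {"Version": "2012-10-17", "Statement": statements}


def targets_by_account(policy: dict) -> dict:
    """Group assumable roles by account, as the cloud-creation drop-down lists them."""
    out = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "sts:AssumeRole":
            account, name = parse_role_arn(stmt["Resource"])
            out.setdefault(account, []).append(name)
    return out
```

Feed the output of trust_policy to the role created in STEP-1 and the output of assume_role_policy to the policy created in STEP-2; targets_by_account shows which account/role pairs the Controller will be able to offer.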

Avi Vantage Configuration Steps

After completing the prerequisite setup, you can configure the IAM role for the Avi Controller as IT-AviController-Role by following the steps in the AWS Installation Guide. Skip the cloud creation steps and choose No Orchestrator during setup. Ensure that the VPCs and subnets are configured in AWS so that the Avi Controller management interface and the Service Engines’ management networks are reachable from the other accounts.

  1. Create the AWS cloud by navigating to Infrastructure > Clouds and clicking on Create.

  2. Choose the appropriate region and select the checkbox for Use AWS Identity and Access Management (IAM) roles. This ensures that the IT-AviController-Role attached to the Avi Controller at launch is used.

  3. Select the checkbox for Use Cross-Account AssumeRole if the cloud is to be set up in another AWS account. In this example, the Avi SE cloud is created in the Prod AWS account (112233445566) from the Avi Controller hosted in the IT AWS account (123456789012).

    As the cross-account AssumeRole has already been set up for IT-AviController-Role, on selecting the checkbox the back-end APIs fetch the associated AssumeRole accounts and their roles and display them in the drop-down list.
    If no AssumeRole permissions were attached, the list would be empty. In that case, a text box is provided to enter the ARN of the role that the Avi Controller instance’s IAM role (in our case, IT-AviController-Role) should assume.

  4. Select the ARN for the account and role where the SE targets will be deployed.

  5. If the role has the appropriate access and is correctly set up, the Avi Controller will fetch the AWS account details and the VPC networks. From this point, the flow continues as in the existing SE AWS cloud setup.

  6. Cloud setup will progress and the Avi SE AMI will be copied to the target account.

  7. Once the transfer completes, the cloud status will move to Cloud ready for Virtual Service placement.

  8. Virtual services can now be configured on this cloud by following the steps mentioned at Create a Virtual Service.

References

  1. AWS IAM – https://aws.amazon.com/iam/
  2. AWS IAM Roles – http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
  3. AWS IAM AssumeRole – http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html
  4. AWS Delegating API access using IAM Roles – https://aws.amazon.com/blogs/aws/delegating-api-access-to-aws-services-using-iam-roles/
  5. AWS IAM Tutorial on Delegate Access across AWS accounts using IAM Roles – http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
  6. AviController-EC2-Policy and AviController-R53-Policy are referenced in the IAM role setup guide.

  7. AviController-IAM-XAccess-Policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1450417666000",
                "Effect": "Allow",
                "Action": [
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListPolicies",
                    "iam:ListRolePolicies",
                    "iam:ListRoles",
                    "iam:ListAccountAliases",
                    "iam:ListAttachedUserPolicies",
                    "iam:ListAttachedGroupPolicies",
                    "iam:GetUserPolicy",
                    "iam:GetGroupPolicy",
                    "iam:ListUserPolicies",
                    "iam:ListGroupPolicies"
                ],
                "Resource": ["*"]
            }
        ]
    }

  8. AviController-S3-Policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1450394113000",
                "Effect": "Allow",
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:CreateBucket",
                    "s3:DeleteBucket",
                    "s3:DeleteObject",
                    "s3:GetBucketLocation",
                    "s3:GetBucketTagging",
                    "s3:GetObject",
                    "s3:ListAllMyBuckets",
                    "s3:ListBucket",
                    "s3:ListBucketMultipartUploads",
                    "s3:ListMultipartUploadParts",
                    "s3:PutBucketTagging",
                    "s3:PutObject"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }