I am trying to create a route53 recordset from Account1 in Account2.

From reading other posts and online search I am thinking of doing something like this:

from boto3 import Session

# Placeholder credentials as in the original post; never embed real keys in code.
session = Session(aws_access_key_id='*****',
                  aws_secret_access_key='*****',
                  region_name='us-east-1')
r53_client = session.client('route53')
# Note: boto3 has no resource interface for Route 53, so session.resource('route53')
# raises ResourceNotExistsError; the client is the only interface for this service.

I want to know from someone experienced whether this is the right way to do this, or is there a better way to achieve the above?

Here is updated code:

import boto3


def lambda_handler(event, context):
    # Assume the cross-account role using the Lambda's own execution-role credentials
    sts = boto3.client('sts')
    response = sts.assume_role(
        RoleArn='arn:aws:iam::***123:role/lambda',
        RoleSessionName='my-random-session-name',
        DurationSeconds=900  # how many seconds these credentials will work
    )

    # Temporary credentials returned by STS for the assumed role
    tempAccessKeyId = response['Credentials']['AccessKeyId']
    tempSecretAccessKey = response['Credentials']['SecretAccessKey']
    tempSessionToken = response['Credentials']['SessionToken']

    # Route 53 client that acts as the assumed role in the other account
    client = boto3.client('route53',
                          region_name='us-west-2',
                          aws_access_key_id=tempAccessKeyId,
                          aws_secret_access_key=tempSecretAccessKey,
                          aws_session_token=tempSessionToken)

    response = client.list_resource_record_sets(
        HostedZoneId='***',
        StartRecordName='test.example.com.',
        StartRecordType='A'
    )

    print(response)
NoviceMe

2 Answers

Based on the fact that you are doing this from an AWS Lambda function, the most secure way to do it would be:

  • In Account 1:
    • Create an IAM Role (Role 1) that will be used by the Lambda function
    • Assign permissions to the role that allows it to assume Role-2
    • Also assign any other permissions the Lambda function requires (you would normally add the AWSLambdaBasicExecutionRole managed policy to allow logging)
    • Assign Role 1 to the Lambda function
  • In Account 2:
    • Create an IAM Role (Role 2) with trust permissions that allows Role 1 in Account 1 to assume it
    • Grant Role 2 appropriate permissions to use Amazon Route 53

In your Lambda code, you would call AssumeRole() on Role 2. This will provide a set of temporary credentials that can be used to access Account 2 (as per your code, above).

See: Switching to an IAM Role (AWS API) - AWS Identity and Access Management

John Rotenstein
  • I did as you suggested. Please see attached in question. But I am still getting error: An error occurred (AccessDenied) when calling the operation: User: arn:aws:sts::***:assumed-role/** is not authorized to access this resource – NoviceMe Nov 08 '19 at 04:40
  • Which line is giving the error? It is probably because `Role 2` has not been granted the appropriate permissions for Route 53. What permissions are in that role? – John Rotenstein Nov 08 '19 at 04:58
  • It says - An error occurred (AccessDenied) when calling the ListResourceRecordSets operation: User: arn:aws:sts::***:assumed-role/ is not authorized to access this resource. Role 1 lambda function has all route53 access. Role 2 has all route 53 access and account 1 added to it. – NoviceMe Nov 08 '19 at 05:07
  • Do I need to attach route53 role I created to lambda function somehow if I am running it locally? – NoviceMe Nov 08 '19 at 05:08
  • Thanks a lot! I figured it out. Will update code above that is wrong. – NoviceMe Nov 08 '19 at 05:33
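A worked version of the two-account layout this answer describes, as an added example (it is not the asker's or the answerer's code): the three policy documents the steps call for, the mapping from the STS AssumeRole response onto boto3.client arguments, and a handler that writes the record set. Account IDs, role names, the hosted zone ID and the role session name are constructed placeholders. boto3 is imported inside the handler so the policy and credential helpers can be exercised without it.

```python
"""Cross-account Route 53 access from Lambda via STS AssumeRole.

Added example; not the asker's or answerer's code. Account IDs, role names
and the hosted zone ID below are constructed placeholders.
"""
from typing import Any, Dict

ACCOUNT_1 = "111111111111"          # account running the Lambda (placeholder)
ACCOUNT_2 = "222222222222"          # account owning the hosted zone (placeholder)
ROLE_1_ARN = f"arn:aws:iam::{ACCOUNT_1}:role/lambda-route53-caller"
ROLE_2_ARN = f"arn:aws:iam::{ACCOUNT_2}:role/route53-record-writer"
HOSTED_ZONE_ID = "Z0000000EXAMPLE"  # placeholder hosted zone in Account 2


def role1_assume_policy(target_role_arn: str = ROLE_2_ARN) -> Dict[str, Any]:
    """Permission policy for Role 1: may assume exactly Role 2, nothing broader."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "sts:AssumeRole",
                       "Resource": target_role_arn}],
    }


def role2_trust_policy(trusted_role_arn: str = ROLE_1_ARN) -> Dict[str, Any]:
    """Trust policy on Role 2: only Role 1 in Account 1 may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": trusted_role_arn},
                       "Action": "sts:AssumeRole"}],
    }


def role2_route53_policy(zone_id: str = HOSTED_ZONE_ID) -> Dict[str, Any]:
    """Permission policy on Role 2, scoped to the one hosted zone the Lambda edits.

    If this policy is missing or scoped to a different zone, AssumeRole still
    succeeds but ListResourceRecordSets fails with AccessDenied, as in the thread.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["route53:ListResourceRecordSets",
                                  "route53:ChangeResourceRecordSets"],
                       "Resource": f"arn:aws:route53:::hostedzone/{zone_id}"}],
    }


def client_kwargs_from_assume_role(response: Dict[str, Any], region: str) -> Dict[str, str]:
    """Map an STS AssumeRole response onto the keyword arguments boto3.client takes."""
    creds = response["Credentials"]
    return {
        "region_name": region,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def upsert_a_record_change(name: str, ip: str, ttl: int = 300) -> Dict[str, Any]:
    """ChangeBatch for ChangeResourceRecordSets that creates or updates one A record."""
    return {"Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": {"Name": name, "Type": "A", "TTL": ttl,
                                               "ResourceRecords": [{"Value": ip}]}}]}


def lambda_handler(event, context):
    """Assume Role 2 with the Lambda's own role credentials, then write the record.

    Expects event = {"name": "host.example.com.", "ip": "192.0.2.10"} (constructed shape).
    """
    import boto3  # available in the Lambda runtime; imported here so the helpers above need no boto3
    sts = boto3.client("sts")
    assumed = sts.assume_role(RoleArn=ROLE_2_ARN,
                              RoleSessionName="route53-update",  # placeholder session name
                              DurationSeconds=900)
    r53 = boto3.client("route53", **client_kwargs_from_assume_role(assumed, "us-east-1"))
    return r53.change_resource_record_sets(
        HostedZoneId=HOSTED_ZONE_ID,
        ChangeBatch=upsert_a_record_change(event["name"], event["ip"]))
```

The three policy documents are the part worth checking when AssumeRole succeeds but the Route 53 call is denied: the trust policy names Role 1's ARN as principal, Role 1's policy names Role 2's ARN as the only assumable resource, and Role 2's policy grants the two Route 53 actions on the single hosted zone ARN rather than on `*`.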

To make an API call to an AWS account, you either need credentials from that AWS account (e.g. credentials associated with an IAM User), or you need the ability to assume an IAM Role in that account.

So, in your example, if the credentials being provided belong to Account2, then you will be able to make API calls to Account2 (if that IAM User has been granted the necessary Route 53 permissions).

If you are frequently moving between accounts, you can instead specify a profile, which retrieves a different set of credentials from the credentials file.

See: python - How to choose an AWS profile when using boto3 to connect to CloudFront - Stack Overflow

John Rotenstein
  • I am trying to do this through a lambda so I don't think profile will work. So you suggest assume role is best way to go? – NoviceMe Nov 08 '19 at 03:20