Configure multiple accounts using assume role policy?

Builder

I have been using the documentation, but AWS user permissions, groups and policies are confusing enough, and on top of that the documentation doesn't seem very clear to me.

So on my event collector where I do all the configurations, I have the autodiscovered ec2 role for the eventcollector machine configured so it can access information in that account for the AWS app. I want to add more AWS accounts and have been following this page. http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions

It states "If the user is in a different account than the role, then the user's administrator must attach a policy that allows the user to call AssumeRole on the ARN of the role in the other account."

So if account A is the account that is working with the ec2 role tied to the event collector, do I create a user on account B and set

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNTA:role/eventcollector"
    }
  ]
}

Then on Account A set the role to

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTB:user/splunkcollectinguser"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

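Added example (not code from this thread or from the Splunk Add-on for AWS): the two policy documents the AWS cross-account pattern needs when a collector identity in account A reads from account B, plus a small check that a given pair is wired in the right direction. The pattern the linked Splunk doc describes is: the role to assume lives in the account being collected from (B), its trust policy names the collector identity in A as principal, and the collector identity in A carries an identity policy allowing sts:AssumeRole on that B role ARN. The account IDs, role names, session name and the optional ExternalId are placeholders. The last helper calls STS for real (it is the only part that needs credentials and network) and shows where the session token asked about later in the thread comes from: AssumeRole returns it alongside the key pair, so nothing has to be typed into a session-token field.

```python
"""Cross-account AssumeRole policy pair for a Splunk collector (added example)."""
import json
import re

# Matches IAM role/user ARNs; placeholders below use 12-digit dummy account IDs.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/([\w+=,.@/-]+)$")


def _as_list(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def trust_policy(collector_principal_arn, external_id=None):
    """Trust policy for the role in the account being collected FROM (account B).
    It names the collector identity in account A as the only allowed principal."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": collector_principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        # Confused-deputy mitigation; only usable if the calling tool can send it.
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_permission(target_role_arn):
    """Identity policy attached to the collector identity in account A,
    allowing it to call sts:AssumeRole on the role in account B."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def check_pair(collector_arn, target_role_arn, trust, permission):
    """Return a list of problems for a (trust policy, permission policy) pair.

    collector_arn: identity in account A that will call AssumeRole.
    target_role_arn: role in account B that should be assumed.
    An empty list means the pair is wired in the direction AWS expects."""
    problems = []
    m_caller, m_target = ARN_RE.match(collector_arn), ARN_RE.match(target_role_arn)
    if not m_caller or not m_target:
        return ["malformed ARN"]
    if m_target.group(2) != "role":
        problems.append("target of AssumeRole must be a role ARN, not a user")
    if m_caller.group(1) == m_target.group(1):
        problems.append("collector and target are in the same account; no cross-account hop")

    # The trust policy on the target role must name the collector as principal.
    trusted = set()
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        trusted.update(_as_list(aws))
    if collector_arn not in trusted:
        problems.append(f"trust policy does not name {collector_arn} as principal")
    if "*" in trusted:
        problems.append("trust policy allows any AWS principal ('*')")

    # The permission policy on the collector must allow AssumeRole on the target role.
    allowed = set()
    for st in permission.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            allowed.update(_as_list(st.get("Resource")))
    if target_role_arn not in allowed and "*" not in allowed:
        problems.append(f"collector policy does not allow sts:AssumeRole on {target_role_arn}")
    return problems


def assume_role_live(target_role_arn, session_name="splunk-collector"):
    """Live check with boto3 (needs credentials and network; not run offline).
    The temporary credentials returned include the SessionToken, which is used
    together with the key pair; no separate session-token input is needed."""
    import boto3  # imported here so the rest of the module runs without boto3
    resp = boto3.client("sts").assume_role(RoleArn=target_role_arn, RoleSessionName=session_name)
    c = resp["Credentials"]
    return {"AccessKeyId": c["AccessKeyId"], "SecretAccessKey": c["SecretAccessKey"],
            "SessionToken": c["SessionToken"]}


if __name__ == "__main__":
    # Placeholder identities: collector role in account A, target role in account B.
    collector = "arn:aws:iam::111111111111:role/eventcollector"
    target = "arn:aws:iam::222222222222:role/SplunkReadOnly"
    print(json.dumps(trust_policy(collector), indent=2))
    print(json.dumps(assume_role_permission(target), indent=2))
    print(check_pair(collector, target, trust_policy(collector), assume_role_permission(target)))
```

Run it as a script to print the two documents for the placeholder accounts; feed your own policies into check_pair to confirm the trust statement sits on the B role and the sts:AssumeRole grant sits on the A identity before adding the role ARN in the add-on.

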
Re: Configure multiple accounts using assume role policy?

Splunk Employee

In Splunk, you should add the second account using the ARN for Account B, "arn:aws:iam::ACCOUNTB:user/splunkcollectinguser".

Go to your Splunk Add-on for AWS, click on Configuration then click on the IAM Role tab and click the "Add" button. Give the name to this account and paste the ARN. Now, this account will be available for you to AssumeRole and collect data from Account B.

Re: Configure multiple accounts using assume role policy?

Ultra Champion

@cuyose - Did that help? If so, you can let us know by accepting the answer (you should see a link).

Re: Configure multiple accounts using assume role policy?

New Member

Can Splunk use an External ID if it is required to assume the Role ARN for ACCOUNTB?

Re: Configure multiple accounts using assume role policy?

Splunk Employee

No, we do not support External ID for the AssumeRole function.

Re: Configure multiple accounts using assume role policy?

New Member

Thank you so much for the fast reply but it is a bit confusing.

You say "No" but then you say "we do". Did you mean "We don't support External ID for the AssumeRole function"?

Re: Configure multiple accounts using assume role policy?

Splunk Employee

Fixed my previous response to "do not".

Re: Configure multiple accounts using assume role policy?

New Member

Thank you for the clarification and speedy response. Have a great day!

Re: Configure multiple accounts using assume role policy?

New Member

One last question. Can Splunk use a session token?

When I get temporary credentials it has a key, an access key and a session token, but I don't see any way to set up a connection/account using these temporary credentials since there is nowhere to put a session token.

Thank you in advance.

Re: Configure multiple accounts using assume role policy?

Splunk Employee

You don't need the session token. When using STS AssumeRole you don't need the access key or the session token.

I don’t understand what you are trying to do with the session key.
