the goal
I'm trying to follow https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html to have a single IAM user capable of accessing both my gov and commercial account.
I chose to have a user in the gov account be the principal capable of assuming the role with the permissions policies I need in the commercial account, and I'm getting the error:
error
Failed to create role mysuperrolename.
Invalid principal in policy: "AWS":"arn:aws-us-gov:iam::11111111111:user/theusername"
role in the commercial account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-us-gov:iam::11111111:user/theusername"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
I attached some permissions policies to the role, but that's not related to the error.
things I've tried
I have a feeling this is due to the Government cloud. Can anyone assist, or has anyone had this problem? I tried changing aws-us-gov
to just aws
in the ARN above, to no avail.
I get the same error if I just use the account number of the gov account (111111111), instead of the particular user, as the Principal.
Any help would be greatly appreciated, as my ability to not have multiple IAM users for all my services depends on this.
CodePudding user response:
AWS GovCloud Regions and AWS commercial Regions are in different AWS partitions and are isolated from each other. So using IAM like this is not possible.
EDIT: found this in the docs:
Partitions
AWS groups Regions into partitions. Every Region is in exactly one partition, and each partition has one or more Regions. Partitions have independent instances of AWS Identity and Access Management (IAM) and provide a hard boundary between Regions in different partitions. AWS commercial Regions are in the aws partition, Regions in China are in the aws-cn partition, and AWS GovCloud Regions are in the aws-us-gov partition. Some AWS services are designed to provide cross-Region functionality, such as Amazon S3 Cross-Region Replication or AWS Transit Gateway Inter-Region peering. These types of capabilities are only supported between Regions in the same partition. You cannot use IAM credentials from one partition to interact with resources in a different partition.
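The practical takeaway from the partition rule is that a trust policy can be checked for cross-partition principals before you ever call CreateRole, which turns the vague "Invalid principal in policy" error into a precise one. The following is an added example (not from the question, the answer, or AWS); it assumes Python 3 and the three partitions named in the docs excerpt above, and the sample policies are constructed inline (the first is the trust policy from the question).

```python
import json
from typing import Dict, List

# Map a Region name to its partition using the rule from the AWS docs:
# us-gov-* Regions are in aws-us-gov, cn-* Regions in aws-cn, everything else in aws.
# Assumption: only these three partitions exist for our purposes.
def partition_for_region(region: str) -> str:
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


# Split an ARN into its six colon-separated fields:
# arn:<partition>:<service>:<region>:<account>:<resource>
def parse_arn(arn: str) -> Dict[str, str]:
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    return {
        "partition": partition,
        "service": service,
        "region": region,
        "account": account,
        "resource": resource,
    }


# Collect every "AWS" principal from the Allow statements of a role trust policy.
# Handles both the single-string and list forms, and a single-statement dict.
def principal_values(trust_policy: dict) -> List[str]:
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found: List[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "Principal": "*" carries no partition to check
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        found.extend(aws)
    return found


# Return the principal ARNs whose partition differs from the partition the role
# is being created in. Bare account IDs (no "arn:" prefix) are skipped: IAM
# resolves them inside the role's own partition, so an ID from another partition
# simply fails to resolve there, which is the second error the question reports.
def cross_partition_principals(trust_policy: dict, role_partition: str) -> List[str]:
    return [
        p
        for p in principal_values(trust_policy)
        if p.startswith("arn:") and parse_arn(p)["partition"] != role_partition
    ]


# Constructed sample: the trust policy from the question, for a role that lives
# in a commercial (aws-partition) account.
TRUST_POLICY_FROM_QUESTION = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws-us-gov:iam::11111111:user/theusername"},
            "Action": "sts:AssumeRole"
        }
    ]
}
""")

# Constructed sample: the same policy with a principal from a commercial account
# (hypothetical account ID), which is the only form IAM in the aws partition can accept.
SAME_PARTITION_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:user/theusername"},
            "Action": "sts:AssumeRole"
        }
    ]
}
""")


if __name__ == "__main__":
    role_partition = partition_for_region("us-east-1")  # where the role is created
    for name, policy in [("question", TRUST_POLICY_FROM_QUESTION),
                         ("fixed", SAME_PARTITION_POLICY)]:
        bad = cross_partition_principals(policy, role_partition)
        print(f"{name}: cross-partition principals -> {bad}")
```

Run it before calling `aws iam create-role`: a non-empty result means IAM will reject the policy, and the fix is not a different ARN spelling but a principal (user or role) that exists in the same partition as the role, with the cross-partition link handled outside IAM (for example a separate identity, or federation that issues credentials in each partition).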