How do I manage cross account access with IAM Roles for Service Accounts? #156
I'm looking at how to provide access to an S3 bucket in our In particular, I have an EKS pod in my prod account which needs access to an S3 bucket in the prod account, and a second S3 bucket in the shared account. I have a role in prod which is set up for IRSA and provides access to an S3 bucket in the prod account. How can I write the IAM policies in the shared account to perform a cross-account S3 bucket access, via role chaining, in Terraform without manually copying ARNs and OIDC identifiers around?
Replies: 1 comment
The best way to address this is to allow direct access to the bucket to the prod account IAM role, using S3 bucket policies (https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/).

With that said, unfortunately, you won't be able to get away from manually copying ARNs around, primarily because cross account output access in terragrunt is fairly tricky to implement cleanly. The best way to make this work is to make the IAM role name coded in a common data file that you import and pass to each account. Once you have that, you should be able to compute the IAM role arn used by the pod, since the IAM role arn is of the form arn:aws:iam:<ACCOUNT_ID>::role/<NAME>, where…
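As an added illustration of the approach described in the answer (this is example Terraform written for this page, not code from the discussion or from any project), the following shows the two halves that cross-account S3 access needs: a bucket policy in the shared account that names the prod-account IRSA role as principal, and an identity policy attached to that role in the prod account allowing the same actions. The variable names `prod_account_id`, `irsa_role_name` and `shared_bucket_name` are assumptions standing in for values that would come from the common data file the answer mentions; the role ARN is computed from them in the form `arn:aws:iam::<ACCOUNT_ID>:role/<NAME>` rather than copied by hand.

```hcl
# Added example, not from the original discussion. Variables below are
# assumed inputs that a shared data file would supply to each account.

variable "prod_account_id" {
  description = "Account ID of the prod account that owns the IRSA role (assumed input)"
  type        = string
}

variable "irsa_role_name" {
  description = "Name of the IRSA role used by the EKS pod (assumed input)"
  type        = string
}

variable "shared_bucket_name" {
  description = "Name of the S3 bucket in the shared account (assumed input)"
  type        = string
}

locals {
  # Derive the pod's role ARN from the account ID and role name instead of
  # pasting it between configurations.
  irsa_role_arn = "arn:aws:iam::${var.prod_account_id}:role/${var.irsa_role_name}"
}

# --- Shared account: bucket policy granting the prod IRSA role read access ---
# Kept to the minimum actions (object read and bucket listing) on this bucket only.
data "aws_iam_policy_document" "shared_bucket" {
  statement {
    sid    = "AllowProdIrsaRoleGetObject"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.irsa_role_arn]
    }
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.shared_bucket_name}/*"]
  }

  statement {
    sid    = "AllowProdIrsaRoleListBucket"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.irsa_role_arn]
    }
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.shared_bucket_name}"]
  }
}

resource "aws_s3_bucket_policy" "shared_bucket" {
  bucket = var.shared_bucket_name
  policy = data.aws_iam_policy_document.shared_bucket.json
}

# --- Prod account: identity policy on the IRSA role for the same actions ---
# A bucket policy alone is not enough across accounts; the calling role must
# also be allowed to perform these actions by its own policies.
data "aws_iam_policy_document" "pod_shared_bucket_access" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.shared_bucket_name}/*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.shared_bucket_name}"]
  }
}

resource "aws_iam_role_policy" "pod_shared_bucket_access" {
  name   = "shared-bucket-read"
  role   = var.irsa_role_name
  policy = data.aws_iam_policy_document.pod_shared_bucket_access.json
}
```

In practice the two resource groups live in separate root modules applied with different provider credentials (one per account); they are shown together here only so the shared inputs are visible in one place. Because the bucket policy names the role directly, the pod does not need to assume a second role in the shared account, which is the "direct access" the answer recommends over role chaining.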