the goal
I’m trying to follow https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html to have a single IAM user capable of accessing both my gov and commercial account.
I chose to have a user in the gov account be the principal capable of assuming the role with the permissions policies I need in the commercial account, and I’m getting the error:
error
Failed to create role mysuperrolename.
Invalid principal in policy: "AWS":"arn:aws-us-gov:iam::11111111111:user/theusername"
role in the commercial account
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws-us-gov:iam::11111111:user/theusername"
},
"Action": "sts:AssumeRole"
}
]
}
I attached some permissions policies to the role, but that’s not related to the error.
things I’ve tried
I have a feeling this is due to the Government cloud. Can anyone assist, or has anyone had this problem? I tried changing aws-us-gov
to just aws
in the ARN above, to no avail.
I get the same error if I just use the account number of the gov account (111111111), instead of the particular user, as the Principal.
Any help would be greatly appreciated, as my ability to not have multiple IAM users for all my services depends on this.
2
Answers
AWS GovCloud Regions and AWS commercial Regions are in different AWS partitions and are isolated from each other. So using IAM like this is not possible.
EDIT: found this in the docs:
This is because AWS GovCloud Regions and AWS global cloud are two separate cloud, thus they are not connected.
Same for AWS global cloud and AWS China cloud, they are not connected as well. We have met similar things when setting AWS China resources.