This section describes the AWS Cross-Account AssumeRole option, which is available as a credential method for deploying Avi Load Balancer with AWS.

Avi Load Balancer supports deployment on Amazon Web Services (AWS) across multiple AWS accounts using the IAM AssumeRole functionality.

IAM roles provide access to the AWS resources and APIs of another account without sharing that account's user Access Key ID and Secret Access Key.

While creating the AWS cloud type, a new option, Use Cross-Account AssumeRole, is available in Avi Load Balancer. Enable this option if the AWS cloud needs to be created in an AWS account other than the one that hosts the Controller.

Use Case of Cross-Account Assume Role

Consider a hypothetical organization XYZ Corp with multiple AWS account IDs:

  • IT – 123456789012

  • Prod – 112233445566

Figure 1. AWS Cross-Account Assume Role

In a general deployment, XYZ Corp would require an Access Key ID and Secret Access Key for each account in order to create an Avi Load Balancer Service Engine cloud in AWS. Sharing the AWS access keys of the respective accounts is a security concern.

In addition, it is difficult to track all of these keys and keep them updated. Instead, an IAM role can be used in each account. IAM roles provide access to AWS resources and APIs across AWS accounts, and the credentials obtained through a role are dynamic rather than static keys.

Note:

IT-AviController-Role is a limited-access role that is permitted to assume the Prod-Xacc-Access cross-account role in the Prod account.
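The role pair described above, as an added worked example that is not part of the Avi Load Balancer documentation: the trust policy on Prod-Xacc-Access names IT-AviController-Role as the only principal allowed to assume it, the permission policy on IT-AviController-Role allows sts:AssumeRole on that one Prod role, and two small check functions flag the common drift cases (trusting a whole account or allowing AssumeRole on any role). The account IDs and role names come from the XYZ Corp example; the policy contents and the check functions are assumptions made for illustration, not Avi's own configuration.

```python
"""Cross-account AssumeRole policy pair for the XYZ Corp example, with a
least-privilege check over both sides of the trust relationship.

Constructed example: account IDs and role names are taken from the text;
the policy documents and checks are illustrative assumptions."""

IT_ACCOUNT = "123456789012"
PROD_ACCOUNT = "112233445566"
IT_ROLE_ARN = f"arn:aws:iam::{IT_ACCOUNT}:role/IT-AviController-Role"
PROD_ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/Prod-Xacc-Access"

# Trust policy attached to Prod-Xacc-Access (Prod account): names exactly
# which principal in the IT account may assume it.
PROD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": IT_ROLE_ARN},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy attached to IT-AviController-Role (IT account): the only
# cross-account action it may take is assuming the one Prod role.
IT_ASSUME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": PROD_ROLE_ARN,
    }],
}

# Constructed "drifted" trust policy: trusts every principal in the IT
# account instead of the single Controller role.
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{IT_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, allowed_principals):
    """Return findings for a role trust policy; an empty list means tight."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the bare wildcard "*" or a map with an "AWS" key.
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"overly broad principal: {p}")
            elif p not in allowed_principals:
                findings.append(f"unexpected principal: {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action in trust policy: {action}")
    return findings


def check_assume_policy(policy, allowed_roles):
    """Return findings for the assuming side's permission policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append("sts:AssumeRole allowed on any role (Resource '*')")
            elif res not in allowed_roles:
                findings.append(f"sts:AssumeRole allowed on unexpected role: {res}")
    return findings


if __name__ == "__main__":
    print("Prod trust policy:", check_trust_policy(PROD_TRUST_POLICY, {IT_ROLE_ARN}) or "ok")
    print("IT assume policy:", check_assume_policy(IT_ASSUME_POLICY, {PROD_ROLE_ARN}) or "ok")
    print("Drifted trust policy:", check_trust_policy(LOOSE_TRUST_POLICY, {IT_ROLE_ARN}))
```

Both checks are deliberately strict: trusting the IT account's root principal is a legitimate AWS pattern, but it delegates the decision of who may reach Prod to whoever administers IAM in the IT account, so for a Controller role the check reports it rather than accepting it.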