From 005004eddccac4f370aac925680f21f701761cc0 Mon Sep 17 00:00:00 2001 From: Viren Nadkarni Date: Fri, 3 Nov 2023 14:33:27 +0530 Subject: [PATCH] Update cross-account docs (#886) --- content/en/references/credentials.md | 12 +++--- content/en/references/cross-account-access.md | 41 ++++++++++++++++++- 2 files changed, 47 insertions(+), 6 deletions(-) diff --git a/content/en/references/credentials.md b/content/en/references/credentials.md index 28201ff101..b83818b1de 100644 --- a/content/en/references/credentials.md +++ b/content/en/references/credentials.md @@ -5,7 +5,7 @@ categories: ["LocalStack"] tags: ["access-key-id", "secret-access-key", "account-id"] weight: 50 description: > - Credentials for accessing LocalStack services + Credentials for accessing LocalStack AWS API --- Like AWS, LocalStack requires access key IDs to be set in all operations. @@ -14,12 +14,12 @@ Values of secret access keys are currently ignored by LocalStack. Access key IDs can be one of following patterns: -### Accounts IDs +## Accounts IDs You can specify a 12-digit number which will be taken by LocalStack as the account ID. For example, `112233445566`. -### Structured access key ID +## Structured access key ID You can specify a structured key like `LSIAQAAAAAAVNCBMPNSG` (which translates to account ID `000000000042`). This must be at least 20 characters in length and must be decodable to an account ID. @@ -34,7 +34,9 @@ Disabling the access key safeguard and using production access key IDs may cause We strongly recommend leaving it on. {{< /alert >}} -### Alphanumeric string +Please refer to the [IAM docs]({{< ref "user-guide/aws/iam" >}}) to learn how to create access keys in LocalStack. + +## Alphanumeric string You can also specify an arbitrary alphanumeric access key ID like `test` or `foobar123`. -In all such cases, the account ID will be evalutated to `000000000000`. +In all such cases, the account ID will be evaluated to `000000000000`. 
diff --git a/content/en/references/cross-account-access.md b/content/en/references/cross-account-access.md index d077a8e6ed..81eee368ea 100644 --- a/content/en/references/cross-account-access.md +++ b/content/en/references/cross-account-access.md 
@@ -17,9 +17,48 @@ Cross-account support in LocalStack is being actively developed. Please report any issues on our [GitHub issue tracker](https://github.com/localstack/localstack/issues/new/choose). {{< /alert >}} +Cross-account/cross-region access happens when a client attempts to access a resource in another account or region than what it is configured with: + +{{< command >}} +# +# Create a queue in one account and region +# + +$ AWS_ACCESS_KEY_ID=111111111111 awslocal sqs create-queue \ + --queue-name my-queue \ + --region ap-south-1 +{ + "QueueUrl": "http://sqs.ap-south-1.localhost.localstack.cloud:443/111111111111/my-queue" +} + +# +# Set some attributes +# + +$ AWS_ACCESS_KEY_ID=111111111111 awslocal sqs set-queue-attributes \ + --attributes VisibilityTimeout=60 \ + --queue-url http://sqs.ap-south-1.localhost.localstack.cloud:443/111111111111/my-queue \ + --region ap-south-1 + +# +# Retrieve the queue attribute from another account and region. +# The required information for LocalStack to locate the queue is available in the queue URL. +# + +$ AWS_ACCESS_KEY_ID=222222222222 awslocal sqs get-queue-attributes \ + --attribute-names VisibilityTimeout \ + --region eu-central-1 \ + --queue-url http://sqs.ap-south-1.localhost.localstack.cloud:443/111111111111/my-queue +{ + "Attributes": { + "VisibilityTimeout": "60" + } +} +{{< /command >}} + ## Cross-Account -Resources that can be accessed across multiple accounts are always identified by their Amazon Resource Names (ARNs). +Resources that can be accessed across accounts are identified by their Amazon Resource Names (ARNs) or other schemes such as SQS Queue URLs. The full list of resources and operations that allow cross-account access are listed below. {{< alert title="Note">}}
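Review bot: In content/en/references/credentials.md, the hunk at `@@ -14,12 +14,12 @@` promotes the first heading to `## Accounts IDs` but keeps the plural slip. Since the line is being touched anyway, make it `## Account IDs`. The unchanged context line just above it, "Access key IDs can be one of following patterns:", is missing "the" and could be fixed in the same pass. Renaming the heading changes its generated anchor, so check for inbound links to the old one before merging.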
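Review bot: In content/en/references/credentials.md, the hunk at `@@ -34,7 +34,9 @@` places the new "Please refer to the [IAM docs]..." sentence at the very end of the structured access key ID section, directly after the closing `{{< /alert >}}` of the safeguard warning. In that position it reads as applying only to structured keys, or as a continuation of the warning. If it is a general pointer, move it to the intro before the list of patterns. If it is specific to this section, say so in the sentence, for example "to learn how to create structured access keys in LocalStack".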
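Review bot: In content/en/references/cross-account-access.md, the hunk at `@@ -17,9 +17,48 @@` has a gap at the third command of the new example: account `222222222222` reads `VisibilityTimeout` from a queue owned by `111111111111`, yet no queue policy granting that account access is created anywhere in the walkthrough, and the text only says the queue URL is enough "for LocalStack to locate the queue". Add a sentence stating whether this call succeeds because permissions are not evaluated in this setup or because a policy is assumed, so readers do not carry the expectation that a queue URL alone grants cross-account access. Two smaller points in the same hunk: the sample `QueueUrl` pairs the `http://` scheme with port `:443`, so confirm it is copied from real output; and "in another account or region than what it is configured with" reads more cleanly as "in an account or region other than the one it is configured with". The unchanged context line "The full list of resources and operations ... are listed below" could also become "Resources and operations that allow cross-account access are listed below."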