How to Configure Cross-Account Access for an IAM User in AWS?
In this tutorial, we'll walk through the steps to configure cross-account access for an IAM user in AWS. Our scenario is that we have an IAM user with administrator access. We've also created another IAM user, Paul, who has no permissions of his own. However, we want Paul to be able to switch into a role and use it to access resources in the administrator account. Let's dive in!
Step 1: Create a Role in Administrator Account
1) Sign in to the AWS Management Console as the administrator.
2) Open the IAM console and in the left navigation pane, click on "Roles" and then click the "Create role" button.
3) Select "AWS account" as the trusted entity type. Since Paul's user lives in the same account as the role, select "This account" as the account that is allowed to use the role, and click "Next".
4) Add the permissions the role should carry when Paul assumes it. You can attach existing AWS managed policies or create custom policies. For this tutorial, we will go with an existing policy. As you can see in the image, we have attached "AmazonEC2FullAccess", which provides full access to EC2 resources. This means Paul can launch and manage EC2 resources while he is using the role; the permissions are attached to the role, not to Paul's user. Note that this is a broad policy; outside a tutorial, scope the role down to the actions and resources Paul actually needs. Click "Next".
5) Type the Role name and Description, and then click "Create role".
Step 2: Configure the trust policy
1) Click on the role you just created (in this tutorial the role is named "EC2accessforPaul"), and then open the "Trust relationships" tab.
2) Click "Edit trust policy" and add a principal. Select "IAM users" as the principal type and enter Paul's account ID and user name so that the ARN field identifies Paul's user. Click "Update policy". This trust policy is what decides who may assume the role; the permissions policy from Step 1 decides what the role may do.
Step 3: Switch the Role in the AWS Management Console
1) Sign in to the console as the IAM user "Paul". As shown in the image below, Paul receives an API error because his user does not have the permissions needed to access the resources.
2) Click on Paul's username in the top right corner, and then click on "Switch Role" in the dropdown menu.
3) Enter the administrator's 12-digit AWS account ID and the name of the role you created in the administrator's account, which is "EC2accessforPaul" for this tutorial. Click "Switch Role".
4) As shown in the image below, you are now working in the administrator account under the assumed role, and you can confirm that there are no more API errors on the EC2 resources. You can launch instances and manage EC2 resources as you see fit, because the role carries the "AmazonEC2FullAccess" policy that we attached in Step 1.
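The console dialogs in Steps 2 and 3 are generating and evaluating a JSON trust policy. The following is an added example, not code from the tutorial or from AWS: it builds the trust policy that the "IAM users" principal choice produces for the role EC2accessforPaul, audits it for over-broad trust (a "*" principal, or an entire account's ":root" without a condition), mirrors the AssumeRole decision that makes the switch succeed for Paul and fail for anyone else, and produces the console's Switch Role link for the same account ID and role name. The account IDs are constructed placeholders, and `can_assume_role` is a deliberate simplification: real IAM also evaluates the caller's identity-based policies (required for genuine cross-account access), permission boundaries and SCPs.

```python
"""Build, audit and evaluate the trust policy behind a 'Switch Role' setup.

Added example for this tutorial (not the author's code). Account IDs are
constructed placeholders; replace them with real values before use.
"""
import json
from urllib.parse import urlencode

ADMIN_ACCOUNT_ID = "111111111111"  # placeholder: the account that owns the role
OTHER_ACCOUNT_ID = "222222222222"  # placeholder: a second account, for the cross-account variant
ROLE_NAME = "EC2accessforPaul"     # role name used in the tutorial


def user_arn(account_id, user_name):
    """ARN of an IAM user; this is what the console puts in the ARN field."""
    return f"arn:aws:iam::{account_id}:user/{user_name}"


def build_trust_policy(principal_arns, require_mfa=False):
    """Trust policy allowing only the listed principals to call sts:AssumeRole.

    The same document serves the same-account case from the tutorial and a true
    cross-account case; only the account ID inside the principal ARN differs.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Optional hardening: aws:MultiFactorAuthPresent is an AWS global condition key.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _aws_principals(stmt):
    """AWS principals of a statement as a list; a bare '*' means everyone."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def audit_trust_policy(policy):
    """Findings for trust statements broader than 'this one user may assume the role'."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            findings.append(f"statement {i}: does not grant sts:AssumeRole")
        for p in _aws_principals(stmt):
            if p == "*":
                findings.append(f"statement {i}: principal '*' lets any AWS principal assume the role")
            elif p.endswith(":root") and "Condition" not in stmt:
                findings.append(f"statement {i}: trusts every principal in account ({p}) without a Condition")
    return findings


def can_assume_role(policy, caller_arn):
    """Simplified AssumeRole decision: an explicit Deny wins, otherwise any Allow naming the caller."""
    allowed = False
    for stmt in policy.get("Statement", []):
        principals = _aws_principals(stmt)
        matched = "*" in principals or caller_arn in principals
        grants = any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action")))
        if not (matched and grants):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def switch_role_url(account_id, role_name, display_name=None):
    """The console's 'Switch Role' link; same fields as the dialog in Step 3."""
    params = {"account": account_id, "roleName": role_name}
    if display_name:
        params["displayName"] = display_name
    return "https://signin.aws.amazon.com/switchrole?" + urlencode(params)


if __name__ == "__main__":
    paul = user_arn(ADMIN_ACCOUNT_ID, "Paul")
    policy = build_trust_policy([paul])
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
    print("Paul can assume:", can_assume_role(policy, paul))
    print("Mary can assume:", can_assume_role(policy, user_arn(ADMIN_ACCOUNT_ID, "Mary")))
    print(switch_role_url(ADMIN_ACCOUNT_ID, ROLE_NAME, "EC2 as Paul"))
```

Running the script prints the trust policy for EC2accessforPaul with an empty findings list, shows that only Paul's ARN passes the assume check, and prints the link Paul can bookmark instead of typing the account ID and role name into the Switch Role dialog. Pointing `audit_trust_policy` at the trust policies exported from your own roles is a cheap way to catch roles that trust a whole account or the world rather than a named user.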
I appreciate you reading this guide and hope it has been informative and useful for you.
Written by
Phil
Hello and welcome to my blog! I am a passionate professional with a diverse background in Quality Assurance (QA) and System Engineering, and I am currently working as an AWS Engineer. While my experience in AWS spans a relatively short period, my enthusiasm for Cloud Technology is unwavering. Throughout my career, I have gained hands-on experience in a wide range of AWS services, both through my professional work and dedicated self-study. This practical exposure has provided me with valuable insights and deepened my understanding of leveraging AWS to build robust and scalable solutions. On this blog, I aim to share my experiences, insights, and practical guidance on AWS services and their application in real-world scenarios. Whether you are a cloud enthusiast, an aspiring AWS professional, or someone simply looking to deepen your understanding of cloud technology, I invite you to join me on this exciting journey. Thank you for visiting my blog, and I look forward to connecting and engaging with you as we delve into the world of AWS and cloud technology.