How do I access resources in another AWS account using AWS IAM?

Last updated: 2022-08-01

I want to assume an Identity and Access Management (IAM) role in another AWS account. How do I set up cross-account access using IAM?

Short description

You can set up a trust relationship with an IAM role in another AWS account and then assume that role to reach the account's resources. In this article, the account you start from is the source account and the account that owns the resources is the destination account. Cross-account access needs two things that must agree: the IAM user in the source account needs permission to call the AssumeRole API on the destination role, and the destination role's trust policy must name that IAM user as a principal. Either half on its own is not enough.

Note: The source principal can also be an IAM role instead of a user, so that a session that already holds one role assumes another. This is called role chaining. Role chaining works only for programmatic access such as the AWS Command Line Interface (AWS CLI) or API, can't be used with the AWS Management Console, and limits the chained session to a maximum duration of one hour.

Resolution

Follow these instructions to create an IAM permission policy in the source account, attach it to a user there, and create a role with a matching trust policy in the destination account.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Source account

1.    Create an IAM policy similar to the following:

Note: Replace DESTINATION-ACCOUNT-ID and DESTINATION-ROLENAME with your own values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::DESTINATION-ACCOUNT-ID:role/DESTINATION-ROLENAME"
      ]
    }
  ]
}

2.    Attach the IAM policy to your IAM user.

Attach the policy you created to the IAM user, or to a group that the user belongs to. Keep the Resource element pointed at the specific destination role rather than a wildcard, so the user can't assume other roles that happen to trust your account.

Destination account

1.    Create an IAM role with a custom trust policy.

2.    Paste a custom trust policy similar to the following:

Note: Replace SOURCE-ACCOUNT-ID and SOURCE-USERNAME with your own values. The user must already exist in the source account: IAM rejects a trust policy whose Principal can't be resolved.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE-ACCOUNT-ID:user/SOURCE-USERNAME"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Note: If you don’t have access to create and edit IAM roles and users, then you must get assistance from the owner of the other account to complete the process. As a best practice, grant access to your account and resources only to entities that you trust.

You can widen this pattern to as many source entities and destination roles as needed. For example, you can change the Principal value of the destination account trust policy to "AWS": "SOURCE-ACCOUNT-ID", which is shorthand for "arn:aws:iam::SOURCE-ACCOUNT-ID:root". This allows every IAM user and role in the source account that has sts:AssumeRole permission for the role to assume it. That moves the decision about who may assume the role from the trust policy in the destination account to the IAM administrators of the source account, so prefer naming specific users or roles unless you trust the source account to manage that. For more information, see Specifying a principal and Creating or editing the policy.

Test your access

To test your access, follow the instructions for Switching to a role (console).

-or-

Follow the instructions for Switching to an IAM role (AWS CLI).
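The whole procedure above, as an added example that is not part of the original article: a shell script that writes both policy documents, creates the role and the permission policy with the AWS CLI, and then tests the access with sts assume-role. It assumes two CLI profiles named source and destination that hold IAM permissions in the respective accounts; the profile names, the policy name AssumeRole-<rolename>, the session name cross-account-test, and all account IDs and user names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): the whole procedure as one script.
# Assumed setup: two AWS CLI profiles, "source" and "destination", that hold IAM
# permissions in the respective accounts. Account IDs and names are placeholders.
set -eu

# Source-account permission policy: allow AssumeRole on exactly one destination
# role. A wildcard Resource would let the user assume any role that trusts the
# source account, so keep it specific.
source_policy() {  # args: DESTINATION-ACCOUNT-ID DESTINATION-ROLENAME
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::$1:role/$2"
    }
  ]
}
EOF
}

# Destination-role trust policy: name the specific source user, not the account
# root, so that new users in the source account do not silently gain access.
trust_policy() {  # args: SOURCE-ACCOUNT-ID SOURCE-USERNAME
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:user/$2" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role in the destination account, then the policy in the source
# account. IAM rejects a trust policy whose Principal does not exist, so the
# source user must already exist before create-role runs.
deploy() {  # args: SRC_ACCOUNT SRC_USER DST_ACCOUNT DST_ROLE
  local src_acct=$1 src_user=$2 dst_acct=$3 dst_role=$4 policy_arn
  aws iam create-role --profile destination \
      --role-name "$dst_role" \
      --assume-role-policy-document "$(trust_policy "$src_acct" "$src_user")"
  policy_arn=$(aws iam create-policy --profile source \
      --policy-name "AssumeRole-$dst_role" \
      --policy-document "$(source_policy "$dst_acct" "$dst_role")" \
      --query Policy.Arn --output text)
  aws iam attach-user-policy --profile source \
      --user-name "$src_user" --policy-arn "$policy_arn"
}

# Test the access: assume the role as the source user, then ask STS who the
# temporary credentials belong to. The Arn in the output should be
# arn:aws:sts::DST_ACCOUNT:assumed-role/DST_ROLE/cross-account-test.
assume_and_whoami() {  # args: DST_ACCOUNT DST_ROLE
  local creds
  creds=$(aws sts assume-role --profile source \
      --role-arn "arn:aws:iam::$1:role/$2" \
      --role-session-name cross-account-test \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)
  # Scope the temporary credentials to this one command instead of exporting
  # them into the shell, where they would outlive the test.
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | cut -f1) \
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | cut -f2) \
  AWS_SESSION_TOKEN=$(printf '%s' "$creds" | cut -f3) \
  aws sts get-caller-identity --output json
}

# Run only when all four arguments are given, for example:
#   ./cross-account.sh 444455556666 alice 111122223333 CrossAccountRole
if [ "$#" -eq 4 ]; then
  deploy "$@"
  assume_and_whoami "$3" "$4"
fi
```

If get-caller-identity still reports the source user's ARN, the assume-role call did not run under the temporary credentials; if assume-role itself fails with AccessDenied, check that both the identity policy on the user and the trust policy on the role name the same role and user ARNs, since either half missing produces the same error.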

For more information, see IAM tutorial: Delegate access across AWS accounts using IAM roles.