New – Cross-Account Access in the AWS Management Console
Many AWS customers use separate AWS accounts (usually in conjunction with Consolidated Billing) for their development and production resources. This separation allows them to cleanly separate different types of resources and can also provide some security benefits.
Today we are making it easier for you to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console. You can now sign in to the console as an IAM user or via federated Single Sign-On and then switch the console to manage another account without having to enter (or remember) another user name and password.
This feature is built around IAM roles. As you may recall, roles allow you (or your AWS administrator) to define a set of permissions to access some AWS resources. The roles are not attached to a particular IAM user or group. Instead, applications or services can programmatically assume a role by requesting temporary security credentials and using them to make AWS requests.
I’m going to cover this feature from the user’s point of view. Another post on the AWS Security Blog will take a look at it from the administrator’s point of view.
Cross-Account Access in Action
Let’s assume that my administrator has set up a pair of IAM roles, creatively named Development and Production. I sign in to the Console as usual:
When I click on my user name I see that there’s a new Switch Role option:
When I choose it, the Console provides a handy summary of this new feature:
It also lets me enter the information needed to switch roles (they can be from the same AWS account or different AWS accounts). The Display Name is auto generated based on the Account and the Role but can be customized as desired:
After I do this, the Console assumes the new role (Production in this case). Note that the menu is highlighted with the color that I chose to associate with the role:
In order to simplify the process of switching to a new role, the IAM Console will create a customized role-switching URL for any role that enables cross-account access:
Activating this URL initiates the role-switching process and allows me to make the same customizations that I described earlier.
I can switch to the role of my choice (the Console will remember up to five roles). I can also switch back to the identity that I used to sign in to the Console:
You will need to set up the proper IAM roles and groups in order to make use of this feature. After you decide exactly what you want to do (always important when working with accounts and permissions), you can implement this feature in a couple of minutes.
This feature is available now and you can start using it today. To learn more, read about Cross-Account Access in the AWS Console.