How do I access resources in another AWS account using AWS IAM?


I want to assume an AWS Identity and Access Management (IAM) role in another AWS account. How do I set up cross-account access using IAM?

Short description

You can set up a trust relationship with an IAM role in another AWS account to access its resources. For example, suppose you want to access the destination account from the source account. To do this, grant your IAM user in the source account permission to call the AssumeRole API on the destination role, and specify that IAM user in the trust relationship of the destination IAM role. Both sides are required: the permission in the source account and the trust policy in the destination account.

Note: You can also assume a role from a source IAM role to a destination IAM role (role chaining), instead of from a user to a role. Role chaining works only for programmatic access such as the AWS Command Line Interface (AWS CLI) or API. Role chaining can't be used with the AWS Management Console.

Resolution

Follow these instructions to create an IAM permission policy for the source account, attach the policy to a user, and then create a role for the destination account.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Source account

1.    Create an IAM policy similar to the following:

Note: Replace DESTINATION-ACCOUNT-ID and DESTINATION-ROLENAME with your own values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::DESTINATION-ACCOUNT-ID:role/DESTINATION-ROLENAME"
      ]
    }
  ]
}

2.    Attach the IAM policy to your IAM user permissions.

Attach the created policy to your IAM user permissions by following the steps here.

Destination account

1.    Create an IAM role.

2.    Paste a custom trust policy similar to the following:

Note: Replace SOURCE-ACCOUNT-ID and SOURCE-USERNAME with your own values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE-ACCOUNT-ID:user/SOURCE-USERNAME"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Note: If you don’t have access to create and edit IAM roles and users, then get assistance from the account's owner to complete the process. As a best practice, grant access to your account and resources only to the entities that you trust.

You can modify this trust policy to allow as many source entities as needed to assume the role, and repeat the setup for as many destination roles as needed. For example, you can change the Principal value of the destination account trust policy to "AWS": "SOURCE-ACCOUNT-ID". This allows every entity in the source account that has the assume role permission to assume the destination account role, so the decision about who can assume it is delegated to the source account's IAM policies. For more information, see Specifying a principal and Creating or editing the policy.
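As an added offline check, not part of the original article, the following Python script takes the two policy documents above with their placeholders filled in (the account IDs, user name and role name are constructed values) and reports whether the source permission and the destination trust actually line up, including the account-wide Principal form just described and a wildcard Principal, which it flags rather than accepts.

```python
import re
# Constructed sample values (not real accounts): the page's placeholders filled in.
SOURCE_USER_ARN = "arn:aws:iam::111111111111:user/alice"
DEST_ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccountRole"
# The page's two policies with the placeholders replaced by the constructed values.
SOURCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [DEST_ROLE_ARN]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SOURCE_USER_ARN}, "Action": "sts:AssumeRole"}]}
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")  # pulls the 12-digit account ID out of an ARN

def _as_list(value):
    # IAM accepts either a string or a list for Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]

def _assume_action(stmt):
    return any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in _as_list(stmt.get("Action", [])))

def source_permits(policy, role_arn):
    """Source side: an Allow for sts:AssumeRole on role_arn and no explicit Deny covering it."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        resources = _as_list(stmt.get("Resource", []))
        if _assume_action(stmt) and (role_arn in resources or "*" in resources):
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
    return allowed and not denied

def trust_permits(trust, principal_arn):
    """Destination side: 'exact' names the principal, 'account' is the page's "AWS": "SOURCE-ACCOUNT-ID"
    form (decision delegated to source-account policies), 'wildcard' is flagged, None means not trusted."""
    account = ACCOUNT_RE.match(principal_arn).group(1)
    whole_account = {account, f"arn:aws:iam::{account}:root"}  # both spellings of "the whole account"
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or not _assume_action(stmt):
            continue
        principal = stmt.get("Principal", {})
        entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in entries:
            return "wildcard"
        if principal_arn in entries:
            return "exact"
        if whole_account & set(entries):
            return "account"
    return None

def cross_account_ok(source_policy, trust, user_arn, role_arn):
    """Both halves must agree: the source grants the call and the destination trusts the caller."""
    return source_permits(source_policy, role_arn) and trust_permits(trust, user_arn) in ("exact", "account")
```

Run it against your own two documents before testing in the console; a None from trust_permits or a False from source_permits points at which half of the setup is missing.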

Test your access

To test your access, follow the instructions for Switching to a role (console).

-or-

Follow the instructions for Switching to an IAM role (AWS CLI).

For more information, see IAM tutorial: Delegate access across AWS accounts using IAM roles.


Related information

How do I assume an IAM role using the AWS CLI?

I created or updated an IAM policy and received the error "Has prohibited field Principal". How can I resolve this?

How can I provide cross-account access to objects that are in Amazon S3 buckets?

Why did I receive an "AccessDenied" or "Invalid information" error trying to assume a cross-account IAM role?