I want to set up cross-account access to an AWS Identity and Access Management (IAM) role in another AWS account.
Short description
To access the resources in another AWS account, set up a trust relationship with an IAM role.
For example, you want to access the destination account from the source account. To assume the IAM role in the destination account from the source account, grant your IAM user permission to call the AssumeRole API. You must also specify your IAM user as a principal in the trust relationship of the destination IAM role.
Note: Instead of assuming a role from an IAM user, you can also assume a role from a source IAM role to a destination IAM role (role chaining). Role chaining works only for programmatic access such as the AWS Command Line Interface (AWS CLI) or API. Role chaining can't be used with the AWS Management Console.
Resolution
To use IAM to access resources in another AWS account, take the following actions.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Source account
Complete the following steps:
- Use the JSON editor to create an IAM policy similar to the following example:
Note: Replace DESTINATION-ACCOUNT-ID and DESTINATION-ROLENAME with your own values.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::DESTINATION-ACCOUNT-ID:role/DESTINATION-ROLENAME"
            ]
        }
    ]
}
- Attach the IAM policy to your IAM user permissions.
Destination account
Complete the following steps:
- Create an IAM role on the console.
- Paste a custom trust policy similar to the following:
Note: Replace SOURCE-ACCOUNT-ID and SOURCE-USERNAME with your own values.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE-ACCOUNT-ID:user/SOURCE-USERNAME"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Note: If you don't have access to create and edit IAM roles and users, then get assistance from the account's owner to complete the process. It's a best practice to restrict access to your account and resources so that only the entities that you trust can access them.
You can modify this policy to allow as many source entities to assume as many destination roles as needed. For example, you can change the Principal value of the destination account trust policy to "AWS": "SOURCE-ACCOUNT-ID". This allows every entity in the source account that has the assume role permission to assume the destination account role. For more information, see How to specify a principal and Creating or editing the policy.
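The following added example is not part of the article and is not AWS code. It builds the two policy documents shown above (the source user's identity policy and the destination role's trust policy) and checks them against each other with a deliberately simplified model of how a cross-account AssumeRole is authorized: the call succeeds only when the source account's identity policy allows sts:AssumeRole on the role ARN and the destination role's trust policy names the caller (either by exact ARN or, as in the account-level variant described above, by account ID). The account IDs, user and role names are constructed placeholders, and the evaluator handles only Allow statements with no conditions; it is not IAM's real policy engine.

```python
"""Illustrative model of the two-sided check behind a cross-account AssumeRole.

Added example for this page; not AWS code and not IAM's evaluation engine.
Supports only Allow statements, the sts:AssumeRole action, and AWS principals
given as a user/role ARN, a bare 12-digit account ID, or arn:aws:iam::ID:root.
"""
import json
import re

# Constructed placeholder account IDs (not real accounts).
SOURCE_ACCOUNT = "111111111111"
DEST_ACCOUNT = "222222222222"

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/(.+)$")


def source_identity_policy(dest_account: str, dest_role: str) -> dict:
    """Identity policy for the source user: allow AssumeRole on one destination role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": [f"arn:aws:iam::{dest_account}:role/{dest_role}"],
        }],
    }


def destination_trust_policy(principals: list) -> dict:
    """Trust policy for the destination role. Each entry is a user/role ARN or a
    bare account ID (the "AWS": "SOURCE-ACCOUNT-ID" variant from the article)."""
    aws = principals[0] if len(principals) == 1 else list(principals)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": aws},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_covers(entry: str, caller_arn: str) -> bool:
    """True if the principal entry is the caller's exact ARN or the caller's whole account."""
    match = ARN_RE.match(caller_arn)
    if not match:
        return False
    account = match.group(1)
    return entry in (caller_arn, account, f"arn:aws:iam::{account}:root")


def identity_allows_assume(policy: dict, role_arn: str) -> bool:
    """Source side: does the caller's identity policy allow sts:AssumeRole on role_arn?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions) and any(
            r in (role_arn, "*") for r in resources
        ):
            return True
    return False


def trust_allows_caller(policy: dict, caller_arn: str) -> bool:
    """Destination side: does the role's trust policy name the caller or its account?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # wildcard and service principals are out of scope here
        if any(_principal_covers(e, caller_arn) for e in _as_list(principal.get("AWS", []))):
            return True
    return False


def can_assume(caller_arn: str, identity_policy: dict, role_arn: str, trust_policy: dict) -> bool:
    """A cross-account AssumeRole needs BOTH the source-side and the destination-side allow."""
    return identity_allows_assume(identity_policy, role_arn) and trust_allows_caller(
        trust_policy, caller_arn
    )


if __name__ == "__main__":
    user = f"arn:aws:iam::{SOURCE_ACCOUNT}:user/example-user"
    role = f"arn:aws:iam::{DEST_ACCOUNT}:role/example-role"
    identity = source_identity_policy(DEST_ACCOUNT, "example-role")
    trust = destination_trust_policy([user])
    print(json.dumps(identity, indent=4))
    print(json.dumps(trust, indent=4))
    print("user can assume role:", can_assume(user, identity, role, trust))
```

The point the model makes visible is that editing only one side is never enough: a trust policy that names the user does nothing until the source account also grants sts:AssumeRole on that role ARN, and an account-level principal ("AWS": "111111111111") widens the destination side to every identity in that account that carries such a grant.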
Test your access
To test your access, follow the instructions in Switch from a user to an IAM role (console) or Switch to an IAM role (AWS CLI). For more information, see IAM tutorial: Delegate access across AWS accounts using IAM roles.
Related information
How do I assume an IAM role using the AWS CLI?
I created or updated an IAM policy and received the error "Has prohibited field Principal". How can I resolve this?
How do I grant cross-account access to objects that are in Amazon S3 buckets?
How do I resolve the "AccessDenied" or "Invalid information" error when I tried to assume a cross-account IAM role?