
How do I use IAM to access resources in another AWS account?


I want to set up cross-account access to an AWS Identity and Access Management (IAM) role in another AWS account.

Short description

Important: AWS recommends that you use IAM roles with temporary credentials for cross-account access instead of IAM users with long-term credentials (access keys). IAM roles provide temporary security credentials that automatically rotate, which reduces security risks associated with long-term credentials.

To access the resources in another AWS account, set up a trust relationship with an IAM role. This approach uses the AssumeRole API operation to obtain temporary security credentials.

For example, you want to access the destination account from the source account. Configure an IAM role in the source account to assume an IAM role in the destination account. For more information about cross-account access using IAM roles, see Access for an IAM user in another AWS account that you own.

Note: You can also use role chaining to assume a role from a source IAM role to a destination IAM role. Role chaining works only for programmatic access such as the AWS Command Line Interface (AWS CLI) or API. Role chaining cannot be used with the AWS Management Console.

Resolution

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To use IAM to access resources in another AWS account, complete the following steps.

Source account

Complete the following steps:

  1. Use the JSON editor to create an IAM policy that grants permission to assume the destination role:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": [
            "arn:aws:iam::DESTINATION-ACCOUNT-ID:role/DESTINATION-ROLENAME"
          ]
        }
      ]
    }
    
    Note: Replace DESTINATION-ACCOUNT-ID and DESTINATION-ROLENAME with your own values.
  2. Attach the IAM policy to the SourceRole.

Destination account

Complete the following steps:

  1. Create an IAM role on the console.
  2. Create a custom trust policy that allows the source account role to assume this role:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::SOURCE-ACCOUNT-ID:role/SOURCE-ROLENAME"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    Note: Replace SOURCE-ACCOUNT-ID and SOURCE-ROLENAME with your own values.
  3. Attach permissions policies to this role that grant access to the specific resources needed in the destination account.

Note: If you don't have access to create and edit IAM roles, then get assistance from the account owner to complete the process. It is a best practice to restrict access to your account and resources so that only the entities that you trust can access them.

You can modify this policy so that multiple source entities can assume multiple destination roles as needed. For example, you can change the Principal value of the destination account trust policy to "AWS": "SOURCE-ACCOUNT-ID". This allows every entity in the source account that has sts:AssumeRole permission for the role to assume the destination account role. For more information, see How to specify a principal and Creating or editing the policy.
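The two policies above only work as a pair: the source role's identity policy must name the destination role, and the destination role's trust policy must name the source role. The following checker is an added example (not part of this article or any AWS tool) that reads both documents and reports when the halves do not line up, or when the trust policy uses the broader whole-account form described above. The account IDs and role names are constructed samples.

```python
def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def assume_role_values(policy, field):
    """Collect `field` from Allow statements that grant sts:AssumeRole.
    Use field="Resource" on an identity policy and field="Principal" on a
    trust policy (only the "AWS" principal type is inspected)."""
    values = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        value = stmt.get(field, [])
        if isinstance(value, dict):
            value = value.get("AWS", [])
        values.update(_as_list(value))
    return values

def check_hop(source_role_arn, dest_role_arn, identity_policy, trust_policy):
    """Return findings for the source-role -> destination-role hop. An empty
    list means both halves agree and the trust names only the source role."""
    findings = []
    if dest_role_arn not in assume_role_values(identity_policy, "Resource"):
        findings.append("source policy does not allow sts:AssumeRole on the destination role")
    trusted = assume_role_values(trust_policy, "Principal")
    if source_role_arn not in trusted:
        account_id = source_role_arn.split(":")[4]
        # A bare account ID (or the account root ARN) trusts every principal in
        # the source account that has AssumeRole permission, not just SourceRole.
        if account_id in trusted or f"arn:aws:iam::{account_id}:root" in trusted:
            findings.append("trust policy trusts the whole source account, not only the source role")
        else:
            findings.append("trust policy does not trust the source role")
    return findings

# Constructed sample account IDs and role names; not real accounts.
SOURCE_ROLE = "arn:aws:iam::111111111111:role/SourceRole"
DEST_ROLE = "arn:aws:iam::222222222222:role/DestinationRole"
SOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["sts:AssumeRole"], "Resource": [DEST_ROLE]}]}
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": SOURCE_ROLE}, "Action": "sts:AssumeRole"}]}
ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "111111111111"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(check_hop(SOURCE_ROLE, DEST_ROLE, SOURCE_POLICY, SCOPED_TRUST))   # []
    print(check_hop(SOURCE_ROLE, DEST_ROLE, SOURCE_POLICY, ACCOUNT_TRUST))
```

Run it against the two JSON documents you actually deployed (for example, the output of aws iam get-role and aws iam get-policy-version) before testing the hop, so that an AccessDenied from sts:AssumeRole can be traced to the half that is wrong.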

Test your access

To test your access, follow the instructions in Switch from a user to an IAM role (console) or Switch to an IAM role (AWS CLI). For more information, see IAM tutorial: Delegate access across AWS accounts using IAM roles.

Related information

Cross account resource access in IAM

How do I use the AWS CLI to assume an IAM role?

How do I resolve the "Has prohibited field Principal" error that I receive when I create or update an IAM policy?

How do I grant cross-account access to objects that are in Amazon S3 buckets?

How do I resolve the "AccessDenied" or "Invalid information" error when I try to assume a cross-account IAM role?