We do this in the GUI with the help of a Google plugin called AWS Extend Switch Roles: https://github.com/tilfinltd/aws-extend-switch-roles
Please use at your own risk.
This is achievable quite simply without any fancy browser addons, by using the standard SwitchRole functionality baked into the AWS Console, as long as the Source Role and Destination Role are set up correctly.
Setup:
On the Source Role (the role in the account you federate into via Identity Center), make sure the permission set the user uses to log in to the account is allowed to perform STS AssumeRole on the role you want to switch to in the Destination account.
On the Destination account's role you have 2 options:
- Set the role trust policy to trust all principals in the Source Account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}
NB: This will allow anybody in the SourceAccount with sts:AssumeRole permissions to assume into that role in the destination account.
- Scope down the trust policy to only trust the role which the user is logged in with. This is a bit more complicated, as you need to reference the role ARN of the source role in the trust policy. You can do this by taking the name of your permission set, for example AdministratorAccess and searching for the permission set's name in your IAM roles in the Source Account.
You should find a role that looks something like this: AWSReservedSSO_AdministratorAccess_<uniqueRandomId>
Open that role and note the ARN.
Edit the above-mentioned trust policy to trust that role, for example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AWSReservedSSO_AdministratorAccess_<uniqueRandomId>" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Now your Source and Destination Role configuration is complete.
Note the name (not the role) of your role in the destination account. Log in to your source account, go to the switch role option in the console like you would normally do, then provide the destination role name, destination account ID and session name, and switch the role.
Done :)
Hope this helps.
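An added example (not part of the answer above, and not AWS code) that scripts the lookup and policy-building steps of the answer: it finds the AWSReservedSSO_<PermissionSet>_<id> role among the source account's role names, builds the scoped trust policy from it, and flags any statement that trusts a whole account (the ":root" variant). The account ID, role names and random suffix are constructed sample values.

```python
import re

# Constructed sample input: role names as listed in the source account's IAM.
# Identity Center provisions the AWSReservedSSO_* names; the suffixes here are made up.
SOURCE_ACCOUNT_ID = "111122223333"
SOURCE_ROLE_NAMES = [
    "AWSServiceRoleForSupport",
    "AWSReservedSSO_AdministratorAccess_1a2b3c4d5e6f7a8b",
    "AWSReservedSSO_ReadOnlyAccess_9f8e7d6c5b4a3f2e",
]


def find_reserved_sso_role(permission_set: str, role_names) -> str:
    """Return the one role named AWSReservedSSO_<permission_set>_<id>; raise if 0 or >1 match."""
    pattern = re.compile(rf"^AWSReservedSSO_{re.escape(permission_set)}_[A-Za-z0-9]+$")
    matches = [name for name in role_names if pattern.match(name)]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one reserved SSO role for {permission_set}, got {matches}")
    return matches[0]


def scoped_trust_policy(source_account_id: str, source_role_name: str) -> dict:
    """Destination-role trust policy that trusts only the Identity Center role (option 2)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:role/{source_role_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def broad_trust_principals(policy: dict) -> list:
    """Return AWS principals in Allow/AssumeRole statements that trust a whole account or '*'."""
    broad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                      # anonymous principal
            broad.append("*")
            continue
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        broad += [p for p in aws if p == "*" or p.endswith(":root")]
    return broad
```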
Ahh, it doesn't look a bit simple; I will try it and let you know, thanks.
So what I understood is, in the permission set I need to mention sts:AssumeRole?