How to enable cross-account IAM access using AWS console
Today we are going to learn about the Steps to enable cross-account IAM access using AWS console. Or the question may arise how to enable cross account access in aws.
We would get these answers right here, as you all know – AWS or amazon web services is a widely accepted public cloud, it is being trusted by many established companies as their cloud partner. There are multiple benefits of migrating the in-house data centres into AWS.
Consider a situation, where you or your company is appointed to manage and maintain your customer AWS account, but ensure the customer won`t provide you with the full console access, in that situation you can suggest the customer about the cross-account role.
Steps to enable cross-account IAM access using AWS console:
Now, lets take the below use-case and understand that better.
Imagine that you have two AWS accounts, which we’ll refer to as Prod and Dev. You want to give IAM users in the Dev account temporary and limited access to the Prod account via the console.
Few AWS terminology:
- Customer account (Prod) is the Trusting Account
- Your account (Dev) is the Trusted Account
Need to have few information handy
Make a note of the Dev Account number (Trusted). For this example, we are considering that as “123456789012”
Task 1: Create an IAM role in the Prod account (Trusting Account)
And when you set permissions, choose the PowerUserAccess policy template. This lets users from the Dev account work with all services in the Prod account except IAM. For example, they won’t be able to change the permissions for the role they’re assuming, and they won’t be able to create new users or roles.
Put the name and fill details as needed. Notice the Dev Account is showing as trusted account.
Make a note of the Role ARN (Very important), it should be arn::aws::iam::trusting_ac:role/role_name
Now login to the Dev (Trusted) AWS account.
Select policy > Get started > Create Policy> policy Generator
Add the ARN for Role that was created on the Trusting account. Click on “Add Statement”.
Assign that Policy to the user or group who would like to have access to the prod account resources.
Edit the permissions for a user (or group of users) to let them sign-in to the Prod account and grant sts: AssumeRolepermissions. As the resource for the action, specify the ARN of the CrossAccountSignin role you created earlier. Here’s an example of a policy that you can attach to a user or group:
{
“Version”: “2012-10-17”,
“Statement”: [{
“Effect”: “Allow”,
“Action”: [“sts:AssumeRole”],
“Resource”: “arn:aws:iam::Prod-account-ID:role/CrossAccountSignin”
}]
}
Switch Role between the User & Dev Account:
Now the user from Dev Account can log-in to his own AWS account and use “Switch Role” feature to switch to the Prod account.
Lia Infraservices – are the pioneers in delivering a Streamlined Cloud Migration Experience from any premises to cloud and vice-versa. Help you move your business forward with Improved Agility. Just with Lowers Errors & at affordable Costs. Unlock New Revenue Opportunities with controlled access using AWS Identity and access management.
Partho Das, founder of Lia Infraservices, has 15+ years of expertise in cloud solutions, DevOps, and infrastructure security. He provides consultation on architecture planning, DevOps setup, Kubernetes, and cloud migrations. Partho holds multiple AWS and Azure certifications, along with CISCO CCNA & CCNP.
Connect on LinkedIn