How to enable cross-account IAM access using AWS console

How to enable cross-account IAM access using AWS console

Share Now
3 min read

Today we are going to learn about the Steps to enable cross-account IAM access using AWS console. Or the question may arise how to enable cross account access in aws.

We would get these answers right here, as you all know – AWS or amazon web services is a widely accepted public cloud, it is being trusted by many established companies as their cloud partner. There are multiple benefits of migrating the in-house data centres into AWS.

Consider a situation, where you or your company is appointed to manage and maintain your customer AWS account, but ensure the customer won`t provide you with the full console access, in that situation you can suggest the customer about the cross-account role.

Steps to enable cross-account IAM access using AWS console:

Now, lets take the below use-case and understand that better.

Imagine that you have two AWS accounts, which we’ll refer to as Prod and Dev. You want to give IAM users in the Dev account temporary and limited access to the Prod account via the console.

Few AWS terminology:

  1. Customer account (Prod) is the Trusting Account
  2. Your account (Dev) is the Trusted Account

Need to have few information handy

Make a note of the Dev Account number (Trusted). For this example, we are considering that as “123456789012”

Task 1: Create an IAM role in the Prod account (Trusting Account)

Create an IAM role in the Prod account (Trusting Account) | Liainfraservices

And when you set permissions, choose the PowerUserAccess policy template. This lets users from the Dev account work with all services in the Prod account except IAM. For example, they won’t be able to change the permissions for the role they’re assuming, and they won’t be able to create new users or roles.

Put the name and fill details as needed. Notice the Dev Account is showing as trusted account.

Create Role | Liainfraservices

Make a note of the Role ARN (Very important), it should be arn::aws::iam::trusting_ac:role/role_name

Now login to the Dev (Trusted) AWS account.

Select policy > Get started > Create Policy> policy Generator

Edit Permissions | Liainfraservices

Add the ARN for Role that was created on the Trusting account. Click on “Add Statement”.

ARN | Liainfraservices

Assign that Policy to the user or group who would like to have access to the prod account resources.

Edit the permissions for a user (or group of users) to let them sign-in to the Prod account and grant sts: AssumeRolepermissions. As the resource for the action, specify the ARN of the CrossAccountSignin role you created earlier. Here’s an example of a policy that you can attach to a user or group:


  “Version”: “2012-10-17”,

  “Statement”: [{

“Effect”: “Allow”,

“Action”: [“sts:AssumeRole”],

    “Resource”: “arn:aws:iam::Prod-account-ID:role/CrossAccountSignin”



Switch Role between the User & Dev Account:

Now the user from Dev Account can log-in to his own AWS account and use “Switch Role” feature to switch to the Prod account.

Switch Role | Liainfraservices

Lia Infraservices – are the pioneers in delivering a Streamlined Cloud Migration Experience from any premises to cloud and vice-versa. Help you move your business forward with Improved Agility. Just with Lowers Errors & at affordable Costs. Unlock New Revenue Opportunities with controlled access using AWS Identity and access management.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

Leave comment

Your email address will not be published. Required fields are marked with *.