Cross-account access in AWS lets identities in one AWS account assume an IAM role in another account and act with that role's permissions, without sharing long-lived credentials. This guide walks through creating a role in one account (Account A) that users in a second account (Account B) can switch to in the AWS Management Console.

Steps to Create a Cross-Account Role

Step 1: Sign in to the AWS Management Console

  1. Open the AWS Management Console.
  2. Sign in using the credentials of the account where you want to create the role (Account A).

Step 2: Create the IAM Role

  1. Navigate to the IAM service.
  2. In the left navigation pane, select Roles.
  3. Click the Create role button.
  4. Under Select type of trusted entity, choose Another AWS account.
  5. Enter the Account ID of the account that will assume this role (Account B). The wizard records this as the trusted principal (the root ARN of Account B) in the role's trust policy; which users in Account B may actually assume the role is decided by Account B's own IAM policies in Step 6.
  6. (Optional) Specify an external ID. This is a string that Account B must pass in the AssumeRole call. It exists to prevent the confused-deputy problem when a third party assumes the role on your behalf; it is not a secret and is no substitute for restricting the trusted account. You can also select Require MFA so the role can only be assumed by a principal that authenticated with MFA.

Step 3: Attach Policies to the Role

  1. On the Attach permissions policies page, select the policies that define the permissions you want to grant to the role. AdministratorAccess grants full access to Account A; prefer the narrowest policy that covers what the users actually need, because every identity in Account B that is allowed to assume the role gets exactly these permissions.
  2. Click Next: Tags to add optional tags.
  3. Click Next: Review to proceed.

Step 4: Name and Review the Role

  1. Enter a Role name and an optional Role description.
  2. Review the settings and permissions.
  3. Click Create role.

Step 5: Copy the Role ARN from Account A

  1. Still signed in to Account A, navigate to the IAM service.
  2. In the left navigation pane, select Roles, then select the role you just created.
  3. Copy the Role ARN (Amazon Resource Name) shown in the role summary. It has the form arn:aws:iam::ACCOUNT_A_ID:role/ROLE_NAME. The role lives in Account A, so it is not listed in Account B's IAM console.

Step 6: Assume the Role from Account B

Sign in to the AWS Management Console for Account B and create an IAM policy that allows users to assume the role in Account A. Use the following policy, replacing ROLE_ARN with the role ARN copied from Account A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "ROLE_ARN"
    }
  ]
}

  1. Attach this policy to the users or groups that need cross-account access. Both sides must agree: the role's trust policy in Account A must name Account B (Step 2), and this identity policy in Account B must allow the AssumeRole call. Either one alone is not enough.
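The console wizard in Step 2 writes the role's trust policy for you, so it is never shown on this page, and the Step 6 policy is shown with a placeholder. The following Python is an added example, not part of the original guide and not AWS tooling: it generates the trust policy for Account A (including the external-ID and MFA conditions), the assume-role policy for Account B with the ARN filled in, a small model of how the trust policy evaluates one AssumeRole call, and the ~/.aws/config profile that is the CLI equivalent of the console Switch Role in Step 7. All account IDs, the role name, the external ID and the MFA device name are hypothetical values chosen for the example.

```python
"""Added example: build and sanity-check the two policy documents used for
AWS cross-account role access. Not AWS code; all IDs below are made up."""
import json
import re
from typing import Optional

ACCOUNT_A = "111111111111"                 # hypothetical: owns the role
ACCOUNT_B = "222222222222"                 # hypothetical: assumes the role
ROLE_NAME = "CrossAccountConsoleAccess"    # hypothetical role name
EXTERNAL_ID = "example-external-id-1234"   # hypothetical external ID


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of an IAM role; this is the value Step 5 tells you to copy."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(trusted_account: str, external_id: Optional[str] = None,
                 require_mfa: bool = False) -> dict:
    """Trust policy the Step 2 wizard writes for 'Another AWS account'.

    The principal is the trusted account's root ARN, which delegates to any
    identity in that account whose own IAM policy allows sts:AssumeRole
    (Step 6). The optional conditions are the wizard's external-ID and MFA
    checkboxes."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(target_role_arn: str) -> dict:
    """Identity policy for users or groups in Account B (Step 6), with the
    ROLE_ARN placeholder from the guide replaced by a real ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "sts:AssumeRole",
                       "Resource": target_role_arn}],
    }


def trust_allows(policy: dict, caller_account: str,
                 external_id: Optional[str], mfa_present: bool) -> bool:
    """Minimal model of evaluating the trust policy for one AssumeRole call.

    Understands only what trust_policy() emits (root principal, sts:ExternalId,
    aws:MultiFactorAuthPresent). It is a teaching model, not the IAM engine."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {})
        want_ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if want_ext is not None and external_id != want_ext:
            continue  # missing or wrong external ID: condition key fails
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" \
                and not mfa_present:
            continue
        return True
    return False


def cli_profile(profile: str, target_role_arn: str, source_profile: str,
                external_id: Optional[str] = None,
                mfa_serial: Optional[str] = None) -> str:
    """~/.aws/config stanza: the CLI equivalent of Switch Role in Step 7."""
    lines = [f"[profile {profile}]", f"role_arn = {target_role_arn}",
             f"source_profile = {source_profile}"]
    if external_id:
        lines.append(f"external_id = {external_id}")
    if mfa_serial:
        lines.append(f"mfa_serial = {mfa_serial}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    arn = role_arn(ACCOUNT_A, ROLE_NAME)
    trust = trust_policy(ACCOUNT_B, EXTERNAL_ID, require_mfa=True)
    print(json.dumps(trust, indent=2))                 # paste into Account A
    print(json.dumps(assume_role_policy(arn), indent=2))  # attach in Account B
    print(cli_profile("account-a", arn, "account-b", EXTERNAL_ID,
                      f"arn:aws:iam::{ACCOUNT_B}:mfa/alice"))
```

Running the script prints the two documents and the profile stanza; with the profile in place, `aws sts get-caller-identity --profile account-a` should return Account A's ID and the assumed-role ARN, which is the quickest way to confirm both halves of the setup agree.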

Step 7: Accessing the Role

Users in Account B can now use the AWS Management Console to switch roles:

    • Click on the username at the top right of the AWS Management Console.
    • Select Switch Role.
    • Enter the account ID of Account A and the role name created earlier.
    • Click Switch Role.

Conclusion

By following these steps, you can easily set up cross-account access in AWS, enabling users in one account to access resources in another securely and efficiently.
