How to Access cross Account using IAM role in AWS

business code coding computer
Reading Time: 3 minutes

What is cross-account in AWS?

You can use AWS Identity and Access Management (IAM) roles and AWS Security Token Service to set up cross-account access between AWS accounts. 

When you assume an IAM role in another AWS account to obtain cross-account access to services and resources in that account. 

What is IAM role?

  • IAM Stands For Identity and Access Management.
  • It is a service that help you securely control access to the aws resources. You can use IAM to control who is authenticated (signed-in) and authorized (has permission) to the resources.

Prerequisites:

  • Two AWS accounts that you can use, one is represent the Development account, and one is represent the prod account.

Create an IAM role in Account A:

  • login to the account A
  • Create one user and save the url and the credentials of user(console sign in url) that use in next time user login.
  • Attach policy to the user ec2 readOnlyAccess
  • Click on the group Inside the permission and provide the inline policy:
  • Select the Security token service(STS).
  • service –> Assume role
  • Click and apply the Inline policy

Using account B:

  • Login to the Account B.
  • Create one S3 Bucket.
  • Create role And use the another AWS Account role Create
  • Insert the Account ID of the AccountA.
  • Attach policy –> s3 readOnlyAccess
  • And provide the role name ex- s3role And save the role name that is used in next time.
  • In roles –> trusted policy edit
  • And paste ARN(amazon resource name) of the Account A.
  • you have access s3 through the Account A arn user.
  • And you can test the role using the user login.

Test Switch the role:

  • login to the user-1 through the https url which provide that time you create user(console sign in url)
  • https://##########.signin.aws.amazon.com/console.(### –> account ID).
  • After the login the user console.
  • Right side corner choose the Switch role
  • And Switch the role that you have already defined it (like s3read).
Switch role
  • After Switch Role.
  • you successful login, you should see the new Assume Role at the top right of the main menu.
  • Now use the menu bar at the top, click Services, and then click s3.
  • And verify that the s3 bucket of Account B are accessible or the same.

All the same buckets thats are present in the account B and in the Switch role.

https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/