How to Configure Cross-Account Access for an IAM User in AWS?
Step-by-Step Guide to Setting Up Cross-Account Access for an IAM User in AWS
In this tutorial, we'll walk through the steps to configure role-based access for an IAM user in AWS. Our scenario: we have an IAM user with administrator access, and we've created a second IAM user, Paul, in the same AWS account who has no permissions of his own. We want Paul to be able to switch into a role, created by the administrator, that grants him access to EC2 resources. Let's dive in!
Step 1: Create a Role in Administrator Account
1) Sign in to the AWS Management Console as the administrator.
2) Open the IAM console and in the left navigation pane, click on "Roles" and then click the "Create role" button.
3) Select "AWS account" as the trusted entity type. Since Paul is in the same account, select "This account" and click "Next". Note that "This account" makes the account root (arn:aws:iam::<account-id>:root) the trusted principal, which means any identity in the account that holds sts:AssumeRole permission could assume the role; we narrow this down to Paul in Step 2.
4) Add the permissions the role should carry. You can attach existing AWS managed policies or create custom ones; for this tutorial we use an existing policy. As shown in the image, we attached "AmazonEC2FullAccess", which grants full access to EC2 resources, so once Paul assumes the role he can launch and manage EC2 instances. This policy is broad; in production, scope the role's permissions down to what the user actually needs. Click "Next".
5) Enter the role name and description, then click "Create role".
Step 2: Configure the trust policy
1) Click on the role you just created (in this tutorial we named it EC2accessforPaul), then open the "Trust relationships" tab.
2) Click "Edit trust policy" and add a principal. Select "IAM users" as the principal type and enter Paul's user ARN, which is built from the account ID and his user name: arn:aws:iam::<account-id>:user/Paul. Click "Update policy". Because the trust policy now names Paul explicitly and he is in the same account, he can assume the role without any sts:AssumeRole statement in his own identity-based policy. If the account-root principal from Step 1 is still listed alongside Paul, remove it if the role is meant for Paul alone; otherwise any other user in the account with sts:AssumeRole permission can assume it too.
Step 3: Switch the Role in the AWS Management Console
1) Sign in as the IAM user Paul. As shown in the image below, Paul sees API errors in the console because he does not have permission to access any resources.
2) Click on Paul's username in the top right corner, and then click on "Switch Role" in the dropdown menu.
3) Enter the 12-digit AWS account ID of the account that holds the role (the same account Paul belongs to here) and the name of the role created in Step 1, which is "EC2accessforPaul" in this tutorial. Click "Switch Role".
4) As shown in the image below, you have successfully switched into the role and the EC2 console no longer shows API errors. You can now launch instances and manage EC2 resources, because the role carries the AmazonEC2FullAccess policy attached in Step 1. The session is temporary and runs under the role's permissions, not Paul's; switching back to Paul returns you to an identity with no permissions.
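The following is an added example, not code from the original tutorial, showing the same three steps done outside the console. It builds the Step 2 trust policy for a named IAM user, includes a small local checker that illustrates the difference between trusting the account root ("This account" in Step 1) and trusting Paul explicitly, and wraps the boto3 calls for creating the role and assuming it (the CLI/SDK equivalent of "Switch Role"). The account ID 123456789012 is a placeholder; boto3 is assumed to be installed and the AWS calls are only made if you invoke those functions with real credentials.

```python
import json
import re

# Constructed placeholder values for this example; replace with your own.
ACCOUNT_ID = "123456789012"
ROLE_NAME = "EC2accessforPaul"
USER_NAME = "Paul"
EC2_FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"


def build_trust_policy(account_id, user_name):
    """Trust policy equivalent to Step 2: only the named IAM user in this
    account may call sts:AssumeRole on the role."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trusted_principals(trust_policy):
    """Collect the AWS principal ARNs that an Allow statement lets assume the role."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        found.update(aws)
    return found


def can_assume(trust_policy, principal_arn, has_assume_role_permission=False):
    """Simplified same-account check. A user named explicitly in the trust
    policy is allowed by the trust policy alone; if only the account root is
    trusted ("This account" in Step 1), the user additionally needs
    sts:AssumeRole in their own identity-based policy."""
    trusted = trusted_principals(trust_policy)
    if principal_arn in trusted:
        return True
    account = principal_arn.split(":")[4]  # ARN field 4 is the account ID
    if f"arn:aws:iam::{account}:root" in trusted:
        return has_assume_role_permission
    return False


def create_role(account_id, role_name, user_name):
    """Steps 1 and 2 via boto3: create the role with the user-scoped trust
    policy and attach AmazonEC2FullAccess. Requires IAM write credentials."""
    import boto3  # imported here so the local checks above run without it
    iam = boto3.client("iam")
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(account_id, user_name)),
        Description=f"EC2 access for {user_name} via role switching",
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=EC2_FULL_ACCESS_ARN)


def switch_role(account_id, role_name, session_name):
    """Step 3 via the SDK: assume the role with the caller's credentials
    (Paul's) and return temporary credentials for the role session."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName=session_name,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, USER_NAME)
    print(json.dumps(policy, indent=2))
    paul = f"arn:aws:iam::{ACCOUNT_ID}:user/{USER_NAME}"
    print("Paul can assume the role:", can_assume(policy, paul))
```

Running the script prints the trust policy you would otherwise paste into the "Edit trust policy" editor. The `can_assume` check is deliberately minimal (no conditions, deny statements, or permission boundaries), but it captures the practical point of Step 2: naming the user in the trust policy is what lets a permissionless user like Paul switch roles, whereas a root-only trust policy would also require an sts:AssumeRole grant on Paul himself.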
I appreciate you reading this guide and hope it has been informative and useful for you.