« Back to overview

Managing multiple AWS accounts for your clients and switching all the time?
Then you might want to use the 'switch role' feature to quickly switch between accounts from within your master account.

MY_ACCOUNT: this is you, who wants to quickly switch to multiple client's accounts
the account of the client


You have an IAM user in MY_ACCOUNT that you want to give access to CLIENT_ACCOUNT by switching roles.
Copy the arn and have it ready

Step 1: configure the CLIENT_ACCOUNT

In the client's account (you need to be signed in as a user with sufficient privileges),

  • Go to 'roles' and click 'Create Role'
  • Select type of trusted entity: select 'Another AWS account'
  • Specify the CLIENT_ACCOUNT_ID (enabling 'Require MFA' did not work for me and resulted in errors)

Click next, then you need to attach one or more 'Service Policies' (permissions) to the role you are going to create.
This can be simply 'ReadOnlyAccess', 'AdminAccess' or a policy you created yourself (i.e. MyLeadDevelopersPolicy).

Then, 'tags' - add as required.

In the last step, provide an adequate role name. To distinguish the roles I created myself from automatically created roles, or roles managed by AWS, I always name my roles in lowercase with a prefix of the client.

In this case my name would be:

It's also good practice to provide an adequate description:
This role gives access to the external account of 24hoursmedia to manage resources / created by youremailaddres

Click create role, but we are not ready yet.

Modify the trust relationship

Click on the newly created role to edit, select 'Trust relationships' nad click 'Edit Trust Relationship'.

You'll see the arn of 'root' mentioned, but we do not want this - we want to give a specific iam user in MY_ACCOUNT access.
Replace the 'Principal/AWS' key value with the ARN of the IAM user, so it looks like this:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MY_ACCOUNT_ID:user/MY_IAM_USER_IN_MY_ACCOUNT"
      "Action": "sts:AssumeRole",
      "Condition": {}

For the next stape, have the ARN of the role at hand:

Role ARN:
You've just created a role in CLIENT_ACCOUNT that provides the permissions to your IAM user.
Copy the arn and have it ready.

Step 2: Configure MY_ACCOUNT

You need to modify the policy of the IAM user in MY_ACCOUNT (i.e. YOU), so the user is allowed to switch to the CLIENT_ACCOUNT.

In MY_ACCOUNT, go to IAM users. We are going to give a specific user access.

Click on the user and select 'add inline policy'.

Add the policy below and give the policy an appropriate name (something like external-account-access - you can add multiple statements for multiple accounts).
Substitute the role arn with the arn you have available.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "PermissionToAssumeRolesInMYCLIENTACCOUNTPREFIX",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::CLIENT_ACCOUNT_ID:role/CLIENT_ACCOUNT_PREFIX-account-MY_ACCOUNT"

Test and switch roles

You can now test by switching roles from the account menu in AWS at the top.

The first time, you have to have supply the CLIENT_ACCOUNT_ID and the role name (the last part of the role arn, i.e. CLIENT_ACCOUNT_PREFIX-account-MY_ACCOUNT).

Afterwards, you can quickly switch in the remembered roles in the account dropdown.