Managing multiple AWS accounts for your clients and switching all the time?
Then you might want to use the 'switch role' feature to quickly switch between accounts from within your master account.
MY_ACCOUNT: this is you, who wants to quickly switch to multiple client's accounts
CLIENT_ACCOUNT: the account of the client
Prerequisites:
IAM User ARN:
You have an IAM user in MY_ACCOUNT that you want to give access to CLIENT_ACCOUNT by switching roles.
Copy the arn and have it ready
In the client's account (you need to be signed in as a user with sufficient privileges),
Click next, then you need to attach one or more 'Service Policies' (permissions) to the role you are going to create.
This can be simply 'ReadOnlyAccess', 'AdminAccess' or a policy you created yourself (i.e. MyLeadDevelopersPolicy).
Then, 'tags' - add as required.
In the last step, provide an adequate role name. To distinguish the roles I created myself from automatically created roles, or roles managed by AWS, I always name my roles in lowercase with a prefix of the client.
In this case my name would be:
clientaccountprefix-access-myaccount
It's also good practice to provide an adequate description:
This role gives access to the external account of 24hoursmedia to manage resources / created by youremailaddres
Click create role, but we are not ready yet.
Modify the trust relationship
Click on the newly created role to edit, select 'Trust relationships' nad click 'Edit Trust Relationship'.
You'll see the arn of 'root' mentioned, but we do not want this - we want to give a specific iam user in MY_ACCOUNT access.
Replace the 'Principal/AWS' key value with the ARN of the IAM user, so it looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MY_ACCOUNT_ID:user/MY_IAM_USER_IN_MY_ACCOUNT"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
For the next stape, have the ARN of the role at hand:
Role ARN:
You've just created a role in CLIENT_ACCOUNT that provides the permissions to your IAM user.
Copy the arn and have it ready.
You need to modify the policy of the IAM user in MY_ACCOUNT (i.e. YOU), so the user is allowed to switch to the CLIENT_ACCOUNT.
In MY_ACCOUNT, go to IAM users. We are going to give a specific user access.
Click on the user and select 'add inline policy'.
Add the policy below and give the policy an appropriate name (something like external-account-access - you can add multiple statements for multiple accounts).
Substitute the role arn with the arn you have available.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermissionToAssumeRolesInMYCLIENTACCOUNTPREFIX",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::CLIENT_ACCOUNT_ID:role/CLIENT_ACCOUNT_PREFIX-account-MY_ACCOUNT"
}
]
}
You can now test by switching roles from the account menu in AWS at the top.
The first time, you have to have supply the CLIENT_ACCOUNT_ID and the role name (the last part of the role arn, i.e. CLIENT_ACCOUNT_PREFIX-account-MY_ACCOUNT).
Afterwards, you can quickly switch in the remembered roles in the account dropdown.