
Managing multiple AWS accounts for your clients and switching all the time?
Then you might want to use the 'switch role' feature to quickly switch between accounts from within your master account.


MY_ACCOUNT: this is you, who wants to quickly switch to multiple clients' accounts
CLIENT_ACCOUNT: the account of the client

Prerequisites:

IAM User ARN:
You have an IAM user in MY_ACCOUNT that you want to give access to CLIENT_ACCOUNT by switching roles.
Copy the ARN and have it ready.


Step 1: configure the CLIENT_ACCOUNT

In the client's account (you need to be signed in as a user with sufficient privileges),

  • Go to 'roles' and click 'Create Role'
  • Select type of trusted entity: select 'Another AWS account'
  • Specify the CLIENT_ACCOUNT_ID (enabling 'Require MFA' did not work for me and resulted in errors)

Click next, then you need to attach one or more 'Service Policies' (permissions) to the role you are going to create.
This can be simply 'ReadOnlyAccess', 'AdminAccess' or a policy you created yourself (e.g. MyLeadDevelopersPolicy).

Then, 'tags' - add as required.

In the last step, provide an adequate role name. To distinguish the roles I created myself from automatically created roles, or roles managed by AWS, I always name my roles in lowercase with a prefix of the client.

In this case my name would be:
clientaccountprefix-access-myaccount


It's also good practice to provide an adequate description:
This role gives access to the external account of 24hoursmedia to manage resources / created by youremailaddress

Click create role, but we are not ready yet.

Modify the trust relationship

Click on the newly created role to edit it, select 'Trust relationships' and click 'Edit Trust Relationship'.

You'll see the ARN of 'root' mentioned, but we do not want this: we want to give a specific IAM user in MY_ACCOUNT access.
Replace the 'Principal/AWS' key value with the ARN of the IAM user, so it looks like this:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MY_ACCOUNT_ID:user/MY_IAM_USER_IN_MY_ACCOUNT"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
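
A check for the trust relationship edited above, as an added example that is not part of the original post: it parses a role trust policy and reports statements that allow sts:AssumeRole to an account root or wildcard principal instead of a specific IAM user, and whether an MFA condition is present. The function name audit_trust_policy, the account ID 111111111111 and the user name are constructed for illustration.

```python
import json

def _as_list(value):
    # IAM policy fields accept either a single value or a list.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(document):
    """Return (statement index, finding, principal) tuples for a trust policy."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" is a bare string, not an {"AWS": ...} mapping.
        arns = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append((index, "wildcard-principal", arn))
            elif arn.endswith(":root") or arn.isdigit():
                # Account root or a bare account ID: any identity in that
                # account with sts:AssumeRole permission can use the role.
                findings.append((index, "account-wide-principal", arn))
        conditions = stmt.get("Condition") or {}
        has_mfa = any(key.lower() == "aws:multifactorauthpresent"
                      for operator in conditions.values() for key in operator)
        if not has_mfa:
            findings.append((index, "no-mfa-condition", None))
    return findings

# Constructed samples; 111111111111 and the user name are placeholders.
ROOT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
USER_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:user/example-user"},
    "Action": "sts:AssumeRole",
    "Condition": {}}]})

if __name__ == "__main__":
    for name, doc in (("root", ROOT_TRUST), ("user", USER_TRUST)):
        print(name, audit_trust_policy(doc))
```
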

For the next step, have the ARN of the role at hand:

Role ARN:
You've just created a role in CLIENT_ACCOUNT that provides the permissions to your IAM user.
Copy the ARN and have it ready.


Step 2: Configure MY_ACCOUNT


You need to modify the policy of the IAM user in MY_ACCOUNT (i.e. YOU), so the user is allowed to switch to the CLIENT_ACCOUNT.

In MY_ACCOUNT, go to IAM users. We are going to give a specific user access.

Click on the user and select 'add inline policy'.

Add the policy below and give the policy an appropriate name (something like external-account-access; you can add multiple statements for multiple accounts).
Substitute the role ARN with the ARN you have available.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToAssumeRolesInMYCLIENTACCOUNTPREFIX",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::CLIENT_ACCOUNT_ID:role/CLIENT_ACCOUNT_PREFIX-account-MY_ACCOUNT"
        }
    ]
}

Test and switch roles

You can now test by switching roles from the account menu in AWS at the top.

The first time, you have to supply the CLIENT_ACCOUNT_ID and the role name (the last part of the role ARN, i.e. CLIENT_ACCOUNT_PREFIX-account-MY_ACCOUNT).

Afterwards, you can quickly switch between the remembered roles in the account dropdown.