Enable Switch Role feature to access Multiple AWS Accounts

19 / Jun / 2015 by Vikash Jha 0 comments

Today we're going to demonstrate the Switch Role feature that AWS introduced a few months back. It lets an IAM user switch roles directly in the AWS Management Console to access resources across multiple AWS accounts.

For example, let's say an IAM user X in Account 1 wants to access resources that belong to Account 2. In this scenario we'll create an IAM role in Account 2 and allow user X from Account 1 to assume it.

Walkthrough

Let's walk through a concrete scenario: an IAM user "foo" in Account 1 wants to access S3 resources owned by another account, Account 2.

Step 1. Configure Account 2

a) Create a role

image1

b) Select Role for Cross-Account Access

image2

c) Provide the account number of Account 1, the account in which user "foo" exists

image3

d) Attach a policy to the above role

image4

Step 2. Configure Account 1

a) Attach the policy below to the IAM user "foo" in Account 1.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<Account-2-ID>:role/<RoleName>"
    }
}

Replace the Resource value with the ARN of the role we created in Account 2 (copy it from the role's summary page).

b) Now log in to the AWS Management Console of Account 1 as IAM user "foo" and click Switch Role.

image7

c) This redirects you to a page asking for the details of Account 2: enter the account number of Account 2 and the name of the role you created in Step 1.

image8

d) If everything works, you are redirected to the AWS Management Console of Account 2 and can access the granted resources.

image9
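As an added example (not part of the original post), here are the three policy documents the walkthrough creates through the console, written out in Python together with a small review check. The check flags the over-broad trust that the console wizard produces in Step 1c when you only supply an account number: the resulting trust policy names the account root, so any principal in Account 1 that is allowed sts:AssumeRole can assume the role, not just "foo". The account ids, role name, bucket name and function names are constructed for this example.

```python
import re

# Constructed sample values; substitute your own account ids, role and bucket names.
ACCOUNT_1 = "111111111111"          # home account of IAM user "foo"
ACCOUNT_2 = "222222222222"          # account that owns the S3 bucket and the role
ROLE_NAME = "CrossAccountS3Access"  # hypothetical role name
BUCKET = "account2-data"            # constructed bucket name

def trust_policy(trusting_account, user, require_mfa=True):
    """Trust policy of the role in Account 2 (Step 1c). The console wizard trusts the
    whole account root; naming the single user ARN keeps every other principal out."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusting_account}:user/{user}"},
            "Action": "sts:AssumeRole"}
    if require_mfa:  # same effect as the wizard's "Require MFA" checkbox
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def role_permissions(bucket):
    """Permission policy attached to the role (Step 1d): read-only on one bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}

def assume_role_policy(role_account, role_name):
    """Policy for user "foo" in Account 1 (Step 2a) with the role ARN filled in."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{role_account}:role/{role_name}"}]}

ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")

def trust_policy_findings(policy):
    """Review a trust policy: flag root/wildcard principals and Allow statements with no Condition."""
    findings = []
    stmts = policy["Statement"]
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [principals] if isinstance(principals, str) else principals:
            if p == "*" or ROOT_PRINCIPAL.match(p):
                findings.append(f"broad principal: {p}")
        if "Condition" not in stmt:
            findings.append("no Condition (consider aws:MultiFactorAuthPresent or sts:ExternalId)")
    return findings
```

Run `trust_policy_findings` against the trust policy the wizard generated (visible on the role's Trust Relationships tab) before handing the role out; an empty list means the trust is scoped to a named principal and carries a condition.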

Leave a comment if you have any questions regarding this article.
