DEV Community

AWS Community Builders profile image Bachar Hakam
Bachar Hakam for AWS Community Builders

Posted on • Updated on

How to create an AWS Cross-Account Access? (A Step-by-Step Guide)

#cloudformation #devops #awscrossaccount #shareawsaccount

Image description

We usually use multiple accounts when configuring a new or existing AWS environment, which could require cross-account access between those accounts. We could use the AWS Resource Manager to share some resources between the accounts. Alternatively, we can create a cross-account role to be assumed by users in another account to access more resources with higher permissions.

This article will demonstrate how to set up cross-account access between 2 accounts (Alice & Bob) using either AWS Management Console or CloudFormation stack.

Cross Account Setup

Using the accounts Alice and Bob as an example, Bob requests administrator access to Alice's account.
To begin, we'll create an Administrator role for account Alice that account Bob will use. The next step is to switch to account Bob so that user Bob can set up an inline policy allowing them to take on this new role in account Alice.

NOTE: It would be better to use a role with the least privilege permissions as per the best practice, but for the sack of simplicity we will use the Administrator access role policy in this article. In a real-world scenario, the policy should only have the necessary permissions for each user based on the use case.

Step 1: Account Alice - Administrator Role

Option-1: Using AWS Management Console

  • Go to The AWS IAM console inside Account Alice
  • Create a new role
  • Select Another AWS account then add Bob's account ID
  • Attach the required policy, in this example "AdministratorAccess"
  • Enter the name of the role "SwitchAccountBobAdminRole"
  • Select Create role

Option-2: Using AWS CloudFormation stack

  • Download the CloudFormation template CrossAccountRole-admin.yaml
  • Edit the template to update the Default value of the AccessToAccountId under Parameters
  • Replace ACCOUNT-B-ID with an actual AWS account ID "in this case account Bob"

Default: 'ACCOUNT-B-ID'

  • Go to AWS CloudFormation console
  • Click on Create stack (Standard)
  • Select Upload a template file then upload the updated template and click Next
  • Type the Stack name
  • Click on Next
  • Review the stack, select I acknowledge that AWS CloudFormation might create IAM resources. then click on submit

Step 2: Account Bob - Assume Role Policy

Option-1: Using AWS Management Console

  • Go to AWS IAM console
  • Select Policy then create a new policy
  • use the following json policy and change the relevant details (role ARN created previously) 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<AlicAccount-id>:<RoleName>"
  }
}
Enter fullscreen mode Exit fullscreen mode
  • Enter the name of the policy "Alice-Account-AssumeRole"
  • Select Create policy
  • Attach the policy to user Bob

Option-2: Using AWS CloudFormation stack

  • Download the CloudFormation template AssumeRolePolicy-Bob.yaml
  • Edit the template to update the following values
    • Rename the policy name as required

PolicyName: BobAssumeRoleFromAccountAlice

  • Replace ACCOUNT-ALICE-ID with an actual account ID

Resource: arn:aws:iam::ACCOUNT-ALICE-ID:role/CrossAccountAdminRole

  • Replace Bob with the actual username in the second account

    UserName: Bob

    • Go to AWS CloudFormation console
    • Click on Create stack (Standard)
    • Select Upload a template file then upload the updated template and click Next
    • Type the Stack name
    • Click on Next
    • Review the stack, select I acknowledge that AWS CloudFormation might create IAM resources. then click on submit

Test & Verify

Now that the new role has been created in the first account (Account Alice) and you have attached the AssumeRole policy to the User inside the second account (Account Bob). You can verify that Bob can access Alice account by following these steps:

  • Log in to Account Bob
  • Click on the account ID at the top right
  • Click Switch role
  • Type the account ID of the other account (Account Alice)
  • Type the role name you have created in (Account Alice) "in this example we used CrossAccountAdminRole"
  • Type the display name, chose a color then click Switch Role

You should be able to access the other account (Account Alice) successfully then return back to (Account Bob) by clicking on the account ID on the top right then select Switch back

Conclusion

To sum up, using AWS cross-account features helps different AWS accounts work together by sharing resources and access. This article showed how to do this with a simple example involving two accounts, Alice and Bob. By creating roles and policies, we made sure Bob could easily access and work in Alice's account. This approach makes it easier for different accounts to collaborate securely, which is important for complex setups in AWS.

Top comments (0)

Read next

rahmantheman profile image

Enhance Your Web Protection: AWS WAF Essentials

Rahman Badru -

thomastaylor profile image

Applying event filters to AWS Lambda Functions with the AWS CDK

Thomas Taylor -

saranshk profile image

Node.js 20.6 adds built-in support for .env files

saransh kataria -

epakconsultant profile image

AWS DevOps — Configuring IAM for DevOps Role with Restricted Access

sajjad hussain -