AWS Cross-Account Assume Role

Recently I needed to manage more than one AWS account, and the accounts are not under an Organization unit. To browse around the two accounts I would need two sets of credentials and have to keep logging in and out (unless I open two different browsers or use incognito mode).

I found that cross-account assume role is what allows me to easily manage and access both accounts.

There are a few steps I need to do for the delegation of the role to work. Because I'm the administrator for both accounts, the permission I granted is administrator access, which is not recommended by AWS.

Use Case:

A Account – Current existing account which I already have access to

B Account – New account which I want to assume the role from

Steps to follow:

  1. Create the role in the new account (B account) which trusts the old account (A account) ID
  2. Go to the old account and set up Switch Role on the console, entering the new account (B account) ID and the role name
  3. Switch over to the new account

Create a new role in the new account (B account)

Log in to the B account console, go to the IAM console, then click Create role and select “Another AWS account”. Enter the account number of the old account (A account).

Select the permissions for this particular role. For my test case, I created it with administrator access; for a different use case, you may want to create a specific permission for it.

Enter the role name for the newly created role; this role name will be used in the old account (A account) to assume the role.

Assume the role from the old account (A account)

Go back to the old account (A account). In the top header, click on the login username and, from the drop-down, select “Switch Role”.

On the Switch Role page, enter the new account (B account) ID, the role name and the display name.

The role name is the name of the role that we created in the new account (B account).

The display name is just a name that lets you identify which account it refers to. In addition, you can select a color to make the account selection more obvious.

Once you click Switch Role, you should see the new role appear in the drop-down list. By clicking the role you want to switch to, you should see the account change to the respective account.

Once you switch over to the new account (B account), you should see the name appear on the top bar, along with the color selected for the account.

From the drop-down list, you can see that you are logged in as the old account (A account) and currently active as the new account ID (B account). You can easily switch back to your old account by clicking Back to [name].

By allowing the user to switch between accounts, we can easily manage more than one AWS account without logging in and out to switch between them. But it's always recommended to use SSO to manage user credentials for more than one AWS account. Because my current organization has not implemented SSO or SAML, this is one of the solutions that can ease switching between accounts.
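
The two halves of the setup above, as an added example that is not from the original post: the trust policy the role in B account carries, the console Switch Role link for a user in A account, and a small review of what the policy actually trusts. The account IDs, role name and display name are constructed placeholders, and the MFA condition is an optional hardening assumption, not something the post configured.

```python
import json
from urllib.parse import urlencode

ACCOUNT_A = "111111111111"        # constructed: existing account (holds the IAM user)
ACCOUNT_B = "222222222222"        # constructed: new account (holds the role)
ROLE_NAME = "CrossAccountAdmin"   # hypothetical role name


def trust_policy(trusted_account_id, require_mfa=False):
    """Trust policy for the role in account B that trusts account A."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def switch_role_url(account_id, role_name, display_name):
    """Console link that pre-fills the Switch Role page for a user in account A."""
    query = urlencode({"account": account_id, "roleName": role_name,
                       "displayName": display_name})
    return f"https://signin.aws.amazon.com/switchrole?{query}"


def review_trust_policy(policy, expected_account_id):
    """Return findings for Allow statements that trust more than intended."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        for arn in arns:
            # A bare 12-digit account ID is equivalent to that account's :root ARN.
            if arn == "*":
                findings.append("any AWS principal can assume this role")
            elif arn != expected_account_id and f"::{expected_account_id}:" not in arn:
                findings.append(f"unexpected trusted principal: {arn}")
        if "Condition" not in stmt:
            findings.append("no Condition (such as MFA) on sts:AssumeRole")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_A, require_mfa=True), indent=2))
    print(switch_role_url(ACCOUNT_B, ROLE_NAME, "B-account"))
```

Trusting the `:root` principal of A account delegates the decision to A account's own IAM policies, so a non-administrator user in A account still needs an identity policy allowing `sts:AssumeRole` on the role's ARN.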

Follow up on the use case

Because these two accounts are under my country and I only need console access to both accounts, this was enough for me. If you need to allow EC2 to access the B account (new account), then you may create the role in A account, then assume the role in B account. The following is a sample of another use case; I will write a new post on this use case in the future.

Avi Vantage AWS Cross Account AssumeRole Support
