@fedorg
Last active July 24, 2023 21:52
Tutorial: Sharing Administrator Access from One AWS Account to Another

In this tutorial, we'll walk through the steps to share administrator access from one AWS account (Account A) to another AWS account (Account B). This will allow users in Account B to manage resources and perform administrative tasks on resources in Account A. We'll use AWS Identity and Access Management (IAM) roles and cross-account access to achieve this.

Prerequisites:

  1. You must have administrative access to both AWS accounts (Account A and Account B).
  2. Familiarity with AWS IAM and its concepts.

Step 1: Create a Role in Account A

  1. Log in to the AWS Management Console for Account A.
  2. Navigate to the IAM service.
  3. Click on "Roles" in the left navigation pane.
  4. Click on the "Create role" button.
  5. Choose "Another AWS account" as the trusted entity.
  6. Enter the AWS account ID of Account B in the "Account ID" field.
  7. Click "Next: Permissions."
  8. Select the appropriate policies or attach the "AdministratorAccess" policy to this role.
  9. Click "Next: Tags" (optional) and add any relevant tags for the role.
  10. Click "Next: Review."
  11. Provide a name for the role (e.g., "AccountB-Admin-Access") and an optional description.
  12. Click "Create role."

Step 2: Modify the Trust Relationship for the Role in Account A

  1. After creating the role, click on the role you just created in the IAM Roles list.
  2. Click the "Trust relationships" tab.
  3. Click "Edit trust relationship."
  4. Update the JSON policy document with the following trust relationship, replacing "ACCOUNT_B_ID" with the AWS account ID of Account B.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  5. Click "Update Trust Policy."

Step 3: Share the Role ARN with Account B

  1. Go back to the "Summary" tab of the role you created in Account A.
  2. Copy the Role ARN, which looks like this: arn:aws:iam::ACCOUNT_A_ID:role/AccountB-Admin-Access. Save it for the next step.

Step 4: Grant Permissions in Account B

  1. Log in to the AWS Management Console for Account B.
  2. Navigate to the IAM service.
  3. Click on "Roles" in the left navigation pane.
  4. Click on "Create role."
  5. Choose "Another AWS account" as the trusted entity.
  6. Enter the AWS account ID of Account A in the "Account ID" field.
  7. Under "Permissions," attach policies that define what permissions the users in Account B will have in Account A.
  8. Click "Next: Tags" (optional) and add any relevant tags for the role.
  9. Click "Next: Review."
  10. Provide a name for the role (e.g., "AccountA-Admin-Access") and an optional description.
  11. Click "Create role."

Step 5: Test the Access from Account B to Account A

  1. In Account B's IAM, go to "Roles" and click on the role you created in Step 4 (e.g., "AccountA-Admin-Access").
  2. Click on the "Trust relationships" tab and ensure it has the correct trust relationship as mentioned in Step 2.
  3. Use the "Switch Role" option in the AWS Management Console to test access from Account B to Account A using the Role ARN from Step 3.

That's it! You have now successfully shared administrator access from Account A to Account B in AWS. Users in Account B can now manage resources and perform administrative tasks in Account A using the IAM role you created.
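As an added defender's check, not part of the gist: a small Python script that parses a trust policy in the shape used in Step 2 and flags any Allow statement that trusts an account outside the expected set, uses a wildcard principal, or grants an action other than sts:AssumeRole. Both policy documents below are constructed for the example, with ACCOUNT_B_ID kept as the tutorial's placeholder rather than a real account ID.

```python
import json

# Constructed trust policy in the shape Step 2 has you paste into the
# Account A role; ACCOUNT_B_ID is the tutorial's placeholder, not a real ID.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::ACCOUNT_B_ID:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed over-broad variant: any AWS account could assume the role.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
})


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Principal and Action.
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    # A principal is a full ARN ("arn:aws:iam::123456789012:root") or a bare
    # account ID; in an ARN the account is the fifth colon-separated field.
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def check_trust_policy(policy_json, allowed_accounts):
    """Return findings for a role trust policy. An empty list means every
    Allow statement trusts only allowed_accounts, and only for AssumeRole."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {i}: unexpected action {action}")
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
            continue
        for arn in aws:
            if _account_of(arn) not in allowed_accounts:
                findings.append(f"statement {i}: untrusted account {_account_of(arn)}")
    return findings
```

Point it at the role's AssumeRolePolicyDocument (which aws iam get-role returns) after any edit to confirm the trust still names only Account B.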
