IAM Tutorial: Delegate access across AWS accounts using IAM roles

Step 1: Create a role

  • You can allow users from one AWS account to access resources in another AWS account.

  • Create a role that defines who can access it and what permissions it grants to users that switch to it.

Step 2: Grant access to the role

  • Attach the following policy statement to the user or group that should be allowed to assume the role (replace PRODUCTION-ACCOUNT-ID with the ID of the account that owns the UpdateApp role):

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/UpdateApp"
  }
}
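Added example (not part of the original tutorial): Python that builds both halves of the delegation described in Steps 1 and 2, the role's trust policy in the Production account and the sts:AssumeRole permissions policy for the Development user, then reviews the pair for the two mistakes that most often break or over-open cross-account access. The account IDs are constructed placeholders; the MFA condition in the trust policy is a hardening choice assumed here, not something the page states.

```python
# Constructed placeholder account IDs; substitute the real Development and
# Production account IDs when adapting this.
DEV_ACCOUNT_ID = "111111111111"
PROD_ACCOUNT_ID = "222222222222"
ROLE_NAME = "UpdateApp"


def role_arn(account_id, name):
    return f"arn:aws:iam::{account_id}:role/{name}"


def trust_policy(trusted_account):
    """Step 1: the role's trust policy, scoped to the Development account.
    The aws:MultiFactorAuthPresent condition is an added hardening choice."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def assume_role_policy(target_role_arn):
    """Step 2: permissions policy attached to the Development user or group."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": target_role_arn}],
    }


def _statements(policy):
    # IAM accepts "Statement" as a single object or a list; normalise to a list.
    st = policy["Statement"]
    return st if isinstance(st, list) else [st]


def review_delegation(trust, perm, dev_account, prod_role_arn):
    """Return findings (empty list == consistent and not over-broad)."""
    findings = []
    for st in _statements(trust):
        principal = st.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append("trust policy allows any AWS principal")
        elif dev_account not in str(aws):
            findings.append(f"trust policy does not name account {dev_account}")
    for st in _statements(perm):
        if st.get("Action") == "sts:AssumeRole" and st.get("Resource") != prod_role_arn:
            findings.append(f"sts:AssumeRole resource is {st.get('Resource')}, expected {prod_role_arn}")
    return findings
```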

Step 3: Allow user to switch roles
