AWS Switch Role Setup


AWS Switch Role Setup is our next tutorial, in which we explain how to set up IAM Policies and IAM Roles in order to switch between multiple AWS accounts without using separate credentials for each individual account. Setting up role switching in AWS may seem difficult or confusing, but in reality it is quite simple and easy to implement. Such a solution will definitely ease your user management tasks and at the same time give you the flexibility to manage user access in a more granular fashion. For this tutorial, which will be a very short one, we will use only two AWS accounts: the first, named Master AWS Account, is used for user management; the second, called, obviously, Second AWS Account, is used for role switching (we may also call this a tenant account if you want).

Table of contents

Context
Master AWS Account for User Management
Second AWS Account for Switch Role
Conclusion
Notes

Context

Assume that we are responsible for a couple of AWS accounts and would like to simplify the way we manage our user accounts and their permissions across all of them. Managing individual users in each of several AWS accounts is a very difficult and exhausting task, and over time it only gets worse; it will never go away unless we take action. The only way to solve this problem is to gather all user accounts under one single AWS account, let's call it the management account or master account, and from there dictate who should have access to which account or accounts. Having all user accounts in one place makes perfect sense, and this should be the way to go if we have more than two AWS accounts.

Master AWS Account for User Management

As our very first step in this tutorial we have to create a new IAM Policy called, for example, DevelopersSwitchRolePolicy. This policy can later be attached to an existing Role or Group within our Master Account, so let's create it using the following JSON:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn:aws:iam::222222222222:role/DevelopersAccess"
        ]
    }
}

Let's have a quick overview of this newly created IAM Policy.

As we can see this policy is quite simple but at the same time very powerful: it says that whoever this policy applies to (through the IAM Role or Group it is attached to) is Allowed to perform sts:AssumeRole on one specific resource, arn:aws:iam::222222222222:role/DevelopersAccess, where 222222222222 is the account ID of our Second AWS Account and DevelopersAccess is an existing role in that secondary account.

Also, on the Master Account we will have to create a few new user accounts, if we don't have any already in place, and assign them to an IAM Group named, for example, Developers. Once all desired user accounts have been assigned to our Developers group we attach the above IAM Policy to it. Our master account is now configured and we can move to the next step, where we will set up the secondary account.

Second AWS Account for Switch Role

All we have to do on this secondary account is create a new IAM Role called DevelopersAccess, exactly as declared in our DevelopersSwitchRolePolicy on the Master Account. We have to make sure that the role name matches our IAM Policy configuration, otherwise the AWS Switch Role function will fail.

For testing purposes we can assign a basic predefined AWS policy to this newly created role, for example AmazonS3ReadOnlyAccess. We can later extend this by adding more complex custom policies, but for now, in order to test our Switch Role setup, we can limit ourselves to only one basic policy.

That is all we have to do in order to configure role switching. We can now test this by going back to our master account and trying to switch roles using one of the users assigned to DevelopersSwitchRolePolicy; we will also need the real Account ID of the secondary account, not 222222222222 as in our example.

Master Account (where users are defined) > Switch Role > Provide: Role (DevelopersAccess) and Account ID (example: 222222222222)
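The switch only works when both halves agree: the master-side policy must name the exact role ARN, and the role in the second account must carry a trust policy naming the master account (the console writes that trust policy when the role is created for another AWS account). The following offline check is an added example, not code from the tutorial; it reuses the tutorial's policy and assumes 111111111111 as a placeholder for the Master AWS Account ID and a constructed trust policy for the DevelopersAccess role.

```python
import json
import re
# Master-account policy from the tutorial; 222222222222 is the tutorial's
# placeholder for the Second AWS Account ID.
MASTER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                "Resource": ["arn:aws:iam::222222222222:role/DevelopersAccess"]}
}""")

# Constructed trust policy for the DevelopersAccess role in the second account;
# 111111111111 is an assumed placeholder for the Master AWS Account ID.
TRUST_POLICY = {
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}],
}

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_assume(policy):
    """Allow statements granting sts:AssumeRole (Statement may be an object or a list)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            yield stmt

def assumable_roles(master_policy):
    """(account_id, role_name) pairs the master-side policy lets a user assume."""
    return {m.groups() for stmt in _allow_assume(master_policy)
            for arn in _as_list(stmt.get("Resource", []))
            if (m := ROLE_ARN.match(arn))}

def trusted_accounts(trust_policy):
    """Account IDs whose principals the role's trust policy lets assume it."""
    accounts = set()
    for stmt in _allow_assume(trust_policy):
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            m = PRINCIPAL_ARN.match(principal)
            accounts.add(m.group(1) if m else principal)  # a bare account ID is also valid
    return accounts

def switch_role_configured(master_account_id, master_policy, role_account_id, role_name, trust_policy):
    """Both halves must agree: the master policy names the exact role ARN and the role
    trusts the master account. 'Developers' vs 'DevelopersAccess' fails, as in the console."""
    return ((role_account_id, role_name) in assumable_roles(master_policy)
            and master_account_id in trusted_accounts(trust_policy))
```

Run it against the real role ARN and trust policy (for example from `aws iam get-role`) before testing in the console; a role-name typo on either side shows up here as a False result rather than as a failed switch.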

Conclusion

Imagine having 50 AWS accounts under management and one user who has access to 10 of them. When he decides to leave the company we will have to perform 10 separate tasks simply to remove his account, and that only if we remember exactly which accounts he had access to; it is a very slow and ineffective method.

By using this Switch Role Setup we speed things up by simply removing his account from the master account, a very easy and more elegant way of dealing with user account management.

Notes

Be aware that the AWS console can store only up to five Account IDs for Role Switching in its browser cookie. If you intend to manage more than five AWS Accounts you may want to install a browser extension that helps with this; a good example of such an extension is AWS Extend Switch Roles, developed by Toshimitsu Takahashi and a few other contributors.


About this page

Article: AWS Switch Role Setup
Published: 15/10/2019
Updated: 15/10/2019
