You can quick switch to any of your AWS accounts with a click of a button on a menu, listing them by name and color.
Wanna learn how to configure that list in a couple of minutes?
Using multiple accounts is a common practice for many organizations. Whether for development environments consolidation, billing separation, and granularity or third party service accounts, using multiple accounts is an everyday necessity.
As a consultant, I need to regularly share my account resources among other in-house accounts as well as with customers’ accounts.
For a while, I used to disconnect and reconnect from one account to another dozen of times a day. When the action became too frequent to bare, I had to find a suitable solution, one that would give me the freedom of hopping from one account to another without the hassle of changing login sessions.
AWS Cross-Account access role is a setup where a given account, validates another account for access, by letting it assume a pre-configured IAM role. The external account’s users and resources can then assume the given role and use the new account’s resources within the boundaries of its IAM role privileges.
Configuring cross-account access role requires a couple of minutes following a few simple steps. By the end of the configuration, you’ll be able to just select “change role” from a drop down menu visible at all times in the AWS console, and make a quick jump to whichever account set with a cross access role:
-
Within the AWS Console, select Services **and search **Identity and Access Management
-
From the sidebar menu at the IAM console, select Roles
-
**Create a New Role **and provide a descriptive name
-
At Select Role Type choose the Role for Cross-Account Access option:
-
Provide the Account ID of the account which you are allowing the access [ Account ID can be located by Support on the top right-hand side and Support Center, the ID will then appear under the **Support **link ]
-
Provide a policy template for the role, whether an AWS managed or a custom constructed policy
-
Approve your changes
Now:
Click your user name on the top right-hand side of your AWS console. Then from the drop-down list select Switch Role
Provide the account name, given role and a color for future quick access from your console menu
From now on, the configured accounts would be available for quick shifting with a single click of a button
Ah, wait, none of us ever actually see the colorful console right? UI is lame.
You run everything from your console right? :)
Let’s see how assuming a cross-account role can be easily done using AWS CLI:
Create a new AWS profile on your AWS CLI configuration file ( Normally found under ~/.aws/credentials )
$ cat ~/.aws/credentials
[profile crossaccountrole]
role_arn = arn:aws:iam::123456789012:role/xaccount
source_profile = default
Once your new cross-account profile is set, you’ll be able to shoot any CLI line using the profile flag
$ aws s3 ls --profile crossaccountrole
Another option is to set an environment variable **AWS_PROFILE **that will be automatically used by any AWS SDK or the CLI
$ export AWS_PROFILE=crossaccountrole
Voilà!
Not only you’ve got all your accounts color coded in the console and ready for quick shifting, but you can use single secret credential for all of your CLI accounts as well.