AWS Multi-Account Access Across Organizations

Paulo Carvalho
5 min readNov 29, 2023

As a service provider, freelancer or software factory you may often find yourself needing to quickly switch between multiple AWS accounts. We will explore a way to achieve this using the AWS Identity Center.

Introduction

The AWS Identity Center is the successor of the AWS IAM and allows for centralized control of users to one or many AWS accounts.

Over the course of this article, we are going to review how to grant users managed via the AWS Identity Center access to multiple AWS accounts regardless of the organization to which these accounts belong.

We will achieve this by creating an AWS Role in the account that is to be accessed and a permission set in the main account (the one you own and has your users) that allows assuming the created role in the other account.

Important: For the remainder of this article we will be calling remote the account from the client you are attempting to access and home the one that has your company’s user management.

Configuration

Step 1: Create Role in Remote Account

1 — Access your client’s account (hereafter referred to as remote account) as an administrator via whichever mechanism you usually use.

2 — Navigate to the Roles management area under the IAM section here.

3 — Click on “create role” on the top right of the screen.

4 — Select “AWS Account” as the trusted entity and enter the account ID of your home account (the one your company owns and has your users).

5 — In the next screen, select AdministratorAccess as the AWS management permission policy.

6 — In the next screen, give your role a name. I suggest following the same naming convention for all your clients.

I recommend repeating these steps to create a few different roles for different permission levels:

your-company-name-administrator: For AdministrarAccess

your-company-name-read-only: For ReadOnlyAccess

your-company-name-devops: For specific access to the resources your employees need to manage in client accounts.

Step 2: Create Permission Set

You can imagine the permission set as a group of policies (in this case the ability to assume a role in another account) that can be attached to a user (or group).

1 — Navigate to the AWS IAM Identity Center in your home account and select “Permission sets” on the left menu.

2 — Select “Create Permission Set” on the top right corner.

3 — Select “Custom permission set” and click next.

4 — In the next screen, enter the following “Inline policy”

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::REMOTE-ACCOUNT-ID:role/the-role-in-remote-account"
}
}

5 — In the next screen, enter the name of your permission set. I recommend choosing a convention such as the one below.

Say you have a client named AbcCorp you would create a permission set for each of the roles you want to be able to assume in their account:

AbcCorpReadOnly → your-company-name-read-only

AbcCorpAdministrator → your-company-name-administrator

AbcCorpDevOps → your-company-name-devops

Step 3: Associate User to Permission Set

For a user to be able to login to AWS via the Identity Center portal for your home account and be able to assume a role on one of the remote accounts they need to be granted access to a permission set.

1 — Navigate to “AWS Accounts” on the left menu and select your home account.

2 — Click on “Assign user or group” on the top right.

3 — Select the user or group you want to grant access to the permission set.

4 — In the next screen, select the permission sets this user (or group) should access.

5 — Click next and create the association.

Accessing Remote Account

1 — You can now login as the user that was associated to the permission set via the your-company.awsapps.com URL found in the AWS Identity Center page.

2 — Once logged in you will see a screen such as the one above. Click on “Management console”. At this point you will be redirected to the AWS console with all the permissions granted to this specific permission set.

3 — You can now assume the role in the remote account by clicking on “switch role” in the menu on the top right of the screen.

4 — Fill out the information as shown below and press “Switch Role” to access the remote AWS accounts with the permissions of the role created in it!

Conclusion

The account access control presented above will allow for your company to centraly manage access to all your client’s accounts for all your employees from a single location.

This solution can be paired with SCIM + SAML with your main account provider (such as Google Workspace) so accounts also get automatically managed from a single location

Need help setting this up or would like to talk to an AWS expert?

Email us at hello@avantsoft.com.br 🚀

--

--

Paulo Carvalho

Want to chat about startups, consulting or engineering? Just send me an email on paulo@avantsoft.com.br.