How to Manage AWS Cross-Account Quick Access

March 30, 2017
Contact Us
Weekly Shorts are topics we discuss in our weekly remote meeting related to recent work we have done with our customers
How to Manage AWS Cross-Account Quick Access
Role history: production

You can quickly switch to any of your AWS accounts with a click of a button on a menu, listing them by name and color.

Wanna learn how to configure that list in a couple of minutes?

Using multiple accounts is a common practice for many organizations. Whether for development environments consolidation, billing separation, and granularity or third party service accounts, using multiple accounts is an everyday necessity.

As a consultant, I need to regularly share my account resources among other in-house accounts as well as with customers’ accounts.

For a while, I used to disconnect and reconnect from one account to another dozen of times a day. When the action became too frequent to bare, I had to find a suitable solution, one that would give me the freedom of hopping from one account to another without the hassle of changing login sessions.

AWS Cross-Account access role is a setup where a given account, validates another account for access, by letting it assume a pre-configured IAM role. The external account’s users and resources can then assume the given role and use the new account’s resources within the boundaries of its IAM role privileges.

Configuring cross-account access role requires a couple of minutes following a few simple steps. By the end of the configuration, you’ll be able to just select “change role” from a drop-down menu visible at all times in the AWS console, and make a quick jump to whichever account set with a cross access role:

  • Within the AWS Console, select Services and search Identity and Access Management.
  • From the sidebar menu at the IAM console, select Roles.
  • Create a New Role and provide a descriptive name.
  • At Select Role Type choose the Role for Cross-Account Access option:
Role for cross account access
  • Provide the Account ID of the account which you are allowing the access[ Account ID can be located by Support on the top right-hand side and Support Center, the ID will then appear under the Support link ].
  • Provide a policy template for the role, whether an AWS managed or a custom constructed policy.
  • Approve your changes.


Click on your user name on the top right-hand side of your AWS console. Then from the drop-down list select Switch Role

Provide the account name, given role and a color for future quick access from your console menu

Switch role
Choose a color for quick identification and role switching

From now on, the configured accounts would be available for quick shifting with a single click of a button

Ah, wait, none of us ever actually see the colorful console right? UI is lame.

You run everything from your console right? :)

Let’s see how assuming a cross-account role can be easily done using AWS CLI:

  • ‍Create a new AWS profile on your AWS CLI configuration file[ Normally found under ~/.aws/credentials ]
$ cat ~/.aws/credentials[profile crossaccountrole]role_arn = arn:aws:iam::123456789012:role/xaccountsource_profile = default
  • ‍Once your new cross-account profile is set, you’ll be able to shoot any CLI line using the profile flag
$ aws s3 ls --profile crossaccountrole
  • Another option is to set an environment variable AWS_PROFILE that will be automatically used by any AWS SDK or the CLI‍
$ export AWS_PROFILE=crossaccountrole


Not only you’ve got all your accounts color coded in the console and ready for quick shifting, but you can use single secret credential for all of your CLI accounts as well.

How to Manage AWS Cross-Account Quick Access
Omer Hamerman
Senior Software Operations Architect
Omer is an experienced software operations engineer and an open source contributor. He is always willing to go the extra mile to help our clients improve their software delivery. He is known for getting the job done very quickly and is clear-cut and very sharp, delivering almost any job on the spot. When he’s not helping our clients achieve scalable and resilient infrastructure, you’ll find him rock climbing and bouldering. He is passionate about beautiful code, cybersecurity and doing things right the first time. He is a keen writer of blog posts and a speaker at meetups.