Delegate Access Across AWS Accounts

Evgeny Samsonov
3 min read · Aug 24, 2020

As a freelancer, I often find that my new clients create an IAM user for me or any other third-party consultant, and send the credentials by email or messenger. It doesn’t seem right to me, and here’s why.

First of all, sending credentials by email or messenger is very insecure.

Secondly, you don’t need to create and share long-term credentials (passwords, access keys, etc.) for each new third party.

Thirdly, you’re not their only client: third-party consultants have many clients, so they end up storing each client’s credentials and switching between AWS accounts. That doesn’t sound right either!

Few people know this, but in AWS IAM you can create a role for another AWS account: the third party then uses its own login to assume this role and gains access to your AWS environment. You only need its AWS account ID.

And here’s how to do it:

1. Go to IAM -> Roles -> Create role -> Another AWS Account:

2. Paste in the third-party account ID;

3. Select “Require external ID” if the third party will assume this role via the AWS API/CLI; this prevents the confused deputy problem, because the external ID is a shared value that must accompany the AssumeRole call, so knowing your role ARN alone is not enough. You can read more here;

4. Select “Require MFA”; it’s optional but strongly recommended;

5. In the next steps, attach permissions policies and tags;

6. In the last step, specify the role name and create it:
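Behind the console wizard, steps 1 to 4 produce the role’s trust policy. The following is an added example (not code from the original post) that builds that trust policy and then models, locally and in simplified form, how STS checks the trusting account, the external ID and the MFA condition. The account IDs, the external ID and the role name are constructed placeholders.

```python
"""Trust policy for a cross-account role, plus a local check of its conditions.

Added example, not code from the original post. The account IDs and the
external ID below are constructed placeholders.
"""
import json

# Constructed values: replace with the real third-party account ID and an
# external ID that is unique to this trust relationship.
THIRD_PARTY_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id-0a1b2c"


def build_trust_policy(account_id, external_id=None, require_mfa=False):
    """Return the trust (assume-role) policy that console steps 1-4 generate."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        # "Require external ID" in the console
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        # "Require MFA" in the console
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def evaluate_assume_role(policy, caller_account, external_id=None, mfa_present=False):
    """Simplified local model of how STS evaluates this trust policy.

    Returns (allowed, reason). It models only the three checks the post's steps
    configure: the trusted account, sts:ExternalId and aws:MultiFactorAuthPresent.
    Real IAM evaluation also involves the caller's own identity policies.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue  # this statement does not trust the caller's account
        cond = stmt.get("Condition", {})
        want_ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if want_ext is not None and external_id != want_ext:
            return False, "external ID missing or wrong"
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            return False, "MFA required but not present"
        return True, "allowed"
    return False, "no statement trusts this principal"


if __name__ == "__main__":
    policy = build_trust_policy(THIRD_PARTY_ACCOUNT, EXTERNAL_ID, require_mfa=True)
    print(json.dumps(policy, indent=2))
    # Confused-deputy case: the trusted account calls with a different customer's ID.
    print(evaluate_assume_role(policy, THIRD_PARTY_ACCOUNT, "some-other-customer", True))
```

The evaluator is deliberately narrow: it shows why a caller from the trusted account still gets denied when the external ID does not match, which is the whole point of step 3, but it is not a substitute for the IAM policy simulator.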

The role is created; now open it from the roles list. You will see all the information about the newly created role:

Now you can copy the link and send it to the third party, so they can switch to this role from the AWS console and establish a trusted relationship between your AWS account and their own.

You can also copy the Role ARN and send it to the third party, so they can assume this role via the CLI/SDK from their own AWS account, together with the ExternalId.
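From the third party’s side, assuming the role means calling STS with their own credentials, the role ARN, the ExternalId and, if step 4 was selected, their own MFA device. The following is an added example (not code from the original post) showing that call with boto3, plus the `~/.aws/config` profile stanza that lets the AWS CLI assume the role automatically without storing any client credentials. The role ARN, external ID, MFA serial and profile names are constructed placeholders; boto3 is imported lazily so the helper functions also run where it is not installed.

```python
"""Third-party side: assume the client's role with the ExternalId and MFA.

Added example, not code from the original post. The role ARN, external ID and
MFA device ARN are constructed placeholders; replace them with the values the
client sends you and your own MFA device.
"""

# Constructed placeholders (the client sends you the role ARN and ExternalId).
ROLE_ARN = "arn:aws:iam::123456789012:role/ThirdPartyConsultantRole"
EXTERNAL_ID = "example-external-id-0a1b2c"
MFA_SERIAL = "arn:aws:iam::111122223333:mfa/consultant"  # your own MFA device


def assume_role_params(role_arn, session_name, external_id=None,
                       mfa_serial=None, token_code=None):
    """Build the keyword arguments for sts.assume_role(**params)."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id:
        params["ExternalId"] = external_id
    if mfa_serial:
        if not token_code:
            raise ValueError("token_code is required when mfa_serial is set")
        params["SerialNumber"] = mfa_serial
        params["TokenCode"] = token_code
    return params


def cli_profile(name, role_arn, source_profile, external_id=None, mfa_serial=None):
    """Render a ~/.aws/config stanza for `aws --profile <name>`.

    Only your own source profile holds long-term credentials; the CLI assumes
    the client's role on every call and caches the temporary credentials.
    """
    lines = [f"[profile {name}]",
             f"role_arn = {role_arn}",
             f"source_profile = {source_profile}"]
    if external_id:
        lines.append(f"external_id = {external_id}")
    if mfa_serial:
        lines.append(f"mfa_serial = {mfa_serial}")
    return "\n".join(lines) + "\n"


def assume_role_session(params):
    """Call STS with your own identity and return a boto3 Session that holds
    the temporary credentials of the client's role."""
    import boto3  # lazy import: needs boto3 and your own AWS credentials

    creds = boto3.client("sts").assume_role(**params)["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    print(cli_profile("client-acme", ROLE_ARN, "default", EXTERNAL_ID, MFA_SERIAL))
    params = assume_role_params(ROLE_ARN, "consultant-session", EXTERNAL_ID,
                                MFA_SERIAL, input("MFA code: "))
    session = assume_role_session(params)
    print(session.client("sts").get_caller_identity()["Arn"])
```

One profile stanza per client is all a consultant needs to keep; switching accounts becomes `--profile client-acme`, and the client can revoke access at any time by editing or deleting the role, with nothing to rotate on either side.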

So please stop creating a new IAM user every time you give a third party access to your AWS resources; create an IAM role instead.

I’m always happy to discuss a new project or collaboration. If you have something in mind or just want to say hello, drop me a line.

iam@esamsonov.com

Header image by Abraham Palatnik
