IAM Policy to Assume a Cross-Account Role
Create an IAM policy allowing a user or service to assume a role in another AWS account. Essential for cross-account access patterns.
Detailed Explanation
STS AssumeRole Policy
Cross-account access in AWS is implemented through role assumption. Account A grants permission to assume a role, and Account B's role trust policy allows Account A to assume it. This policy goes in Account A.
Policy JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::987654321098:role/cross-account-reader",
"arn:aws:iam::987654321098:role/cross-account-deployer"
]
}
]
}
How Cross-Account Access Works
- This policy (in Account A) allows the principal to call
sts:AssumeRole. - The target role's trust policy (in Account B) must also allow Account A to assume it:
{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "sts:AssumeRole" } - Both policies must be in place — neither alone is sufficient.
MFA Requirement
For sensitive cross-account roles, add an MFA condition:
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
Session Duration
When assuming a role, you can specify a session duration (1 hour to 12 hours, depending on the role's max session duration setting). The temporary credentials expire after this period.
Chained Assumptions
A role assumed via AssumeRole cannot itself assume another role (role chaining is limited). Plan your cross-account access hierarchy accordingly.
Use Case
CI/CD pipelines deploying to multiple AWS accounts, monitoring tools aggregating data across accounts, security audit tools scanning resources in member accounts of an AWS Organization.