amazon web services – How to create a IAM user with permissions on sub-accounts using roles


  • In the root account, create the IAM user.

    The permissions in the Sub-account will be managed by the role permissions(policies).

  • In the sub-account, Go to IAM / Role / Create Role

    2.1. Select tab “Another AWS Account” and paste the Root AccountID

    2.2. Attach any permission that you want

    2.3. Once the Role is created, save the Role name and Role ARN.

  • Go to Roles / Permissions and remove the basic policy that you add previously.

    3.1. Click on “Add inline policy” and select the service and permissions that you want to provide (read, write, list, etc.)
    You also can set the permissions with JSON.

    3.2. Go to Roles / Trusted Relationships Tab, and verify that the Root AccountID appears there.

  • In the Root account go to IAM / Users / user / Permissions and click on “Add inline policy” / JSON Tab

    4.1. Now add the AssumeRole Policy ( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html )
    Replace the default ARN with your Role ARN.

  • Verify If you can switch roles with the user.