This gist contains the sample policies I used in my article at https://ismailyenigul.medium.com/how-to-setup-multi-aws-accounts-assume-role-with-aws-cli-45ae869661ed
Identity policy attached to the admin users or group in the security account. It grants sts:AssumeRole only on the allow-admin-from-security-account role in each of the four target accounts; the trust policy on those roles (below) does not grant anything by itself, so this policy is the part that decides who in the security account gets admin. Save as admin-external-accounts.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::725335846599:role/allow-admin-from-security-account",
        "arn:aws:iam::989175535319:role/allow-admin-from-security-account",
        "arn:aws:iam::211047650761:role/allow-admin-from-security-account",
        "arn:aws:iam::320385056066:role/allow-admin-from-security-account"
      ]
    }
  ]
}
Identity policy attached to the read-only users or group in the security account. Same shape as the admin policy, but the resource list names only the allow-read-only-from-security-account roles, so these users cannot assume the admin roles even though the target accounts trust the whole security account. Save as ro-external-accounts.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::725335846599:role/allow-read-only-from-security-account",
        "arn:aws:iam::989175535319:role/allow-read-only-from-security-account",
        "arn:aws:iam::211047650761:role/allow-read-only-from-security-account",
        "arn:aws:iam::320385056066:role/allow-read-only-from-security-account"
      ]
    }
  ]
}
Trust policy for the allow-admin-from-security-account and allow-read-only-from-security-account roles in the dev/stage/prod/mgmt accounts. The principal is the root of the security account (026445672617), which means the whole security account is trusted: any user or role there that has sts:AssumeRole on the role ARN (granted by the two identity policies above) can assume it, and nothing outside the security account can. Because the trust is account-wide, the identity policies in the security account are the real gate, so keep them scoped to exact role ARNs rather than wildcards. Save as trust-policy-from-security-account.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::026445672617:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
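The three documents above are the same two templates repeated per account, and the only thing keeping admin and read-only apart is that each identity policy lists exact role ARNs. The following Python is an added example, not code from the gist or the article: it builds the identity policies and the trust policy from the account IDs used in the gist, cross-checks that a policy pair is consistent (trusts the security account, names only role ARNs, no wildcards, no loop back into the security account), and prints the matching ~/.aws/config profile stanzas for the CLI. The optional MFA condition, the profile names (dev-admin, security, ...) and the check function itself are assumptions of this example, not part of the gist.

```python
"""Generate and cross-check cross-account assume-role policies (added example, not from the gist)."""
import json
import re

# Account IDs as used in the gist; profile names below are assumptions.
SECURITY_ACCOUNT = "026445672617"
TARGET_ACCOUNTS = {
    "dev": "725335846599",
    "stage": "989175535319",
    "prod": "211047650761",
    "mgmt": "320385056066",
}
ADMIN_ROLE = "allow-admin-from-security-account"
RO_ROLE = "allow-read-only-from-security-account"

# Exact IAM role ARN; anything else (wildcards, user ARNs) is rejected by the check.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_assume_policy(account_ids, role_name):
    """Identity policy for the security account: may assume role_name in each target account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [role_arn(a, role_name) for a in account_ids],
        }],
    }


def build_trust_policy(security_account, require_mfa=False):
    """Trust policy for the role in a target account. Trusting :root delegates the
    decision to IAM policies inside the security account; require_mfa adds an
    aws:MultiFactorAuthPresent condition (optional hardening, not in the gist)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{security_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def check_pairing(assume_policy, trust_policy, expected_role, security_account):
    """Return a list of problems for an identity/trust policy pair (empty when consistent)."""
    problems = []
    principal = trust_policy["Statement"][0]["Principal"]["AWS"]
    if principal != f"arn:aws:iam::{security_account}:root":
        problems.append(f"trust policy trusts {principal}, not the security account")
    for stmt in assume_policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or actions != ["sts:AssumeRole"]:
            problems.append("identity policy statement is not a plain sts:AssumeRole allow")
            continue
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        for arn in resources:
            m = ROLE_ARN.match(arn)
            if not m:
                problems.append(f"{arn}: not an exact role ARN (would over-grant)")
                continue
            account, role = m.groups()
            if account == security_account:
                problems.append(f"{arn}: points back into the security account")
            if role != expected_role:
                problems.append(f"{arn}: role {role} is not {expected_role}")
    return problems


def aws_config_profiles(targets, role_name, source_profile, suffix):
    """~/.aws/config stanzas: one role profile per target, chained to source_profile."""
    out = []
    for name, account_id in targets.items():
        out.append(f"[profile {name}-{suffix}]\n"
                   f"role_arn = {role_arn(account_id, role_name)}\n"
                   f"source_profile = {source_profile}\n")
    return "\n".join(out)


if __name__ == "__main__":
    ids = list(TARGET_ACCOUNTS.values())
    for name, role in (("admin-external-accounts.json", ADMIN_ROLE), ("ro-external-accounts.json", RO_ROLE)):
        pol = build_assume_policy(ids, role)
        print(f"# {name}\n{json.dumps(pol, indent=2)}")
        print("# problems:", check_pairing(pol, build_trust_policy(SECURITY_ACCOUNT), role, SECURITY_ACCOUNT))
    print(f"# trust-policy-from-security-account.json\n{json.dumps(build_trust_policy(SECURITY_ACCOUNT), indent=2)}")
    print(aws_config_profiles(TARGET_ACCOUNTS, ADMIN_ROLE, "security", "admin"))
```

With the generated stanzas in ~/.aws/config and the security account credentials under the "security" profile, `aws sts get-caller-identity --profile prod-admin` exercises the whole chain. Running check_pairing against a policy whose Resource is "*" reports the over-grant, which is the mistake that turns an account-wide trust into admin for every principal in the security account.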