@phnahes
Last active May 27, 2020 18:15
How to use SwitchRole across two or more AWS accounts

AWS Switch Role

Scenario:

  • Source account ID: 123456789 (contains the Devops group)

  • Destination account ID: 999999999

How to

Source Account - Main

Create a policy with the content below, with one statement for each destination account.

Name: DevopsSwitchRole-policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SwitchRole9999Account",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::999999999:role/DevOps9999Account"
        },
        { ... }
    ]
}

Repeat the statement block once per destination account, each with that account's role ARN.

Attach the DevopsSwitchRole-policy to the Devops group.


Destination Account

On the destination account, create a role named DevOps9999Account, which holds the trust relationship with the source account, and give it an inline policy such as the one below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllExceptBilling",
            "NotAction": [
                "aws-portal:*",
                "awsbillingconsole:*",
                "cur:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

On the Trust Relationships tab, add the JSON below to allow principals in the source account to assume this role. Note that the condition as written matches only sessions in which aws:MultiFactorAuthPresent is present with the value false; to require MFA for the switch instead, set it to "true".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
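As an added example (not part of the gist), the following Python script models how IAM evaluates this trust policy's Bool condition for a hypothetical Devops user, showing which kinds of sessions the "false" value admits, and includes a require_mfa helper that flips the condition to "true". It assumes the standard IAM rule that a condition key absent from the request context never matches.

```python
import copy
# Constructed copy of the gist's trust policy, kept exactly as written ("false").
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]
def bool_condition_matches(condition, context):
    """Evaluate an IAM "Bool" condition block against the request context.
    A key absent from the context (aws:MultiFactorAuthPresent is absent for
    requests signed with long-term access keys) never matches."""
    for key, expected in condition.get("Bool", {}).items():
        if key not in context or str(context[key]).lower() != str(expected).lower():
            return False
    return True

def can_assume(policy, caller_arn, context):
    """True if some Allow statement grants sts:AssumeRole to caller_arn under
    context. An account-root principal matches any caller from that account."""
    caller_account = caller_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        allowed = {p.split(":")[4] for p in _as_list(stmt["Principal"].get("AWS", []))}
        if caller_account in allowed and bool_condition_matches(stmt.get("Condition", {}), context):
            return True
    return False

def require_mfa(policy):
    """Copy of the trust policy with the MFA condition set to "true", so the
    role can only be assumed from an MFA-authenticated session."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened["Statement"]:
        stmt.setdefault("Condition", {}).setdefault("Bool", {})["aws:MultiFactorAuthPresent"] = "true"
    return hardened

if __name__ == "__main__":
    user = "arn:aws:iam::123456789:user/alice"  # hypothetical Devops group member
    for label, ctx in [("console, MFA", {"aws:MultiFactorAuthPresent": "true"}),
                       ("console, no MFA", {"aws:MultiFactorAuthPresent": "false"}),
                       ("access key, key absent", {})]:
        print(label, can_assume(TRUST_POLICY, user, ctx), can_assume(require_mfa(TRUST_POLICY), user, ctx))
```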

How to use

First, install the AWS Extend Switch Roles extension in Chrome: https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl/related

Then configure the extension with the accounts, for example:

[9999Account]
aws_account_id = 999999999
role_name = DevOps9999Account
region = us-east-1
color = ff9705

Log in to account 123456789, open the extension from the top-right menu, and choose the other account :)