AWS IAM Assuming Roles

Assume Role via AWS Web Console


Because of the security implications, IAM policies are set up by default so that only the root AWS account can assume roles into the other (member) accounts.

  1. Log into the AWS root account

    Example AWS root login

  2. Click the [email protected] @ example-root-aws drop-down at the top of the console and select Switch Role

    • Enter the AWS account ID of the member account in the Account field
    • Use OrganizationAccountAccessRole as the Role
    • (Optional) Pick Display Name and choose a Color for the role

Example AWS switch role

Assume Role via CLI (using aws-vault)

First, ensure that the proper profiles are set up following Authorization.

Inspect The Environment

$ aws-vault exec $profile -- env | grep AWS

aws-vault injects the temporary role credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) into the environment of the child process only, so nothing is written to disk; this command lists what the child process actually sees.

Execute a Command Using Temporary Credentials

$ aws-vault exec $profile -- aws s3 ls
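An example ~/.aws/config, added here as an illustration rather than taken from the Authorization page, showing the profile layout that lets aws-vault assume OrganizationAccountAccessRole in a member account; the profile names, account IDs and MFA device ARN are constructed placeholders:

```ini
# ~/.aws/config (example; all IDs below are constructed placeholders)

# Long-lived IAM user keys for the root account live in the aws-vault
# keychain under this profile name (added with: aws-vault add root-aws).
[profile root-aws]
region = us-east-1
# Require an MFA code before any role is assumed from this profile
mfa_serial = arn:aws:iam::111111111111:mfa/example-user

# Member account profile: no stored keys, credentials come from STS AssumeRole
[profile member-dev]
source_profile = root-aws
role_arn = arn:aws:iam::222222222222:role/OrganizationAccountAccessRole
region = us-east-1
```

With this in place, `aws-vault exec member-dev -- aws sts get-caller-identity` should report the member account ID and an assumed-role ARN containing OrganizationAccountAccessRole; if it still shows the root account, the role_arn or source_profile is wrong.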