Cross-Account IAM Roles, Explained

An IAM role is an AWS identity with an access policy that determines what actions the role can and can't perform in AWS. Unlike an IAM user, a role has no long-term credentials of its own: it is assumed by another AWS identity that has already been authenticated, and that identity receives temporary credentials carrying the role's permissions. If you've used EC2 instance profiles or AWS Lambda execution roles, you have already seen roles at work.
A cross-account IAM role is a role whose trust policy allows identities in a different AWS account to assume it. Two policies are involved: the trust policy on the role says who may assume it, and the role's permissions policy says what the resulting session may do. The calling identity must also be allowed, by a policy in its own account, to call sts:AssumeRole on the role's ARN. This way, you can create a role in one AWS account that grants specific, scoped permissions to a principal in another AWS account without sharing any long-term keys.
You can also add conditions to the trust policy to limit how third parties can assume the role. One example is the external ID check: the trust policy requires the partner to pass a specific string, the external ID, in the sts:ExternalId condition key when calling AssumeRole, and the request is refused if the value is missing or wrong. The external ID addresses the confused deputy problem in a SaaS setting: without it, another customer of the same provider could hand the provider your role ARN and have the provider assume your role on their behalf. With a per-customer external ID that the provider only sends on that customer's behalf, the role ARN alone is not enough. AWS Partner Network (APN) Partners who implement a SaaS product that uses cross-account roles should use this check.
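The following is an added example, not code from the original page or from any AWS guide. It builds the trust policy described above for a role in a customer account, and includes a small local evaluator that approximates how STS applies that policy's Principal and sts:ExternalId condition to an AssumeRole request, so the external ID check can be exercised offline. The account IDs, role names and the external ID value are constructed for illustration; the evaluator only models the Allow statement and condition key used here, not the full IAM policy language. The assume_role helper shows the call the SaaS side makes with boto3 and is not run offline.

```python
"""Cross-account trust policy with an external ID, plus a local check of
whether a given AssumeRole request would satisfy it."""
import json
from typing import Optional

# Constructed identifiers for the example, not real AWS accounts.
SAAS_ACCOUNT_ID = "111111111111"       # the SaaS provider that calls AssumeRole
CUSTOMER_ACCOUNT_ID = "222222222222"   # the customer account that owns the role
EXTERNAL_ID = "c8a3f0e1-example"       # hypothetical per-customer value issued by the SaaS


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the customer's role: only principals in the trusted
    account may assume it, and only when the request carries the agreed
    external ID via the sts:ExternalId condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def account_of(principal: str) -> str:
    """Return the 12-digit account ID from an ARN such as
    arn:aws:iam::111111111111:role/saas-integration, or from a bare account ID."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def is_assume_role_allowed(trust_policy: dict, caller_arn: str,
                           external_id: Optional[str]) -> bool:
    """Approximation of the trust-policy evaluation STS performs: the caller's
    account must match an allowed principal, and any StringEquals condition on
    sts:ExternalId must equal the ExternalId supplied in the request. A missing
    external ID never satisfies a StringEquals condition."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        allowed_accounts = {account_of(p) for p in principals}
        if account_of(caller_arn) not in allowed_accounts:
            continue  # wrong account: this statement does not apply
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue  # missing or wrong external ID: confused-deputy attempt is refused
        return True
    return False


def assume_role(role_arn: str, external_id: str,
                session_name: str = "saas-integration") -> dict:
    """The SaaS side of the exchange: request temporary credentials from STS,
    passing the customer's external ID. Needs boto3 and real credentials, so it
    is not exercised offline; the import is local so the rest of the module
    runs without boto3 installed."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           ExternalId=external_id)
    return resp["Credentials"]


if __name__ == "__main__":
    policy = build_trust_policy(SAAS_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    saas_caller = f"arn:aws:iam::{SAAS_ACCOUNT_ID}:role/saas-integration"
    other_tenant = f"arn:aws:iam::{SAAS_ACCOUNT_ID}:role/saas-integration"
    print("correct external ID:", is_assume_role_allowed(policy, saas_caller, EXTERNAL_ID))
    print("no external ID:     ", is_assume_role_allowed(policy, saas_caller, None))
    print("wrong external ID:  ", is_assume_role_allowed(policy, other_tenant, "some-other-tenant"))
```

The third case is the one the external ID exists for: the caller is the legitimate SaaS account, but it is acting for a different tenant and therefore presents that tenant's external ID, so the request is refused even though the role ARN and the calling account are both correct.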