Granting a User Read-Only Access in AWS.

As a technical advisor, I often need access to a client's AWS account with admin or read-only privileges so I can evaluate what they are doing. There are several ways to do this, including cross-account access through IAM roles. Often the most straightforward way is for the client to create a user for me in their account and grant that user access.

To give me the right access, the client can follow these steps in AWS as the root user:

Configure AWS Organizations

  1. From the search bar, navigate to AWS Organizations.

  2. If not already enabled → Create Organization

Enable Other Users to Access Billing Info

  1. In the top right, click on the account name.

  2. Click Account.

  3. Scroll down to IAM user and role access to Billing Information and Edit.

  4. Check Activate and click Update.

  5. It should look like:

Create IAM Permissions

  1. From the search bar, navigate to IAM Identity Center.

  2. Enable if not already enabled.

  3. From the left-hand bar, click Multi-account permissions → Permission sets.

  4. Click "Create permission set"

  5. Custom permission set → Next

  6. Select AWS Managed Policies

  7. Filter by Type → AWS managed - job function

  8. Check ReadOnlyAccess or AdministratorAccess, depending on your needs. ReadOnlyAccess is probably all I need for the time being. It's easy enough to upgrade later as needed.

  9. Click Next

  10. Permission set name → ReadOnly

  11. Tags → poc = <your name>

  12. Next, Create

Create Group

  1. While still in the IAM Identity Center, from the left side-bar, click Groups, then Create Group.

  2. Fill out the details.

    1. Group Name: Solint

    2. Description: Grant admin privileges and billing access to consultant with Solint

  3. You don’t need to add users at this time.

  4. Create Group

Create my user

  1. While still in the IAM Identity Center, from left side-bar, click Users, then Add User

  2. Username: my email address.

  3. Leave the password set to email setup.

  4. For email, again use my email address.

  5. Fill out other details as you see fit.

  6. Click Next

  7. Add my user to Solint group.

  8. Click Next.

Assign Permissions

  1. While still in the IAM Identity Center, from the left side-bar, click Multi-account permissions → AWS accounts.

  2. Under the Users and groups tab, click Assign users or groups.

    1. Check the Solint group.

    2. Check ReadOnly or AdministratorAccess, depending on what you provisioned above.

    3. Click Next, then Submit.
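Before handing a client the invitation, it is worth confirming that the permission set you just assigned really is read-only. The script below is an added example, not part of this post or of any AWS tooling: it audits the output of the sso-admin calls that list a permission set's managed policies and inline policy (the responses here are constructed to match the real CLI/boto3 shapes, so it runs offline) and flags AdministratorAccess or any write-capable inline action. The read-verb list is a heuristic assumption, not an official AWS classification.

```python
import json

READ_ONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Heuristic (assumption): action verbs that only read. Note that AWS's own
# ReadOnlyAccess still includes data reads such as s3:GetObject, so "read-only"
# means the consultant can read your data, not just your configuration.
READ_VERBS = ("Get", "List", "Describe", "View", "Search", "Lookup",
              "Check", "Read", "Scan", "Query", "Select")


def _allowed_actions(policy_doc):
    """Flatten the Action field of every Allow statement in an IAM policy document."""
    stmts = policy_doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    actions = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        acts = s.get("Action", [])
        actions.extend([acts] if isinstance(acts, str) else acts)
    return actions


def audit_permission_set(managed_resp, inline_resp=None):
    """Return (is_read_only, findings) for one permission set.

    managed_resp: shape of `sso-admin list-managed-policies-in-permission-set`
    inline_resp:  shape of `sso-admin get-inline-policy-for-permission-set`
    """
    findings = []
    for pol in managed_resp.get("AttachedManagedPolicies", []):
        if pol["Arn"] != READ_ONLY_ARN:  # anything else (incl. AdministratorAccess) is suspect
            findings.append(f"non-ReadOnlyAccess managed policy attached: {pol['Arn']}")
    inline = (inline_resp or {}).get("InlinePolicy")
    if inline:
        for action in _allowed_actions(json.loads(inline)):
            verb = action.split(":", 1)[-1]  # "s3:PutObject" -> "PutObject", "*" -> "*"
            if verb == "*" or not verb.startswith(READ_VERBS):
                findings.append(f"inline policy allows write-capable action: {action}")
    return (not findings, findings)


# Constructed sample responses (not captured from a real account).
SAMPLE_READONLY = {"AttachedManagedPolicies": [{"Name": "ReadOnlyAccess", "Arn": READ_ONLY_ARN}]}
SAMPLE_ADMIN = {"AttachedManagedPolicies": [{"Name": "AdministratorAccess", "Arn": ADMIN_ARN}]}
SAMPLE_INLINE = {"InlinePolicy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject"], "Resource": "*"}]})}

if __name__ == "__main__":
    for label, managed, inline in [("ReadOnly", SAMPLE_READONLY, None),
                                   ("Admin", SAMPLE_ADMIN, None),
                                   ("ReadOnly+inline", SAMPLE_READONLY, SAMPLE_INLINE)]:
        ok, why = audit_permission_set(managed, inline)
        print(f"{label}: {'read-only' if ok else 'NOT read-only'} {why}")
```

To run it against a real account, feed it the JSON from `aws sso-admin list-managed-policies-in-permission-set` and `aws sso-admin get-inline-policy-for-permission-set` for the ReadOnly permission set created above.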

Trouble finding the button to Assign users or groups?

You may need to click on the Root account to see the management account in which you can assign users and groups.

Other Problems?

Please let me know!

Wrapping Up

I'll get an email inviting me to your account, but feel free to ping me. To revoke my access, you can just undo any/all of the steps above.