As a technical advisor, I often need to access a client’s AWS account with admin or read-only privileges so I can evaluate what they are doing. There are several ways to do this, including using cross-account access using roles. Often, the most straightforward way is for the client to create a user for me in their account and grant that user access.
To give me the right access, the client can follow these steps in AWS as the root user:
Configure AWS Organizations
From the search bar, navigate to AWS Organizations.
If not already enabled → Create Organization
Enable Other Users to Access Billing Info
In the top right, click on the account name.
Scroll down to IAM user and role access to Billing Information and Edit.
Check Activate and click Update.
It should look like:
Create IAM Permissions
From the search bar, navigate to IAM Identity Center.
Enable if not already enabled.
From left-hand bar, Multi-account permissions→ Permission Sets.
Click "Create permission set"
Custom permission set→ Next
Select AWS Managed Policies
Filter by Type→ AWS managed - job function
Check ReadOnlyAccess or AdministratorAccess, depending on your needs. ReadOnlyAccess is probably all I need for the time being. It's easy enough to upgrade later as needed.
Permission set name→ ReadOnly
Tags-> poc = <your name>
- While still in the IAM Identity Center, from left side-bar, click Groups, then Create Group
Fill out the details.
Group Name: Solint
Description: Grant admin privileges and billing access to consultant with Solint
You don’t need to add users at this time.
Create my user
While still in the IAM Identity Center, from left side-bar, click Users, then Add User
Username: my email address.
Leave the password set to email setup.
For email, again use my email address.
Fill out other details as you see fit.
Add my user to Solint group.
While still in the IAM Identity Center, from left side-bar, click Multi-account permissions→AWS accounts.
Under the Users and groups tab, click Assign users or groups
Check the Solint group.
Check ReadOnly or AdministratorAccess, depending on what you provisioned above
Click Next, then Submit.
Trouble finding the button to Assign users or groups?
You may need to click on the Root account to see the management account in which you can assign users and groups.
Please let me know!
I'll get an email inviting me to your account, but feel free to ping me. To revoke my access, you can just undo any/all of the steps above.