I'm a contract web developer, and my client doesn't know anything about managing AWS, but wants to control the billing for the account. So, he wants to give me full access to set up EC2, S3, SES, and RDS.

I told him to create an IAM role for me (IAM > Create Role > Another AWS Account), and I told him which permissions to grant, but from there I'm not sure how to switch to that role.

Is there something else he needs to do to give me access?

Ben Davis
  • If you want to access the *console*, I don't think you want an IAM role - those are for servers. IAM > Users > Create User. – ceejayoz Nov 17 '17 at 16:08
  • Actually you do use a role. It is called Cross Account Role. In many ways it is just like roles for servers as STS (Security Token Service) is used for temporary credentials when the role is assumed. – John Hanley Nov 17 '17 at 18:54

2 Answers

Create a user in IAM and give you administrator permissions. This lets you do anything technical, but doesn't let you close the account or see billing information.

You can find step-by-step instructions here.

Tim

You need to set up Cross Account Access. There are two types. The first is when both accounts are owned by the same organization. The second is when the accounts are not owned by the same organization.

For same account and different account access, start with this tutorial. Then for the second case you will need to create the "External ID". I have provided two links for this. Start with the first link and complete with the second link.

Tutorial: Delegate Access Across AWS Accounts Using IAM Roles

How to Use an External ID When Granting Access to Your AWS Resources to a Third Party

John Hanley
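
The cross-account setup with an external ID described in the answer above, as an added Python example that is not part of either answer or of the linked AWS tutorials: it builds the trust policy the account owner attaches to the role, checks a trust policy for the two gaps that matter for third-party access, and renders the AWS CLI profile the contractor uses to assume the role. The account ID, role name, profile names, external ID and function names are constructed placeholders.

```python
import json

def build_trust_policy(trusted_account_id, external_id):
    """Trust policy for the role in the client's account: only the named
    account may assume it, and only when it presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def audit_trust_policy(policy):
    """Return findings for Allow statements too open for third-party access."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if not aws:  # service-only principals are out of scope here
            continue
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        cond = stmt.get("Condition", {})
        has_ext = any(key.lower() == "sts:externalid"
                      for op, keys in cond.items() if op.startswith("StringEquals")
                      for key in keys)
        if not has_ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

def cli_profile(name, role_arn, source_profile, external_id):
    """~/.aws/config stanza the contractor uses to assume the role."""
    return (f"[profile {name}]\nrole_arn = {role_arn}\n"
            f"source_profile = {source_profile}\nexternal_id = {external_id}\n")

if __name__ == "__main__":
    # Constructed values: contractor account 111122223333, client account 444455556666.
    policy = build_trust_policy("111122223333", "example-external-id")
    print(json.dumps(policy, indent=2), audit_trust_policy(policy))
    print(cli_profile("client-admin", "arn:aws:iam::444455556666:role/ContractorAdmin",
                      "default", "example-external-id"))
```

With the profile in place, `aws sts get-caller-identity --profile client-admin` shows whether the role was assumed. The console's Switch Role feature cannot assume a role whose trust policy requires an external ID, so such a role is used through the CLI or API.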