
I have an AWS account. Let's say my AWS account number is 123456789012. I have created these IAM roles:

arn:aws:iam::123456789012:role/tiger-123
arn:aws:iam::123456789012:role/tiger-124
arn:aws:iam::123456789012:role/tiger-125
arn:aws:iam::123456789012:role/elephant-101
arn:aws:iam::123456789012:role/elephant-102

I want to allow the AWS account root user of AWS account 111111111111 to be able to list all of the roles in my account that start with tiger. How do I set up the role and policy to do this and what would be the command the other user uses to list those roles?

user35042

1 Answer


You have to use cross-account access, i.e., create a role in the 123456789012 account with a trust policy that trusts the 111111111111 account (or any IAM user/role in the 111111111111 account). Please note that you cannot call AssumeRole using AWS root account credentials; you must use the credentials of an IAM user or an IAM role to call AssumeRole.

Once this is done, you can configure AWS CLI with access keys of an IAM entity (user/role) of 111111111111 account and assume the role in 123456789012 account. Then you can use the returned credentials to list IAM roles in 123456789012 account. You can use the source_profile to easily do this in CLI.

It is not possible to limit the permission to listing only certain roles, and the command to list roles is here.

sudo